cBioPortal / cbioportal

cBioPortal for Cancer Genomics
https://cbioportal.org
GNU Affero General Public License v3.0

Imperfect Cbio API OAuth2 Token Lifecycle #11083

Open Aiosa opened 1 month ago

Aiosa commented 1 month ago

The current approach of using tokens with cbio API via dat.method=oauth2 is the following:

The auth provider requests a token from offlineToken

https://github.com/cBioPortal/cbioportal/blob/9862072228d02ece0ed1252e27c5a2aec017c653/src/main/java/org/cbioportal/security/token/oauth2/OAuth2TokenAuthenticationProvider.java#L75

And the injected tokenRefreshRestTemplate is forced to get a new token with every single API access like so:

https://github.com/cBioPortal/cbioportal/blob/9862072228d02ece0ed1252e27c5a2aec017c653/src/main/java/org/cbioportal/security/token/oauth2/OAuth2TokenRefreshRestTemplate.java#L71

Now, as discussed a while ago elsewhere, the current import logic (validateData.py) does not even add an access token to the headers in the first place, which I have temporarily fixed by injecting the token obtained from the cbioportal webpage. But the script proceeds to use this token multiple times to access various API endpoints, and triggers the above several times.

This is blocked by our OIDC provider. From our security department:

Once you send a valid refresh token, you should get back a new access & refresh token, while the old refresh token has been invalidated, to prevent, for example, a man-in-the-middle replay attack. You should use the new refresh token instead.

Which basically forces me to update the token with each API call. But I doubt I can get the new refresh token out of the cbioportal app. What is the recommended solution here? Why is the offline token not enough, e.g. to check its validity / signature?

Aiosa commented 1 month ago

Hmm, is cbioportal_data_access_token in fact a refresh token, supposed to be used in the REST API? If this is the case, then it is not compatible.
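To make the lifecycle problem in both comments concrete, here is an added example (not cBioPortal or validateData.py code) with a constructed OIDC token endpoint that rotates refresh tokens, a client that presents the stored offline token before every call as the issue describes, and a client that caches the access token until near expiry and persists the rotated refresh token. Class names, the 300-second access-token lifetime and the 30-second skew are assumptions for the demo.

```python
import uuid

class RotatingTokenEndpoint:
    """Constructed OIDC token endpoint: each refresh invalidates the presented refresh token."""
    def __init__(self, access_ttl=300):
        self.access_ttl, self.valid_refresh, self.refresh_calls = access_ttl, set(), 0
    def issue_offline_token(self):
        token = "rt-" + uuid.uuid4().hex
        self.valid_refresh.add(token)
        return token
    def refresh(self, refresh_token, now):
        if refresh_token not in self.valid_refresh:
            raise PermissionError("invalid_grant: refresh token unknown or already used")
        self.valid_refresh.discard(refresh_token)  # one-time use: the old token is gone
        self.refresh_calls += 1
        new_refresh = "rt-" + uuid.uuid4().hex
        self.valid_refresh.add(new_refresh)
        return {"access_token": "at-" + uuid.uuid4().hex,
                "refresh_token": new_refresh, "expires_at": now + self.access_ttl}

class NaiveClient:
    """Presents the original offline token before every call (the pattern in the issue)."""
    def __init__(self, endpoint, offline_token):
        self.endpoint, self.offline_token = endpoint, offline_token
    def bearer(self, now):
        return self.endpoint.refresh(self.offline_token, now)["access_token"]

class CachingClient:
    """Reuses the access token until near expiry and keeps the rotated refresh token."""
    def __init__(self, endpoint, offline_token, skew=30):
        self.endpoint, self.refresh_token, self.skew = endpoint, offline_token, skew
        self.access_token, self.expires_at = None, 0
    def bearer(self, now):
        if self.access_token is None or now >= self.expires_at - self.skew:
            resp = self.endpoint.refresh(self.refresh_token, now)
            self.access_token, self.expires_at = resp["access_token"], resp["expires_at"]
            self.refresh_token = resp["refresh_token"]  # persist the new one, never replay the old
        return self.access_token

def simulate(client, calls):
    """One API call per second; returns (calls that obtained a bearer token, refreshes made)."""
    ok = 0
    for now in range(calls):
        try:
            client.bearer(now)
        except PermissionError:
            break
        ok += 1
    return ok, client.endpoint.refresh_calls
```

Under rotation the naive client's second call is rejected with invalid_grant, while the caching client completes every call and refreshes only when the access token is about to expire.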