elixir-cloud-aai / cwl-WES

Trigger CWL workflows via GA4GH WES and TES
Apache License 2.0

Lifetime of auth tokens limiting workflow execution runtime #52

Open uniqueg opened 5 years ago

uniqueg commented 5 years ago

Is your feature request related to a problem? Please describe.

Current support for the OAuth2 implicit flow authorization scheme, handling authorization from WES-ELIXIR via cwl-tes to TESK, is limited by the duration of validity of the issued tokens (e.g., 60 minutes for ELIXIR AAI). In other words: Workflows with runtimes exceeding one hour cannot currently be run in an AAI-secured setup.

Describe the solution you'd like

Support for refresh tokens should be added to WES-ELIXIR to allow negotiation of new authorization tokens. For ELIXIR AAI, a refresh token can be obtained by requesting a token with an offline_token scope. In order to be able to do that, WES-ELIXIR first needs to be registered as a client with the identity provider/broker.

Describe alternatives you've considered

N/A at this time.

Additional context

uniqueg commented 4 years ago

See AAI guidelines set up by ELIXIR Cloud & AAI. This needs to be set up together with a client that exposes a dedicated endpoint for refreshing the token.
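
The following sketch shows one way a service could keep an access token valid across a workflow run that outlasts the token lifetime, using the `refresh_token` grant of RFC 6749 section 6. It is an added example, not code from cwl-WES or from the issue author; `TokenKeeper`, `simulate`, the `post` transport, the client id `wes-client` and all token values are hypothetical and constructed, and the refresh token is assumed to have been obtained already by a registered client.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict

@dataclass
class TokenKeeper:
    """Keeps an access token valid for the whole run of a long workflow."""
    post: Callable[[Dict[str, str]], dict]  # hypothetical POST to the token endpoint
    client_id: str
    refresh_token: str
    access_token: str = ""
    expires_at: float = 0.0
    leeway: float = 120.0                   # refresh this many seconds before expiry
    clock: Callable[[], float] = time.time

    def get(self) -> str:
        # Refresh only when the current token is about to expire.
        if self.clock() >= self.expires_at - self.leeway:
            self._refresh()
        return self.access_token

    def _refresh(self) -> None:
        # RFC 6749 section 6: exchange the refresh token for a new access token.
        reply = self.post({"grant_type": "refresh_token", "client_id": self.client_id,
                           "refresh_token": self.refresh_token})
        if "error" in reply:  # e.g. invalid_grant for a revoked or reused refresh token
            raise PermissionError(f"token refresh failed: {reply['error']}")
        self.access_token = str(reply["access_token"])
        self.expires_at = self.clock() + float(reply["expires_in"])
        # The provider may rotate the refresh token; always keep the newest one.
        self.refresh_token = str(reply.get("refresh_token", self.refresh_token))

def simulate(hours: float, poll_s: int = 600, lifetime_s: int = 3600):
    """Constructed run: fake clock and fake provider, one task poll every poll_s."""
    now, issued = [0.0], []
    def fake_post(form):
        # The fake provider rotates refresh tokens and rejects stale ones.
        if form["refresh_token"] != f"rt-{len(issued)}":
            return {"error": "invalid_grant"}
        issued.append(f"at-{len(issued) + 1}")
        return {"access_token": issued[-1], "expires_in": lifetime_s,
                "refresh_token": f"rt-{len(issued)}"}
    keeper = TokenKeeper(fake_post, "wes-client", "rt-0", clock=lambda: now[0])
    used = []
    while now[0] <= hours * 3600:
        used.append(keeper.get())  # token attached to this poll of the task service
        now[0] += poll_s
    return issued, used
```

A confidential client would also authenticate itself to the token endpoint when refreshing; that part is omitted here.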