bibxml-service
Datatracker OAuth2: refresh access tokens
This will likely be left pending at delivery, since Datatracker doesn’t seem to be offering a token refresh endpoint.
Current behavior is to avoid verifying token on each page load to save time, so the user will be shown as logged in indefinitely—but the token is verified upon an authenticated request, and if that fails the user will be automatically logged out.
For the short term, we plan to remove the Datatracker login requirement, but the OIDC provider does provide token refresh. (I think elsewhere we discussed using an OIDC library rather than trying to reimplement OIDC with an OAuth2 library.)
Yes, we discussed using an OIDC library. The Django OIDC integration library maintained by Mozilla was judged to cost excess overhead for this project, but I’ll revisit that.
Either way, since token refresh is provided by OIDC provider, going to look into integrating it. I may have thought there’s no refresh feature because I didn’t spot it when looking at api/openid/.well-known/openid-configuration… Thanks for the pointer!
Since you mentioned Datatracker login may be unnecessary, I’ll see if a settings flag can be implemented to control the behavior.
Automatic token refresh appears to work now (tested in staging), but I’ll leave this issue open until Datatracker auth is configurable too…
Thanks - be sure that configuring no auth opens access to the things we otherwise required auth for (such as the links to download bibxml from the search results page).
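The refresh-or-log-out behavior discussed in this thread, as an added sketch that is not bibxml-service's own code: it checks whether a discovery document advertises the `refresh_token` grant, refreshes an expiring token with an RFC 6749 section 6 request, and clears the session when refresh fails. The function names, the session keys, the injected `post_form` callable and the sample discovery document are all assumptions made for illustration.

```python
import time

# Constructed sample discovery document (not Datatracker's real one).
SAMPLE_DISCOVERY = {
    "token_endpoint": "https://idp.example/token",
    "grant_types_supported": ["authorization_code", "refresh_token"],
}

def supports_refresh(discovery):
    """True if the provider advertises the refresh_token grant."""
    # OIDC Discovery: when omitted, the default is authorization_code + implicit.
    grants = discovery.get("grant_types_supported",
                           ["authorization_code", "implicit"])
    return "refresh_token" in grants

def ensure_fresh_token(session, discovery, post_form, now=None, leeway=30):
    """Return a usable access token, refreshing it when close to expiry.

    `session` is a dict-like store (hypothetical keys: access_token,
    refresh_token, expires_at). `post_form(url, body)` is a hypothetical
    callable returning (http_status, json_dict); client authentication is
    left to it. On any refresh failure the session is cleared (logout).
    """
    now = time.time() if now is None else now
    if "access_token" not in session:
        return None
    if session.get("expires_at", 0) - leeway > now:
        return session["access_token"]  # still valid, no network call

    refresh_token = session.get("refresh_token")
    if not refresh_token or not supports_refresh(discovery):
        session.clear()
        return None

    # RFC 6749 section 6 refresh request body.
    body = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    status, payload = post_form(discovery["token_endpoint"], body)
    if status != 200 or "access_token" not in payload:
        session.clear()  # e.g. invalid_grant: token revoked or expired
        return None

    session["access_token"] = payload["access_token"]
    # The provider may rotate the refresh token; keep the old one otherwise.
    session["refresh_token"] = payload.get("refresh_token", refresh_token)
    session["expires_at"] = now + int(payload.get("expires_in", 0))
    return session["access_token"]
```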