molgenis / molgenis-service-armadillo

Armadillo; a DataSHIELD implementation, part of the MOLGENIS suite
https://molgenis.github.io/molgenis-service-armadillo/
GNU Lesser General Public License v3.0

As armadillo user I want to refresh my tokens when they timeout #669

Open clemens-tolboom opened 4 months ago

clemens-tolboom commented 4 months ago

In #121 we learned that increasing the OIDC token lifetime makes long R queries finish correctly.

It seems we should add a refresh token to Armadillo ... the R side takes care of keeping the Armadillo session alive but has no business with the JWT token timeout.

clemens-tolboom commented 4 months ago

Sketchy example:

```yaml
spring:
  security:
    oauth2:
      authorizationserver:
        issuer: http://auth-server:9000 # Set the issuer URL for your authorization server

      client:
        articles-client: # Define your client configuration
          registration:
            client-id: articles-client
            client-secret: "{noop}secret" # Replace with your actual client secret
            client-name: Articles Client
            client-authentication-methods:
              - client_secret_basic
            authorization-grant-types:
              - authorization_code
              - refresh_token # Include refresh token grant type
```

but the path that is listed is `spring.security.oauth2.client.registration.[registrationId].authorization-grant-type`
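The client-side half of what this comment is after, as an added example that is not code from Armadillo or molgenis-r-auth: keep a refresh token next to the access token, read the `exp` claim to decide when the access token is about to run out, and exchange the refresh token at the provider's token endpoint before a long query hits the timeout. The token endpoint URL, client id, token lifetimes and the fake endpoint are assumptions for the demo; the HTTP transport is injected so it runs offline.

```python
"""Refreshing an OIDC access token before it expires during a long query.

Added example, not code from Armadillo or molgenis-r-auth. It assumes an
OIDC provider whose token endpoint accepts the standard refresh_token grant
(RFC 6749, section 6) as a form-encoded POST and issues access tokens as
JWTs carrying an `exp` claim. The HTTP transport is injected, so the demo
below runs offline against a constructed fake token endpoint.
"""
import base64
import json
import time
import urllib.parse


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # restore stripped padding


def jwt_exp(token: str) -> int:
    """Read `exp` from a JWT WITHOUT verifying it.

    Only used to decide when to refresh; the resource server still verifies
    the signature against the JWKS. Never base an access decision on this.
    """
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return int(payload["exp"])


def make_jwt(exp: int) -> str:
    """Constructed JWT for the offline demo; the signature is a placeholder."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc({"sub": "demo", "exp": exp}) + ".placeholder-signature"


class TokenSession:
    """Holds the current access/refresh token pair and refreshes proactively."""

    def __init__(self, token_endpoint, client_id, access_token, refresh_token,
                 post, leeway=60, now=time.time):
        self.token_endpoint = token_endpoint
        self.client_id = client_id
        self.access_token = access_token
        self.refresh_token = refresh_token
        self.post = post          # post(url, form_body) -> (status, json_dict)
        self.leeway = leeway      # refresh this many seconds before `exp`
        self.now = now

    def needs_refresh(self) -> bool:
        return self.now() >= jwt_exp(self.access_token) - self.leeway

    def bearer(self) -> str:
        """Return an access token good for at least `leeway` more seconds."""
        if self.needs_refresh():
            self.refresh()
        return self.access_token

    def refresh(self) -> None:
        body = urllib.parse.urlencode({
            "grant_type": "refresh_token",
            "refresh_token": self.refresh_token,
            "client_id": self.client_id,
        })
        status, resp = self.post(self.token_endpoint, body)
        if status != 200:
            raise RuntimeError(f"refresh failed: {resp.get('error')}: {resp.get('error_description')}")
        self.access_token = resp["access_token"]
        # Keycloak rotates refresh tokens: keep the new one or the next refresh fails.
        self.refresh_token = resp.get("refresh_token", self.refresh_token)


class FakeTokenEndpoint:
    """Constructed stand-in for the provider's token endpoint, with refresh-token rotation."""

    def __init__(self, now, lifetime=300):
        self.now, self.lifetime, self.calls = now, lifetime, 0
        self.valid_refresh = {"rt-1"}

    def post(self, url, form_body):
        self.calls += 1
        form = dict(urllib.parse.parse_qsl(form_body))
        if form.get("grant_type") != "refresh_token" or form.get("refresh_token") not in self.valid_refresh:
            return 400, {"error": "invalid_grant", "error_description": "unknown or already-used refresh token"}
        self.valid_refresh.discard(form["refresh_token"])  # the old token is dead after rotation
        new_rt = f"rt-{self.calls + 1}"
        self.valid_refresh.add(new_rt)
        return 200, {"access_token": make_jwt(int(self.now()) + self.lifetime),
                     "refresh_token": new_rt, "token_type": "Bearer", "expires_in": self.lifetime}


def demo():
    """Ten 100 s query rounds against a 300 s token: returns (refreshes done, token always valid)."""
    clock = [1_700_000_000]

    def now():
        return clock[0]

    endpoint = FakeTokenEndpoint(now, lifetime=300)
    session = TokenSession("https://auth.example/token", "Dev-Armadillo-Test",
                           make_jwt(now() + 300), "rt-1", endpoint.post, leeway=60, now=now)
    always_valid = True
    for _ in range(10):
        token = session.bearer()
        always_valid = always_valid and jwt_exp(token) - now() >= 60
        clock[0] += 100                 # 100 s of server-side work per round
    return endpoint.calls, always_valid


if __name__ == "__main__":
    print(demo())
```

Two caveats for the Keycloak setup discussed here: the refresh token itself is bound to the realm's SSO session idle/max timeouts, so a job that outlives those still fails unless the client requests the `offline_access` scope and gets an offline token; and because Keycloak rotates refresh tokens, whatever stores the pair (Armadillo, if this moves server-side) must persist the new refresh token from every response.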

clemens-tolboom commented 4 months ago

KeyCloak OIDC

We managed to log in through the UI https://dev-armadillo.molgenis.org using the KeyCloak config below.

As described on https://github.com/molgenis/molgenis-r-auth, we see KeyCloak is not working from R.

Fusion Auth

```r
# Fusion Auth
endpoint <- discover("https://auth.molgenis.org")
```

does the same as

```sh
curl https://auth.molgenis.org/.well-known/openid-configuration
```

KeyCloak

```r
endpoint <- discover("https://auth1.molgenis.net/realms/Molgenis")
```

does the same as

```sh
curl https://auth1.molgenis.net/realms/Molgenis/.well-known/openid-configuration
```

application.yml

There are some fields added for KeyCloak, especially for the resourceserver.

```yaml
# fragment under spring.security
    oauth2:
      client:
        provider:
          molgenis:
            issuer-uri: https://auth1.molgenis.net/realms/Molgenis
        registration:
          molgenis:
            redirect-uri: 'https://dev-armadillo.molgenis.org/login/oauth2/code/molgenis'
            scope: openid, profile, email   # <== added for KeyCloak
            client-id: Dev-Armadillo-Test
            client-secret: ...
      resourceserver:
        jwt:
          issuer-uri: https://auth1.molgenis.net/realms/Molgenis
          jwk-set-uri: https://auth1.molgenis.net/realms/Molgenis/protocol/openid-connect/certs   # <== added for KeyCloak
        opaquetoken:
          # <== added for KeyCloak; the Spring Boot property name is introspection-uri, not introspection-url
          introspection-uri: 'https://auth1.molgenis.net/realms/Molgenis/protocol/openid-connect/token/introspect'
          client-id: Dev-Armadillo-Test
          client-secret: ...
```

Test script used

Used R script. This needs a working release-test.R libs RStudio environment.

```r
#!/usr/bin/env Rscript
library(dsBaseClient)
library(purrr)
library(MolgenisArmadillo)

#demo_url <- "https://armadillo-demo.molgenis.net/"
#demo_url <- "http://localhost:8080/"
demo_url <- "https://dev-armadillo.molgenis.org/"

# Obtain the OIDC token for the Armadillo server (opens the login flow).
demo_token <- armadillo.get_token(demo_url)
print(demo_token)

builder <- DSI::newDSLoginBuilder()
builder$append(server = "study1", url = demo_url, profile = "xenon", token = demo_token, driver = "ArmadilloDriver",
               table = "xenon-tests/2_1-core-1_0/nonrep")
#builder$append(server = "study1", url = demo_url, profile = "default", token = demo_token, driver = "ArmadilloDriver",
#               table = "lifecycle/core/nonrep")
logindata <- builder$build()

conns <- DSI::datashield.login(logins = logindata, assign = T, symbol = "nonrep")

# Keep issuing small DataSHIELD calls every 10 s until the token times out.
1:100000 %>% map(~{
  Sys.sleep(10)
  print(.)
  print(format(Sys.time(), "%Y-%m-%dT%H:%M:%S"))
  ds.rep(x1 = 4, times = 6, length.out = NA, each = 1, source.x1 = "clientside", source.times = "c",
         source.length.out = NULL, source.each = "c", x1.includes.characters = FALSE, newobj = "rep.seq")
})
```
clemens-tolboom commented 4 months ago

device login

After cloning https://github.com/molgenis/molgenis-r-auth, googling, and managing KeyCloak checkboxes, we tried POST-ing as a form, and device login works.

See PR https://github.com/molgenis/molgenis-r-auth/pull/18
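The device login this thread ends on, together with the discovery lookup from the KeyCloak comment above, as an added example that is not code from molgenis-r-auth or Armadillo: read `device_authorization_endpoint` and `token_endpoint` from the discovery document, POST the device request as a form (the part that had to change in the R client), show the user code, then poll the token endpoint with the RFC 8628 device grant while honouring `authorization_pending` and `slow_down`. The discovery document, the provider and its responses are constructed for the demo and mirror Keycloak's endpoint layout rather than copying the live one.

```python
"""OAuth 2.0 device authorization grant (RFC 8628), as used for logging in from R.

Added example, not code from molgenis-r-auth or Armadillo. It assumes the
provider publishes `device_authorization_endpoint` and `token_endpoint` in
its discovery document and, like Keycloak, wants request bodies as
application/x-www-form-urlencoded rather than JSON. The transport is
injected and the provider is a constructed fake, so the demo runs offline.
"""
import json
import time
import urllib.parse

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
FORM = "application/x-www-form-urlencoded"

DISCOVERY_DOC = json.dumps({  # constructed; same shape as <issuer>/.well-known/openid-configuration
    "issuer": "https://auth.example/realms/Molgenis",
    "token_endpoint": "https://auth.example/realms/Molgenis/protocol/openid-connect/token",
    "device_authorization_endpoint": "https://auth.example/realms/Molgenis/protocol/openid-connect/auth/device",
    "jwks_uri": "https://auth.example/realms/Molgenis/protocol/openid-connect/certs",
})


def discover(doc: str) -> dict:
    """Pull the two endpoints the device flow needs out of a discovery document."""
    d = json.loads(doc)
    return {k: d[k] for k in ("token_endpoint", "device_authorization_endpoint")}


def device_login(post, endpoints, client_id, scope, sleep=time.sleep):
    """Run the flow; `post(url, content_type, body) -> (status, dict)` is the transport."""
    status, dev = post(endpoints["device_authorization_endpoint"], FORM,
                       urllib.parse.urlencode({"client_id": client_id, "scope": scope}))
    if status != 200:
        raise RuntimeError(f"device authorization failed: {dev}")
    print(f"Visit {dev['verification_uri']} and enter code {dev['user_code']}")  # shown to the user
    interval, waited = dev.get("interval", 5), 0
    while waited < dev.get("expires_in", 600):
        sleep(interval)
        waited += interval
        status, tok = post(endpoints["token_endpoint"], FORM, urllib.parse.urlencode({
            "grant_type": DEVICE_GRANT, "device_code": dev["device_code"], "client_id": client_id}))
        if status == 200:
            return tok
        err = tok.get("error")
        if err == "authorization_pending":
            continue
        if err == "slow_down":          # RFC 8628 section 3.5: add 5 s to the polling interval
            interval += 5
            continue
        raise RuntimeError(f"device login failed: {err}")  # access_denied, expired_token, ...
    raise TimeoutError("device code expired before the user approved")


class FakeProvider:
    """Constructed stand-in for Keycloak's device endpoints; approves on the Nth poll."""

    def __init__(self, approve_on_poll=3):
        self.polls = {}                 # device_code -> number of token polls so far
        self.approve_on_poll = approve_on_poll
        self.requests = []              # (endpoint name, content type) for inspection

    def post(self, url, content_type, body):
        self.requests.append((url.rsplit("/", 1)[-1], content_type))
        if content_type != FORM:        # a JSON body is refused; real providers differ in the exact status
            return 400, {"error": "invalid_request", "error_description": "form-encoded body required"}
        form = dict(urllib.parse.parse_qsl(body))
        if url.endswith("/auth/device"):
            code = f"dc-{len(self.polls) + 1}"
            self.polls[code] = 0
            return 200, {"device_code": code, "user_code": "ABCD-EFGH", "expires_in": 600, "interval": 5,
                         "verification_uri": "https://auth.example/realms/Molgenis/device"}
        if url.endswith("/token"):
            if form.get("grant_type") != DEVICE_GRANT or form.get("device_code") not in self.polls:
                return 400, {"error": "invalid_grant"}
            self.polls[form["device_code"]] += 1
            n = self.polls[form["device_code"]]
            if n == 1:
                return 400, {"error": "slow_down"}
            if n < self.approve_on_poll:
                return 400, {"error": "authorization_pending"}
            return 200, {"access_token": "at-demo", "refresh_token": "rt-demo",
                         "token_type": "Bearer", "expires_in": 300}
        return 404, {"error": "not_found"}


def demo():
    """Returns (access token, endpoints hit in order) for a login approved on the 3rd poll."""
    provider = FakeProvider(approve_on_poll=3)
    tok = device_login(provider.post, discover(DISCOVERY_DOC), "Dev-Armadillo-Test",
                       "openid profile email", sleep=lambda _: None)
    return tok["access_token"], [name for name, _ in provider.requests]


def json_body_status():
    """Status the fake provider returns when the device request is sent as JSON instead of a form."""
    provider = FakeProvider()
    status, _ = provider.post(discover(DISCOVERY_DOC)["device_authorization_endpoint"],
                              "application/json", json.dumps({"client_id": "Dev-Armadillo-Test"}))
    return status


if __name__ == "__main__":
    print(demo(), json_body_status())
```

On the Keycloak side the flow only works once the client has "OAuth 2.0 Device Authorization Grant Enabled" switched on (one of the checkboxes mentioned above); without it the device endpoint answers with an error and no amount of client-side fixing helps. The `refresh_token` that comes back with the final token response is what a long-running R session would later exchange when the access token times out.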