mozilla / mozilla-django-oidc

A django OpenID Connect library
https://mozilla-django-oidc.readthedocs.io
Mozilla Public License 2.0
452 stars 169 forks

Mozilla django oidc does not use default refresh token and #236

Open ghost opened 6 years ago

ghost commented 6 years ago

I am using keycloak for single sign on and also single sign out. And I try to connect a django application to keycloak through mozilla-django-oidc.

My django application is working well for the single sign on concept. But when it comes to single sign out, I am forced to manually configure the OIDC_RENEW_ID_TOKEN_EXPIRY_SECONDS parameter in settings.

In my case, keycloak has the generic expire time values [image]

mozilla-django-oidc does not use those parameters for token expiry. So for however many django clients I have, that many times I have to specify OIDC_RENEW_ID_TOKEN_EXPIRY_SECONDS.

Moreover, mozilla-django-oidc receives the following values in the following function:

    response = requests.post(
        self.OIDC_OP_TOKEN_ENDPOINT,
        data=payload,
        verify=import_from_settings('OIDC_VERIFY_SSL', True))

response is: mozilla_django_oidc/auth.py [image]

johngian commented 6 years ago

Hey @rackmuthu! The config value OIDC_RENEW_ID_TOKEN_EXPIRY_SECONDS is used for the session refresh middleware [1]. Is that what you are referring to as well?

What is the expected behavior you are proposing?

[1] https://github.com/mozilla/mozilla-django-oidc/blob/master/mozilla_django_oidc/middleware.py#L41

wtlyu commented 5 years ago

same problem.

I think, if the OIDC provider returns a refresh key together with the access token, we can easily refresh the access token using it in the backend, rather than directly redirecting the request.

That is important because I use the server as an API provider. It always redirects my API request to login pages and back. For the frontend, it is a confusing behavior because they may expect a 401 code. An HTTP redirect in an API request is not a good practice.

In my understanding, the expected behavior flow is like this:

(user has logged in before)
In middleware:

    if match the 'OIDC_RENEW_ID_TOKEN_EXPIRY_SECONDS':
        if has refresh_token:
            refresh access_token using refresh_token through the token URL (from .well-known)
            if successfully refreshed:
                return  # login valid, finish
            else:
                return http 401  # token expired, and login is invalid
        else:  # no refresh token support
            use the redirect way or 401 (maybe an option like 'OIDC_RENEW_ID_TOKEN_REDIRECT')

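The flow proposed above, written out as a stdlib-only Python sketch of the middleware decision. This is an added example, not code from mozilla-django-oidc or from the commenter: the session keys (oidc_id_token_expiration, oidc_refresh_token, oidc_access_token), the fake_op stand-in for the OP token endpoint, the renew_session/validate_token_response helpers and the OIDC_RENEW_ID_TOKEN_REDIRECT option are all assumptions. The refresh exchange itself follows the refresh_token grant of RFC 6749 section 6, and the refresh token never leaves the server-side session, so a frontend only ever sees the resulting 401 or a renewed session.

```python
"""Session-renewal decision for an OIDC middleware (added example, stdlib only)."""
import time

# Placeholder client credentials; in a real project these come from settings.
OIDC_RP_CLIENT_ID = "client-id-placeholder"
OIDC_RP_CLIENT_SECRET = "client-secret-placeholder"
# Fallback renew interval when the OP sends no expires_in (mirrors the thread's setting).
OIDC_RENEW_ID_TOKEN_EXPIRY_SECONDS = 15 * 60
# Hypothetical option from the thread: redirect browser requests when no refresh token exists.
OIDC_RENEW_ID_TOKEN_REDIRECT = True


def refresh_grant_payload(client_id, client_secret, refresh_token):
    """Form body for the refresh_token grant (RFC 6749 section 6)."""
    return {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    }


def validate_token_response(body):
    """Keep only a well-formed bearer token response; return None on any error body."""
    if not isinstance(body, dict) or "access_token" not in body:
        return None
    if body.get("token_type", "Bearer").lower() != "bearer":
        return None
    expires_in = body.get("expires_in", OIDC_RENEW_ID_TOKEN_EXPIRY_SECONDS)
    if not isinstance(expires_in, int) or expires_in <= 0:
        return None
    return {
        "access_token": body["access_token"],
        "id_token": body.get("id_token"),
        "refresh_token": body.get("refresh_token"),  # present only if the OP rotates it
        "expires_in": expires_in,
    }


def renew_session(session, post_token_request, now=None, is_api_request=False):
    """Return 'valid', 'refreshed', 'unauthorized' or 'redirect' for this request.

    session: a mutable mapping (request.session in Django).
    post_token_request: callable(payload) -> parsed JSON dict from the token endpoint.
    """
    now = time.time() if now is None else now
    if now < session.get("oidc_id_token_expiration", 0):
        return "valid"  # not yet due for renewal

    refresh_token = session.get("oidc_refresh_token")
    if not refresh_token:
        # No refresh token: APIs get a 401, browsers get the redirect (if enabled).
        if is_api_request or not OIDC_RENEW_ID_TOKEN_REDIRECT:
            return "unauthorized"
        return "redirect"

    payload = refresh_grant_payload(OIDC_RP_CLIENT_ID, OIDC_RP_CLIENT_SECRET, refresh_token)
    tokens = validate_token_response(post_token_request(payload))
    if tokens is None:
        # Refresh rejected (revoked or expired, e.g. after single sign out): clear local state.
        for key in ("oidc_access_token", "oidc_refresh_token", "oidc_id_token_expiration"):
            session.pop(key, None)
        return "unauthorized"

    session["oidc_access_token"] = tokens["access_token"]
    if tokens["refresh_token"]:
        session["oidc_refresh_token"] = tokens["refresh_token"]  # honour rotation
    # Use the OP's own lifetime instead of a hand-configured local value.
    session["oidc_id_token_expiration"] = now + tokens["expires_in"]
    return "refreshed"


# Constructed stand-in for the OP token endpoint so the example runs offline.
CONSTRUCTED_REFRESH_TOKEN = "rt-constructed-1"


def fake_op(payload):
    """Behaves like a token endpoint: only the constructed refresh token is still valid."""
    if payload["grant_type"] != "refresh_token":
        return {"error": "unsupported_grant_type"}
    if payload["refresh_token"] != CONSTRUCTED_REFRESH_TOKEN:
        return {"error": "invalid_grant"}
    return {"access_token": "at-new", "token_type": "Bearer", "expires_in": 300,
            "refresh_token": "rt-rotated", "id_token": "idt-new"}


if __name__ == "__main__":
    session = {"oidc_id_token_expiration": 500, "oidc_refresh_token": CONSTRUCTED_REFRESH_TOKEN}
    print(renew_session(session, fake_op, now=1000), session)
    session = {"oidc_id_token_expiration": 500, "oidc_refresh_token": "revoked"}
    print(renew_session(session, fake_op, now=1000, is_api_request=True), session)
```

In a real middleware the result maps directly onto the thread's proposal: 'valid' and 'refreshed' let the request through, 'unauthorized' becomes an HTTP 401 response, and 'redirect' becomes the existing authentication redirect.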
wtlyu commented 5 years ago

Here another OIDC RP library does this stuff.

cc django-oidc-rp's middleware.py