Open ghost opened 6 years ago
Hey @rackmuthu! The config value OIDC_RENEW_ID_TOKEN_EXPIRY_SECONDS is used for the session refresh middleware [1]. Is that what you are referring to as well?
What is the expected behavior you are proposing?
[1] https://github.com/mozilla/mozilla-django-oidc/blob/master/mozilla_django_oidc/middleware.py#L41
Same problem.
I think that if the OIDC provider returns a refresh key together with the access token, we can easily refresh the access token and use it in the backend, rather than directly redirecting the request.
That is important because I use the server as an API provider. It always redirects my API requests to the login page and back. For the frontend, this is confusing behavior because it may expect a 401 code. An HTTP redirect in an API request is not good practice.
In my understanding, the expected behavior flow is like this:

    (user has logged in before)
    In middleware:
    if match the 'OIDC_RENEW_ID_TOKEN_EXPIRY_SECONDS':
        if has refresh_token:
            refresh access_token using refresh_access through refresh URL (from .well-known)
            if successfully refreshed:
                return  # login valid, finish
            else:
                return http 401  # key expired, and login is invalid
        else:  # no refresh token support
            use the redirect way or 401 (maybe an option like 'OIDC_RENEW_ID_TOKEN_REDIRECT')

Here, another OIDC RP library does this stuff.
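The flow proposed in the comment above, as an added Python example (not code from mozilla-django-oidc or from any commenter). The session key `oidc_refresh_token`, the `redirect_without_refresh` flag (standing in for the suggested 'OIDC_RENEW_ID_TOKEN_REDIRECT' option) and both function names are assumptions; the token call is passed in as `refresh` so the decision logic runs offline.

```python
import json
import time
import urllib.parse
import urllib.request

def refresh_grant(token_endpoint, client_id, client_secret, refresh_token):
    """RFC 6749 section 6 refresh_token grant; returns the token response or None."""
    body = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(token_endpoint, data=body)  # data= makes it a POST
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except (OSError, ValueError):
        return None  # rejected, unreachable or malformed: treat the login as expired

def renew_session(session, refresh, renew_seconds,
                  redirect_without_refresh=False, now=None):
    """Return 'valid', 'refreshed', 'unauthorized' (send HTTP 401) or 'redirect'."""
    now = time.time() if now is None else now
    if session.get("oidc_id_token_expiration", 0) > now:
        return "valid"  # renewal window not reached yet
    old = session.get("oidc_refresh_token")  # hypothetical session key
    if not old:
        # No refresh token support: redirect (browser) or 401 (API client).
        return "redirect" if redirect_without_refresh else "unauthorized"
    tokens = refresh(old)
    if not tokens or "access_token" not in tokens:
        # Drop stale credentials so an expired login is not retried forever.
        session.pop("oidc_access_token", None)
        session.pop("oidc_refresh_token", None)
        return "unauthorized"
    session["oidc_access_token"] = tokens["access_token"]
    # The provider may rotate the refresh token; keep the old one otherwise.
    session["oidc_refresh_token"] = tokens.get("refresh_token", old)
    session["oidc_id_token_expiration"] = now + renew_seconds
    return "refreshed"
```

In a middleware, `refresh` would be `refresh_grant` bound to the provider's token endpoint and client credentials, and an `'unauthorized'` result would map to a 401 response instead of the login redirect.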
I am using Keycloak for single sign-on and also single sign-out, and I am trying to connect a Django application to Keycloak through mozilla-django-oidc.
My Django application works well with the single sign-on concept. But when it comes to single sign-out, I am forced to manually configure the OIDC_RENEW_ID_TOKEN_EXPIRY_SECONDS parameter in settings.
In my case, Keycloak has the generic expiry time values
mozilla-django-oidc does not use those parameters for token expiry. So for however many Django clients I have, that many times I have to specify OIDC_RENEW_ID_TOKEN_EXPIRY_SECONDS.
Moreover, mozilla-django-oidc receives the following values in the following function:

    response = requests.post(
        self.OIDC_OP_TOKEN_ENDPOINT,
        data=payload,
        verify=import_from_settings('OIDC_VERIFY_SSL', True))

response is: mozilla_django_oidc/auth.py