puiterwijk / flask-oidc

OpenID Connect support for Flask
BSD 2-Clause "Simplified" License

Automatically refresh token #116

Open hrauch opened 3 years ago

hrauch commented 3 years ago

I'm using keycloak and want to refresh my token after timeout (1 min).

I've found this solution - I'm using two session variables 'user' and 'oidc_id_token':

```python
from flask import g, session


@app.before_request
def before_request_func():
    if 'user' in session:
        if not g.oidc_id_token and 'oidc_id_token' in session:
            g.oidc_id_token = session["oidc_id_token"]
        else:
            session['oidc_id_token'] = g.oidc_id_token
```

On the other hand: If I comment out line 376 in function _set_cookie_id_token(self, id_token), I got the same result???

Hans
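An added example, not code from this issue or from flask-oidc: a stand-in for the timed, signed ID-token cookie that the library loads on every request (flask-oidc 1.x delegates this to itsdangerous; the traceback later in the thread shows `itsdangerous/jws.py` raising `SignatureExpired`). It is built on the standard library so it runs offline, and it shows two things: why the cookie stops loading once it is older than its max_age, and that a session-side copy of the token, like the workaround above, must still be checked against the token's own `exp` claim before it is trusted, otherwise re-reading the copy from the session keeps an expired login alive. The function names, the 60 s max_age, the secret and the claim values are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Stand-in for the timed, signed cookie serializer; not flask-oidc's or itsdangerous's own code.


class BadCookie(Exception):
    """Signature does not verify or the cookie is malformed (cf. itsdangerous BadSignature)."""


class CookieExpired(Exception):
    """Signature is fine but the cookie is older than max_age (cf. itsdangerous SignatureExpired)."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(secret: bytes, payload: str) -> str:
    return _b64(hmac.new(secret, payload.encode("ascii"), hashlib.sha256).digest())


def sign_cookie(secret: bytes, claims: dict, now: int) -> str:
    """Serialise claims as <claims>.<issued-at>.<mac>; max_age is measured from the issue time."""
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode()) + "." + _b64(now.to_bytes(8, "big"))
    return payload + "." + _mac(secret, payload)


def load_cookie(secret: bytes, cookie: str, max_age: int, now: int) -> dict:
    """Check the MAC first (constant time), then the age, then hand back the claims."""
    try:
        payload, sig = cookie.rsplit(".", 1)
        claims_b64, ts_b64 = payload.split(".")
    except ValueError:
        raise BadCookie("malformed cookie") from None
    if not hmac.compare_digest(sig, _mac(secret, payload)):
        raise BadCookie("bad signature")
    age = now - int.from_bytes(_unb64(ts_b64), "big")
    if age > max_age:
        raise CookieExpired(f"cookie is {age}s old, max_age is {max_age}s")
    return json.loads(_unb64(claims_b64))


def id_token_usable(claims: dict, now: int, skew: int = 30) -> bool:
    """OIDC Core 3.1.3.7: the RP must reject an ID token whose exp has passed."""
    return int(claims.get("exp", 0)) + skew > now


def resolve_id_token(secret: bytes, cookie, session: dict, max_age: int, now: int):
    """Return (claims, 'ok') or (None, 'reauth').

    Mirrors the workaround above (keep a copy of the token in the Flask session and
    use it when the cookie is missing or expired) but still enforces the token's own
    exp, so an expired token cannot be kept alive by re-reading it from the session.
    """
    claims = None
    if cookie is not None:
        try:
            claims = load_cookie(secret, cookie, max_age, now)
        except CookieExpired:
            pass  # fall through to the session copy
        except BadCookie:
            return None, "reauth"  # a forged or corrupted cookie never falls back
    if claims is None:
        claims = session.get("oidc_id_token")
    if claims is None or not id_token_usable(claims, now):
        session.pop("oidc_id_token", None)
        return None, "reauth"
    session["oidc_id_token"] = claims
    return claims, "ok"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"            # assumption: never hard-code this in a real app
    claims = {"sub": "alice", "exp": 1000 + 300}   # constructed: token valid for 5 minutes
    cookie = sign_cookie(secret, claims, now=1000)
    session = {}
    for t in (1030, 1120, 1400):                   # cookie max_age 60 s, matching the 1 min timeout above
        print(t, resolve_id_token(secret, cookie, session, max_age=60, now=t)[1])
```

With a 60 s cookie lifetime and a 5 minute token, the second request (cookie expired, token still valid) succeeds from the session copy, while the third (token itself expired) is sent back to the provider. Whatever the library does with `g.oidc_id_token` afterwards, this is the check the before_request hook needs before it copies the token back out of the session.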

jouellnyc commented 2 years ago

@hrauch Great. Thanks so much for this. I had the same issue w/Google:

I was just starting w/flask, so did not `from flask import session`. That made this all work.

For others' Google-ability, here's my error:

```
2022-05-13T22:01:32.544-04:00  DEBUG:flask_oidc:Invalid ID token cookie
2022-05-13T22:01:32.544-04:00  Traceback (most recent call last):
2022-05-13T22:01:32.544-04:00    File "/usr/local/lib/python3.9/site-packages/flask_oidc/__init__.py", line 353, in _get_cookie_id_token
2022-05-13T22:01:32.544-04:00      return self.cookie_serializer.loads(id_token_cookie)
2022-05-13T22:01:32.544-04:00    File "/usr/local/lib/python3.9/site-packages/itsdangerous/jws.py", line 202, in loads
2022-05-13T22:01:32.544-04:00      raise SignatureExpired(
2022-05-13T22:01:32.544-04:00  itsdangerous.exc.SignatureExpired: Signature expired
2022-05-13T22:01:32.835-04:00  [2022-05-14 02:01:32 +0000] [10] [DEBUG] GET /
2022-05-13T22:01:34.885-04:00  [2022-05-14 02:01:34 +0000] [11] [DEBUG] GET /login_oauth
2022-05-13T22:01:37.120-04:00  [2022-05-14 02:01:37 +0000] [9] [DEBUG] GET /oidc_callback
2022-05-13T22:01:37.171-04:00  INFO:oauth2client.client:Received token response with no refresh_token. Consider reauthenticating with prompt='consent'.
2022-05-13T22:01:37.172-04:00  INFO:oauth2client.client:Successfully retrieved access token
2022-05-13T22:01:37.212-04:00  [2022-05-14 02:01:37 +0000] [11] [DEBUG] GET /login_oauth
2022-05-13T22:01:37.257-04:00  INFO:oauth2client.transport:Refreshing due to a 401 (attempt 1/2)
2022-05-13T22:01:37.257-04:00  INFO:oauth2client.client:Refreshing access_token
2022-05-13T22:01:37.298-04:00  INFO:oauth2client.client:Failed to retrieve access token: {
2022-05-13T22:01:37.298-04:00    "error": "invalid_grant",
2022-05-13T22:01:37.298-04:00    "error_description": "Bad Request"
2022-05-13T22:01:37.298-04:00  }
2022-05-13T22:01:37.300-04:00  [2022-05-14 02:01:37 +0000] [11] [ERROR] Error handling request /login_oauth
2022-05-13T22:01:37.300-04:00  Traceback (most recent call last):
2022-05-13T22:01:37.300-04:00    File "/usr/local/lib/python3.9/site-packages/gunicorn/workers/sync.py", line 134, in handle
2022-05-13T22:01:37.300-04:00      self.handle_request(listener, req, client, addr)
2022-05-13T22:01:37.300-04:00    File "/usr/local/lib/python3.9/site-packages/gunicorn/workers/sync.py", line 175, in handle_request
2022-05-13T22:01:37.300-04:00      respiter = self.wsgi(environ, resp.start_response)
2022-05-13T22:01:37.300-04:00    File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 2464, in __call__
2022-05-13T22:01:37.300-04:00      return self.wsgi_app(environ, start_response)
2022-05-13T22:01:37.300-04:00    File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 2450, in wsgi_app
2022-05-13T22:01:37.300-04:00      response = self.handle_exception(e)
2022-05-13T22:01:37.300-04:00    File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 1867, in handle_exception
2022-05-13T22:01:37.300-04:00      reraise(exc_type, exc_value, tb)
2022-05-13T22:01:37.300-04:00    File "/usr/local/lib/python3.9/site-packages/flask/_compat.py", line 39, in reraise
2022-05-13T22:01:37.300-04:00      raise value
2022-05-13T22:01:37.300-04:00    File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 2447, in wsgi_app
2022-05-13T22:01:37.300-04:00      response = self.full_dispatch_request()
2022-05-13T22:01:37.300-04:00    File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 1952, in full_dispatch_request
2022-05-13T22:01:37.300-04:00      rv = self.handle_user_exception(e)
2022-05-13T22:01:37.300-04:00    File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 1821, in handle_user_exception
2022-05-13T22:01:37.300-04:00      reraise(exc_type, exc_value, tb)
2022-05-13T22:01:37.300-04:00    File "/usr/local/lib/python3.9/site-packages/flask/_compat.py", line 39, in reraise
2022-05-13T22:01:37.300-04:00      raise value
2022-05-13T22:01:37.300-04:00    File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 1950, in full_dispatch_request
2022-05-13T22:01:37.300-04:00      rv = self.dispatch_request()
2022-05-13T22:01:37.300-04:00    File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 1936, in dispatch_request
2022-05-13T22:01:37.300-04:00      return self.view_functions[rule.endpoint](**req.view_args)
2022-05-13T22:01:37.300-04:00    File "/usr/local/lib/python3.9/site-packages/flask_oidc/__init__.py", line 487, in decorated
2022-05-13T22:01:37.300-04:00      return view_func(*args, **kwargs)
2022-05-13T22:01:37.300-04:00    File "/stocks/stock_flask.py", line 76, in hello_me
2022-05-13T22:01:37.300-04:00      info = oidc.user_getinfo(['email', 'openid_id'])
2022-05-13T22:01:37.300-04:00    File "/usr/local/lib/python3.9/site-packages/flask_oidc/__init__.py", line 248, in user_getinfo
2022-05-13T22:01:37.300-04:00      all_info = self._retrieve_userinfo(access_token)
2022-05-13T22:01:37.300-04:00    File "/usr/local/lib/python3.9/site-packages/flask_oidc/__init__.py", line 319, in _retrieve_userinfo
2022-05-13T22:01:37.300-04:00      resp, content = http.request(self.client_secrets['userinfo_uri'])
2022-05-13T22:01:37.300-04:00    File "/usr/local/lib/python3.9/site-packages/oauth2client/transport.py", line 186, in new_request
2022-05-13T22:01:37.300-04:00      credentials._refresh(orig_request_method)
2022-05-13T22:01:37.300-04:00    File "/usr/local/lib/python3.9/site-packages/oauth2client/client.py", line 749, in _refresh
2022-05-13T22:01:37.300-04:00      self._do_refresh_request(http)
2022-05-13T22:01:37.300-04:00    File "/usr/local/lib/python3.9/site-packages/oauth2client/client.py", line 819, in _do_refresh_request
2022-05-13T22:01:37.300-04:00      raise HttpAccessTokenRefreshError(error_msg, status=resp.status)
2022-05-13T22:01:37.300-04:00  oauth2client.client.HttpAccessTokenRefreshError: invalid_grant: Bad Request
```
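The log above shows the second half of the problem: the token response from Google carried no `refresh_token`, so when the access token stopped working the automatic refresh ran anyway and failed with `invalid_grant`. The following is an added example, not code from the issue, from flask-oidc or from oauth2client, of the relying-party-side checks that avoid that path: ask Google for offline access up front (`access_type=offline` and `prompt=consent` are Google's documented parameters; the second is what the log message suggests), bind the callback to the login with `state` and `nonce`, record at callback time whether a refresh token was actually issued, and only attempt a refresh when one exists, otherwise send the user back through login. The function names and the sample token responses are constructed for the example.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumptions: Google's documented v2 authorization endpoint and its access_type /
# prompt parameters; function names and sample responses below are constructed.
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def build_auth_request(client_id: str, redirect_uri: str, scopes, want_refresh_token: bool):
    """Return (url, state, nonce). state ties the callback to this browser session (CSRF);
    nonce is echoed inside the ID token (replay). Persist both server-side before redirecting."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    }
    if want_refresh_token:
        # Google issues a refresh_token only for offline access, and only on the first
        # consent unless prompt=consent forces the consent screen again.
        params["access_type"] = "offline"
        params["prompt"] = "consent"
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params), state, nonce


def code_from_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code, refusing error responses and state mismatches."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or a stale login attempt")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return query["code"][0]


def credentials_from_token_response(resp: dict, now: int) -> dict:
    """Normalise the token endpoint response and record whether a refresh is possible at all."""
    if "access_token" not in resp or "expires_in" not in resp:
        raise ValueError("malformed token response")
    return {
        "access_token": resp["access_token"],
        "id_token": resp.get("id_token"),
        "expires_at": now + int(resp["expires_in"]),
        "refresh_token": resp.get("refresh_token"),  # None when the provider did not issue one
    }


def next_action(creds: dict, now: int, skew: int = 30) -> str:
    """'use' while the access token is fresh; otherwise 'refresh' only if a refresh token
    exists, else 'reauth'. Refreshing without one is what the log shows failing with invalid_grant."""
    if now + skew < creds["expires_at"]:
        return "use"
    return "refresh" if creds["refresh_token"] else "reauth"


if __name__ == "__main__":
    # Constructed token responses; the first has the shape the log above complains about.
    without_rt = {"access_token": "ya29.example", "expires_in": 3599, "token_type": "Bearer", "id_token": "eyJ..."}
    with_rt = dict(without_rt, refresh_token="1//example")
    for label, resp in (("no refresh_token", without_rt), ("with refresh_token", with_rt)):
        creds = credentials_from_token_response(resp, now=0)
        print(label, "->", next_action(creds, now=0), "/", next_action(creds, now=3600))
```

Treating a missing `refresh_token` as "re-login when the access token expires" rather than as "refresh later" turns the 401-then-`invalid_grant` sequence in the log into an ordinary redirect to the provider. If background refresh is a requirement, the fix is in the authorization request (offline access with forced consent), not in retrying the refresh.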