zamzterz
commented
4 years ago Nice catch finding those issues and solutions for it! 🙇
- Your solution to the first issue looks good to me as-is. 👍
- Have you debugged the requests? I'm wondering why the
auth_timein the session was not updated with the silent refresh request. Was there no ID Token returned in that case? Another thing: since the ID Token lifetime has no relation to the end-user session lifetime, it's better to base the refresh interval on the last authentication timestamp than the expiry time of the ID Token. That's why therefresh_interval_secondsis necessary (which looks to currently be ignored your proposed solution).
fredldotme
With the current state of flask_pyoidc we're running into the issue of not silently refreshing the tokens when it's desired.
Our current setup is as follows: API endpoints are protected using flask_pyoidc, with the session_refresh_interval_seconds providing
prompt=nonerefreshing after 5 minutes.The first issue we encountered was running into the silent refreshing when the initial authentication has not been successfully established yet. The second issue was the refreshing being triggered based on the previous auth_time, which didn't change with the request. Instead, what worked was taking the expiry time provided by the OIDC instance to trigger the silent refresh that way.
To illustrate a proposed way of fixing it we've created this change (this is not PR-quality code by any means): https://github.com/fredldotme/Flask-pyoidc/commit/8a062a1d9d281a80421c1e3adadd84c50ae12c7a
This forces the refresh after 5 minutes. Note that we've added 20 seconds of headroom before the expiry time runs out.
I'd like to get your suggestions on this topic and maybe a way forward in the form of code being merged into upstream.