
✨(oidc) add refresh token tools #3


Merged: 1 commit merged into main from qbey/oidc-add-resource-server-clients on Apr 3, 2025

Conversation


@qbey qbey commented Apr 2, 2025

Purpose

This provides a way to refresh the OIDC access token.

The OIDC token will be used to request data from a resource server.
This code is highly related to mozilla/mozilla-django-oidc#377

The refresh token is encrypted in the session.

Proposal

Reuse code written in suitenumerique/docs#584

  • allow access token storage in user session
  • allow refresh token encrypted storage in user session
  • create middleware for access token refresh and provide a decorator
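
The flow sketched in the proposal above, as an added example that is not the PR's or lasuite's own code: an OIDC backend stores the access token and a Fernet-encrypted refresh token in the session, a middleware refreshes the access token shortly before it expires, and a decorator applies that middleware to a single view. It is written framework-agnostically so it runs without Django; it assumes the `cryptography` package for Fernet, a server-side encryption key passed in as a hypothetical setting, an injected callable for the token-endpoint call, and constructed session key names (the project's real names and settings are not on the page).

```python
import time
from types import SimpleNamespace
from typing import Callable, Optional

from cryptography.fernet import Fernet, InvalidToken

# Session keys are constructed for this example; the project's own names are not on the page.
ACCESS_TOKEN_KEY = "oidc_access_token"
EXPIRES_AT_KEY = "oidc_access_token_expires_at"
REFRESH_TOKEN_KEY = "oidc_refresh_token"  # holds Fernet ciphertext, never the raw token

class RefreshFailed(Exception):
    """Raised by the token-endpoint callable when the OP rejects the refresh."""

class SessionTokenStore:
    """Access token kept in the session as-is; refresh token Fernet-encrypted under a server-side key."""

    def __init__(self, encryption_key: bytes, clock: Callable[[], float] = time.time):
        self._fernet = Fernet(encryption_key)  # hypothetical setting; the key never goes in the session
        self._clock = clock  # injectable so expiry can be tested deterministically

    def store(self, session: dict, access_token: str, expires_in: int,
              refresh_token: Optional[str] = None) -> None:
        session[ACCESS_TOKEN_KEY] = access_token
        session[EXPIRES_AT_KEY] = self._clock() + expires_in
        # Overwrite only when the OP rotated the refresh token; none in the response means "keep the old one".
        if refresh_token is not None:
            session[REFRESH_TOKEN_KEY] = self._fernet.encrypt(refresh_token.encode()).decode()

    def refresh_token(self, session: dict) -> Optional[str]:
        blob = session.get(REFRESH_TOKEN_KEY)
        try:
            return None if blob is None else self._fernet.decrypt(blob.encode()).decode()
        except InvalidToken:
            return None  # key rotated or value tampered with: treat as absent

    def access_token_is_fresh(self, session: dict, leeway: int = 30) -> bool:
        expires_at = session.get(EXPIRES_AT_KEY)
        return expires_at is not None and self._clock() + leeway < expires_at

class RefreshOIDCAccessTokenMiddleware:
    """Refreshes an expiring access token before the view runs; on failure drops the tokens and redirects."""

    def __init__(self, get_response, store: SessionTokenStore,
                 request_refresh: Callable[[str], dict], authorization_endpoint: str):
        self.get_response, self.store = get_response, store
        self.request_refresh = request_refresh  # the grant_type=refresh_token call to the OP token endpoint
        self.authorization_endpoint = authorization_endpoint  # where the user re-authenticates

    def __call__(self, request):
        session = request.session
        if ACCESS_TOKEN_KEY not in session and REFRESH_TOKEN_KEY not in session:
            return self.get_response(request)  # not an OIDC session: nothing to refresh
        if not self.store.access_token_is_fresh(session):
            try:
                refresh_token = self.store.refresh_token(session)
                if refresh_token is None:
                    raise RefreshFailed("no usable refresh token in session")
                tokens = self.request_refresh(refresh_token)
            except RefreshFailed:
                for key in (ACCESS_TOKEN_KEY, EXPIRES_AT_KEY, REFRESH_TOKEN_KEY):
                    session.pop(key, None)  # never keep tokens the OP no longer honours
                return {"status": 302, "redirect": self.authorization_endpoint}
            self.store.store(session, tokens["access_token"], tokens["expires_in"], tokens.get("refresh_token"))
        return self.get_response(request)

def refresh_oidc_access_token(store, request_refresh, authorization_endpoint):
    """Decorator form: apply the refresh middleware to one view instead of site-wide."""
    return lambda view: RefreshOIDCAccessTokenMiddleware(view, store, request_refresh, authorization_endpoint)

def run_scenario() -> dict:
    """Login, a fresh request, a refresh with rotation, then a refresh the OP rejects."""
    now = [1_000_000.0]
    store = SessionTokenStore(Fernet.generate_key(), clock=lambda: now[0])
    calls, revoked = [], set()
    def fake_op_refresh(refresh_token: str) -> dict:  # constructed stand-in for the OP token endpoint
        calls.append(refresh_token)
        if refresh_token in revoked:
            raise RefreshFailed("invalid_grant")
        return {"access_token": "at-2", "expires_in": 300, "refresh_token": "rt-2"}
    @refresh_oidc_access_token(store, fake_op_refresh, "https://op.example/authorize")
    def view(request):
        return {"status": 200, "access_token": request.session[ACCESS_TOKEN_KEY]}
    request = SimpleNamespace(session={})
    store.store(request.session, "at-1", 300, "refresh-token-initial")  # what the auth backend does at login
    out = {"plaintext_refresh_in_session": "refresh-token-initial" in repr(request.session)}
    out["fresh"] = view(request)
    now[0] += 290  # inside the 30 s leeway: the middleware refreshes before calling the view
    out["after_refresh"] = view(request)
    out["rotated_refresh_token"] = store.refresh_token(request.session)
    revoked.add("rt-2")  # the OP revokes the rotated token (e.g. logout elsewhere)
    now[0] += 300
    result = view(request)
    out["redirect_to"] = result.get("redirect")
    out["session_after_failure"] = dict(request.session)
    out["op_calls"] = calls
    return out
```

Two design points worth keeping when porting this to the real middleware: a failed refresh clears the stored tokens before redirecting, so a stale refresh token is never retried on every request, and a refresh response without a `refresh_token` field leaves the previously stored one in place rather than overwriting it with nothing.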

@qbey qbey force-pushed the qbey/oidc-add-resource-server-clients branch from 38c0683 to 489af13 Compare April 2, 2025 13:21
@qbey qbey requested a review from Copilot April 2, 2025 13:21
@qbey qbey self-assigned this Apr 2, 2025
@qbey qbey marked this pull request as ready for review April 2, 2025 13:21

@Copilot Copilot AI left a comment


Pull Request Overview

This PR introduces refresh token tools for OIDC integration by enabling encrypted storage of the refresh token in the user session and adding middleware/decorators to refresh access tokens when needed. Additionally, it updates the authentication backends, URL configurations, client classes, documentation, and testing workflows in support of these features.

  • Added functions to import private keys and encrypt/decrypt refresh tokens.
  • Implemented a middleware and decorator for on-demand token refresh.
  • Updated documentation, changelog, and tests configuration.

Reviewed Changes

Copilot reviewed 45 out of 46 changed files in this pull request and generated 1 comment.

File Description
src/lasuite/oidc_resource_server/utils.py Adds a utility function for importing the resource server’s private key.
src/lasuite/oidc_resource_server/urls.py Introduces a URL pattern for exposing the JWKS endpoint.
src/lasuite/oidc_resource_server/mixins.py Provides a mixin to support resource server view functionality.
src/lasuite/oidc_resource_server/clients.py Implements an authorization server client for token introspection and JWKS retrieval.
src/lasuite/oidc_resource_server/backend.py Adds the backend implementations for token introspection and JWT handling.
src/lasuite/oidc_resource_server/authentication.py Updates authentication to leverage the new resource server backend.
src/lasuite/oidc/views.py Customizes logout views to handle OIDC logout flows.
src/lasuite/oidc/middleware.py Implements a middleware for refreshing the OIDC access token.
src/lasuite/oidc/decorators.py Provides a decorator to apply the token refresh middleware on demand.
src/lasuite/oidc/backends.py Enhances the OIDC authentication backend to support refresh token storage.
documentation/* and pyproject.toml, CHANGELOG.md, workflows.yml Updates documentation, dependency configuration, and CI workflows.
Files not reviewed (1)
  • Makefile: Language not supported
Comments suppressed due to low confidence (1)

src/lasuite/oidc_resource_server/backend.py:136

  • The error message is confusing; consider changing it to 'Introspection response is missing required scopes.'
message = "Introspection response contains any required scopes."

@qbey qbey changed the base branch from main to qbey/oidc-add-authentication-backend April 2, 2025 13:22
@qbey qbey force-pushed the qbey/oidc-add-resource-server-clients branch from 489af13 to f999af7 Compare April 2, 2025 13:23
@qbey qbey requested review from Copilot and lunika April 2, 2025 13:23

@Copilot Copilot AI left a comment


Pull Request Overview

This PR adds refresh token tools to support encrypted storage of OIDC refresh tokens and enables automatic access token refresh via middleware and a decorator. Key changes include updating configuration settings, refining error messages in the backend and tests, and adding comprehensive tests for token refresh functionality.

Reviewed Changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.

File Description
tests/test_project/settings.py Added OIDC_OP_AUTHORIZATION_ENDPOINT setting for authentication flows
tests/oidc_resource_server/test_backend.py Corrected error messages for token introspection and user info verification
tests/oidc/test_middleware.py Added tests covering token refresh scenarios and error cases
tests/oidc/test_decorators.py Added tests for the refresh_oidc_access_token decorator
tests/oidc/test_backends.py Added tests to verify session token storage and refresh token handling
src/lasuite/oidc_resource_server/backend.py Updated logging messages in error handling
src/lasuite/oidc/middleware.py Introduced middleware to automatically refresh access tokens
src/lasuite/oidc/decorators.py Provided a decorator wrapping the refresh middleware
src/lasuite/oidc/backends.py Implemented encrypted storage and retrieval of refresh tokens
documentation/how-to-use-oidc-call-to-resource-server.md Expanded documentation on configuring and using OIDC tokens
CHANGELOG.md Documented the new refresh token tools feature

@qbey qbey force-pushed the qbey/oidc-add-resource-server-clients branch from f999af7 to 421dd3a Compare April 2, 2025 13:26
@qbey qbey requested a review from Copilot April 2, 2025 13:26

@Copilot Copilot AI left a comment


Pull Request Overview

This pull request adds refresh token tools to the OIDC module, enabling secure storage and automatic refreshing of the access token via session mechanisms and middleware. The changes include new settings and test cases, updated error messages for clarity, and comprehensive documentation on how to use the resource server endpoints.

  • Added a new OIDC_AUTHORIZATION_ENDPOINT setting.
  • Implemented middleware and decorator for refreshing access tokens.
  • Enhanced backend functionality to securely store and retrieve encrypted refresh tokens.

Reviewed Changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated no comments.

File Description
tests/test_project/settings.py Added OIDC_OP_AUTHORIZATION_ENDPOINT setting for auth URL
tests/oidc_resource_server/test_backend.py Updated error messages for JWKS and scope verification
tests/oidc/test_middleware.py Added tests to verify various scenarios for the refresh token middleware
tests/oidc/test_decorators.py Introduced tests for the refresh_oidc_access_token decorator
tests/oidc/test_backends.py Added tests for storing/retrieving refresh and access tokens
src/lasuite/oidc_resource_server/backend.py Updated error messages to better reflect missing scopes/JWKS
src/lasuite/oidc/middleware.py New middleware for automatic access token refresh based on OIDC settings
src/lasuite/oidc/decorators.py Added a decorator to trigger token refresh on demand
src/lasuite/oidc/backends.py Implemented functions for encrypted refresh token storage and retrieval
documentation/how-to-use-oidc-call-to-resource-server.md Added documentation on configuring and using token refresh with the resource server
CHANGELOG.md Updated changelog with the refresh token tools addition

@qbey qbey force-pushed the qbey/oidc-add-authentication-backend branch from 2237242 to 075c6b2 Compare April 3, 2025 11:25
@qbey qbey force-pushed the qbey/oidc-add-resource-server-clients branch from 421dd3a to 0da083f Compare April 3, 2025 11:27
@qbey qbey force-pushed the qbey/oidc-add-authentication-backend branch from 075c6b2 to c7f3383 Compare April 3, 2025 11:31
@qbey qbey force-pushed the qbey/oidc-add-resource-server-clients branch from 0da083f to e6f341d Compare April 3, 2025 11:32
@qbey qbey force-pushed the qbey/oidc-add-authentication-backend branch from c7f3383 to 270f06d Compare April 3, 2025 15:03
Base automatically changed from qbey/oidc-add-authentication-backend to main April 3, 2025 15:04
This provides a way to refresh the OIDC access token.

The OIDC token will be used to request data from a resource server.
This code is highly related to
mozilla/mozilla-django-oidc#377

The refresh token is encrypted in the session.
@qbey qbey force-pushed the qbey/oidc-add-resource-server-clients branch from e6f341d to 47930a2 Compare April 3, 2025 15:10
@qbey qbey merged commit 47930a2 into main Apr 3, 2025
6 checks passed
@qbey qbey deleted the qbey/oidc-add-resource-server-clients branch April 3, 2025 15:11
qbey added a commit that referenced this pull request Apr 3, 2025
Added:

- ✨(tools) extract domain from email address #2
- ✨(oidc) add the authentication backends #2
- ✨(oidc) add refresh token tools #3