Add token refresh

2025-07-12 19:08:51 +03:00
parent 9c5dcbf737
commit bfd0fba2ee
2 changed files with 31 additions and 2 deletions


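--- a/<path-not-shown-on-page>
+++ b/<path-not-shown-on-page>
@@ -111,11 +111,13 @@ spec:
 - 'https://inventory-app-72zn4.codemowers.ee/login-callback'
 grantTypes:
 - 'authorization_code'
+- 'refresh_token'
 responseTypes:
 - 'code'
 availableScopes:
 - 'openid'
 - 'profile'
+- 'offline_access'
 tokenEndpointAuthMethod: 'client_secret_basic'
 pkce: false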
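Review bot: The two new entries turn on long-lived refresh tokens for this client, but nothing in the hunk records why they are needed or how long a refresh token stays valid; a comment such as `# refresh_token grant + offline_access scope: required by the app's token refresh on a userinfo 401` next to the new lines would tie the spec to the code that depends on it. If the operator's client spec supports a refresh-token lifetime or rotation setting, it belongs here too, since no bound on the token's lifetime is visible in this hunk.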


@@ -45,6 +45,11 @@ def add_url_params(url, params):
req.prepare_url(url, params) req.prepare_url(url, params)
return req.url return req.url
def add_session_tokens(session, r):
session["access_token"] = r["access_token"]
session["id_token"] = r["id_token"]
session["refresh_token"] = r["refresh_token"]
@page_oidc.route('/login-callback') @page_oidc.route('/login-callback')
def login_callback(): def login_callback():
r = requests.post(metadata["token_endpoint"], { r = requests.post(metadata["token_endpoint"], {
@@ -59,11 +64,26 @@ def login_callback():
if not validate_id_token(r["id_token"]) or not read_user(r["access_token"]): if not validate_id_token(r["id_token"]) or not read_user(r["access_token"]):
return "tokens validation failed", 500 return "tokens validation failed", 500
session["id_token"] = r["id_token"] add_session_tokens(session, r)
session["access_token"] = r["access_token"]
print("authenticated, stored url was: " + session.get("original_url")) print("authenticated, stored url was: " + session.get("original_url"))
return redirect(session.pop("original_url", "/")) return redirect(session.pop("original_url", "/"))
def do_refresh():
print("doing refreesh")
r = requests.post(metadata["token_endpoint"], {
"client_secret": os.getenv("OIDC_CLIENT_SECRET"),
"grant_type": "refresh_token",
"refresh_token": session["refresh_token"],
"scope": os.getenv("OIDC_AVAILABLE_SCOPES").replace(",", " "),
})
if r.status_code == 200:
add_session_tokens(session, r.json())
print("token refresh success")
return True
else:
print("token refresh failed")
return False
@page_oidc.route("/logout") @page_oidc.route("/logout")
def logout(): def logout():
token = session.pop("access_token", "asdf") token = session.pop("access_token", "asdf")
@@ -87,6 +107,13 @@ def read_user(token=None):
}) })
if r.status_code == 200: if r.status_code == 200:
return r.json() return r.json()
elif r.status_code == 401 and do_refresh():
token = session.get("access_token", False)
r = requests.get(url = metadata["userinfo_endpoint"], headers = {
"Authorization": "Bearer " + token
})
if r.status_code == 200:
return r.json()
else: else:
return False return False
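Review bot: `do_refresh` (second hunk) indexes `session["refresh_token"]` and `add_session_tokens` (first hunk) indexes `r["refresh_token"]` and `r["id_token"]`, so a session created before this commit, a token response without a refresh token, or a refresh response that omits `id_token` (permitted by OIDC Core for the refresh grant) raises KeyError instead of returning False — and because `read_user` (third hunk) now calls `do_refresh` on a 401, `login_callback` on a fresh session can hit that KeyError before it has stored any refresh token at all. The refreshed tokens are also stored without the `validate_id_token` check that `login_callback` applies, so a refreshed `id_token` is never verified. In the third hunk, when the retried userinfo call is not 200 the function falls off the end and returns None rather than the `False` of the `else` branch; add `return False` after the retry's `if`. The refresh token is a long-lived credential now kept in `session`; if this is Flask's default client-side cookie session, a server-side session store is the safer home for it, and `logout` (its body continues outside the hunk) should pop it as well. A suggested rewrite of the two helpers follows.
```python
def add_session_tokens(session, r):
    """Store tokens from a token-endpoint response; keep the existing id/refresh token when the response omits them."""
    session["access_token"] = r["access_token"]
    if "id_token" in r:
        session["id_token"] = r["id_token"]
    if "refresh_token" in r:
        session["refresh_token"] = r["refresh_token"]


def do_refresh():
    """Exchange the stored refresh token for new tokens; return True on success, False otherwise (never raises on a missing token)."""
    refresh_token = session.get("refresh_token")
    if not refresh_token:
        return False
    # NOTE(review): assumes the token endpoint accepts client_secret in the body the same way login_callback sends it — confirm against tokenEndpointAuthMethod
    r = requests.post(metadata["token_endpoint"], {
        "client_secret": os.getenv("OIDC_CLIENT_SECRET"),
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": os.getenv("OIDC_AVAILABLE_SCOPES").replace(",", " "),
    })
    if r.status_code != 200:
        return False
    tokens = r.json()
    # a refreshed id_token must pass the same check login_callback applies
    if "id_token" in tokens and not validate_id_token(tokens["id_token"]):
        return False
    add_session_tokens(session, tokens)
    return True
```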