Add token refresh

2025-07-12 19:08:51 +03:00
parent 9c5dcbf737
commit bfd0fba2ee
2 changed files with 31 additions and 2 deletions
--- a/deployment.yaml
+++ b/deployment.yaml
@@ -111,11 +111,13 @@ spec:
    - 'https://inventory-app-72zn4.codemowers.ee/login-callback'
  grantTypes:
    - 'authorization_code'
+    - 'refresh_token'
  responseTypes:
    - 'code'
  availableScopes:
    - 'openid'
    - 'profile'
+    - 'offline_access'
  tokenEndpointAuthMethod: 'client_secret_basic'
  pkce: false

--- a/inventory-app/oidc.py
+++ b/inventory-app/oidc.py
@@ -45,6 +45,11 @@ def add_url_params(url, params):
    req.prepare_url(url, params)
    return req.url

+def add_session_tokens(session, r):
+    session["access_token"] = r["access_token"]
+    session["id_token"] = r["id_token"]
+    session["refresh_token"] = r["refresh_token"]
+
@page_oidc.route('/login-callback')
 def login_callback():
    r = requests.post(metadata["token_endpoint"], {
@@ -59,11 +64,26 @@ def login_callback():
    if not validate_id_token(r["id_token"]) or not read_user(r["access_token"]):
        return "tokens validation failed", 500
    
-    session["id_token"] = r["id_token"]
-    session["access_token"] = r["access_token"]
+    add_session_tokens(session, r)
    print("authenticated, stored url was: " + session.get("original_url"))
    return redirect(session.pop("original_url", "/"))

+def do_refresh():
+    print("doing refreesh")
+    r = requests.post(metadata["token_endpoint"], {
+        "client_secret": os.getenv("OIDC_CLIENT_SECRET"),
+        "grant_type": "refresh_token",
+        "refresh_token": session["refresh_token"],
+        "scope": os.getenv("OIDC_AVAILABLE_SCOPES").replace(",", " "),
+    })
+    if r.status_code == 200:
+        add_session_tokens(session, r.json())
+        print("token refresh success")
+        return True
+    else:
+        print("token refresh failed")
+        return False
+
@page_oidc.route("/logout")
 def logout():
    token = session.pop("access_token", "asdf")
@@ -87,6 +107,13 @@ def read_user(token=None):
    })
    if r.status_code == 200:
        return r.json()
+    elif r.status_code == 401 and do_refresh():
+       token = session.get("access_token", False)
+       r = requests.get(url = metadata["userinfo_endpoint"], headers = {
+           "Authorization": "Bearer " + token
+       })
+       if r.status_code == 200:
+           return r.json()
    else:
        return False