Added middleware to refresh access tokens

Author: daggaz

django_auth_adfs/backend.py

@@ -1,11 +1,13 @@
 import logging
+from datetime import datetime, timedelta
 
 import jwt
-from django.contrib.auth import get_user_model
+from django.contrib.auth import get_user_model, logout
 from django.contrib.auth.backends import ModelBackend
 from django.contrib.auth.models import Group
 from django.core.exceptions import (ImproperlyConfigured, ObjectDoesNotExist,
                                     PermissionDenied)
+from requests import HTTPError
 
 from django_auth_adfs import signals
 from django_auth_adfs.config import provider_config, settings
@@ -398,10 +400,38 @@ def authenticate(self, request=None, authorization_code=None, **kwargs):
         provider_config.load_config()
 
         adfs_response = self.exchange_auth_code(authorization_code, request)
-        access_token = adfs_response["access_token"]
-        user = self.process_access_token(access_token, adfs_response)
+        user = self._process_adfs_response(request, adfs_response)
         return user
 
+    def _process_adfs_response(self, request, adfs_response):
+        user = self.process_access_token(adfs_response['access_token'], adfs_response)
+        request.session['adfs_access_token'] = adfs_response['access_token']
+        expiry = datetime.now() + timedelta(seconds=adfs_response['expires_in'])
+        request.session['adfs_token_expiry'] = expiry.isoformat()
+        if 'refresh_token' in adfs_response:
+            request.session['adfs_refresh_token'] = adfs_response['refresh_token']
+        request.session.save()
+        return user
+
+    def process_request(self, request):
+        now = datetime.now() + settings.REFRESH_THRESHOLD
+        expiry = datetime.fromisoformat(request.session['adfs_token_expiry'])
+        if now > expiry:
+            try:
+                self._refresh_access_token(request, request.session['adfs_refresh_token'])
+            except (PermissionDenied, HTTPError):
+                logout(request)
+
+    def _refresh_access_token(self, request, refresh_token):
+        provider_config.load_config()
+        response = provider_config.session.post(
+            provider_config.token_endpoint,
+            data=f'grant_type=refresh_token&refresh_token={refresh_token}'
+        )
+        response.raise_for_status()
+        adfs_response = response.json()
+        self._process_adfs_response(request, adfs_response)
+
 
 class AdfsAccessTokenBackend(AdfsBaseBackend):
     """

django_auth_adfs/config.py

@@ -72,6 +72,7 @@ def __init__(self):
         self.USERNAME_CLAIM = "winaccountname"
         self.GUEST_USERNAME_CLAIM = None
         self.JWT_LEEWAY = 0
+        self.REFRESH_THRESHOLD = timedelta(minutes=5)
         self.CUSTOM_FAILED_RESPONSE_VIEW = lambda request, error_message, status: render(
             request, 'django_auth_adfs/login_failed.html', {'error_message': error_message}, status=status
         )

django_auth_adfs/middleware.py

@@ -4,9 +4,11 @@
 from re import compile
 
 from django.conf import settings as django_settings
+from django.contrib import auth
 from django.contrib.auth.views import redirect_to_login
 from django.urls import reverse
 
+from django_auth_adfs.backend import AdfsAuthCodeBackend
 from django_auth_adfs.exceptions import MFARequired
 from django_auth_adfs.config import settings
 
@@ -49,3 +51,17 @@ def __call__(self, request):
                     return redirect_to_login('django_auth_adfs:login-force-mfa')
 
         return self.get_response(request)
+
+
+def adfs_refresh_middleware(get_response):
+    def middleware(request):
+        try:
+            backend_str = request.session[auth.BACKEND_SESSION_KEY]
+        except KeyError:
+            pass
+        else:
+            backend = auth.load_backend(backend_str)
+            if isinstance(backend, AdfsAuthCodeBackend):
+                backend.process_request(request)
+        return get_response()
+    return middleware