Added middleware to refresh access tokens

Author: daggaz

django_auth_adfs/backend.py

@@ -1,11 +1,13 @@
 import logging
+from datetime import datetime, timedelta
 
 import jwt
-from django.contrib.auth import get_user_model
+from django.contrib.auth import get_user_model, logout
 from django.contrib.auth.backends import ModelBackend
 from django.contrib.auth.models import Group
 from django.core.exceptions import (ImproperlyConfigured, ObjectDoesNotExist,
                                     PermissionDenied)
+from requests import HTTPError
 
 from django_auth_adfs import signals
 from django_auth_adfs.config import provider_config, settings
@@ -398,10 +400,38 @@ def authenticate(self, request=None, authorization_code=None, **kwargs):
         provider_config.load_config()
 
         adfs_response = self.exchange_auth_code(authorization_code, request)
-        access_token = adfs_response["access_token"]
-        user = self.process_access_token(access_token, adfs_response)
+        user = self._process_adfs_response(request, adfs_response)
         return user
 
+    def _process_adfs_response(self, request, adfs_response):
+        user = self.process_access_token(adfs_response['access_token'], adfs_response)
+        request.session['adfs_access_token'] = adfs_response['access_token']
+        expiry = datetime.now() + timedelta(seconds=adfs_response['expires_in'])
+        request.session['adfs_token_expiry'] = expiry.isoformat()
+        if 'refresh_token' in adfs_response:
+            request.session['adfs_refresh_token'] = adfs_response['refresh_token']
+        request.session.save()
+        return user
+
+    def process_request(self, request):
+        now = datetime.now() + settings.REFRESH_THRESHOLD
+        expiry = datetime.fromisoformat(request.session['adfs_token_expiry'])
+        if now > expiry:
+            try:
+                self._refresh_access_token(request, request.session['adfs_refresh_token'])
+            except (PermissionDenied, HTTPError):
+                logout(request)
+
+    def _refresh_access_token(self, request, refresh_token):
+        provider_config.load_config()
+        response = provider_config.session.post(
+            provider_config.token_endpoint,
+            data=f'grant_type=refresh_token&refresh_token={refresh_token}'
+        )
+        response.raise_for_status()
+        adfs_response = response.json()
+        self._process_adfs_response(request, adfs_response)
+
 
 class AdfsAccessTokenBackend(AdfsBaseBackend):
     """

django_auth_adfs/config.py

@@ -72,6 +72,7 @@ def __init__(self):
         self.USERNAME_CLAIM = "winaccountname"
         self.GUEST_USERNAME_CLAIM = None
         self.JWT_LEEWAY = 0
+        self.REFRESH_THRESHOLD = timedelta(minutes=5)
         self.CUSTOM_FAILED_RESPONSE_VIEW = lambda request, error_message, status: render(
             request, 'django_auth_adfs/login_failed.html', {'error_message': error_message}, status=status
         )

django_auth_adfs/middleware.py

@@ -4,9 +4,11 @@
 from re import compile
 
 from django.conf import settings as django_settings
+from django.contrib import auth
 from django.contrib.auth.views import redirect_to_login
 from django.urls import reverse
 
+from django_auth_adfs.backend import AdfsAuthCodeBackend
 from django_auth_adfs.exceptions import MFARequired
 from django_auth_adfs.config import settings
 
@@ -49,3 +51,17 @@ def __call__(self, request):
                     return redirect_to_login('django_auth_adfs:login-force-mfa')
 
         return self.get_response(request)
+
+
+def adfs_refresh_middleware(get_response):
+    def middleware(request):
+        try:
+            backend_str = request.session[auth.BACKEND_SESSION_KEY]
+        except KeyError:
+            pass
+        else:
+            backend = auth.load_backend(backend_str)
+            if isinstance(backend, AdfsAuthCodeBackend):
+                backend.process_request(request)
+        return get_response()
+    return middleware

tests/test_authentication.py

@@ -1,5 +1,7 @@
 import base64
 
+from django.urls import reverse
+
 from django_auth_adfs.exceptions import MFARequired
 
 try:
@@ -16,7 +18,6 @@
 from mock import Mock, patch
 
 from django_auth_adfs import signals
-from django_auth_adfs.backend import AdfsAuthCodeBackend
 from django_auth_adfs.config import ProviderConfig, Settings
 
 from .models import Profile
@@ -34,14 +35,13 @@ def setUp(self):
 
     @mock_adfs("2012")
     def test_post_authenticate_signal_send(self):
-        backend = AdfsAuthCodeBackend()
-        backend.authenticate(self.request, authorization_code="dummycode")
+        response = self.client.get(reverse('django_auth_adfs:callback'), data={'code': "dummycode"})
         self.assertEqual(self.signal_handler.call_count, 1)
 
     @mock_adfs("2012")
     def test_with_auth_code_2012(self):
-        backend = AdfsAuthCodeBackend()
-        user = backend.authenticate(self.request, authorization_code="dummycode")
+        response = self.client.get(reverse('django_auth_adfs:callback'), data={'code': "dummycode"})
+        user = response.wsgi_request.user
         self.assertIsInstance(user, User)
         self.assertEqual(user.first_name, "John")
         self.assertEqual(user.last_name, "Doe")
@@ -52,8 +52,8 @@ def test_with_auth_code_2012(self):
 
     @mock_adfs("2016")
     def test_with_auth_code_2016(self):
-        backend = AdfsAuthCodeBackend()
-        user = backend.authenticate(self.request, authorization_code="dummycode")
+        response = self.client.get(reverse('django_auth_adfs:callback'), data={'code': "dummycode"})
+        user = response.wsgi_request.user
         self.assertIsInstance(user, User)
         self.assertEqual(user.first_name, "John")
         self.assertEqual(user.last_name, "Doe")
@@ -64,9 +64,15 @@ def test_with_auth_code_2016(self):
 
     @mock_adfs("2016", mfa_error=True)
     def test_mfa_error_backends(self):
-        with self.assertRaises(MFARequired):
-            backend = AdfsAuthCodeBackend()
-            backend.authenticate(self.request, authorization_code="dummycode")
+        response = self.client.get(reverse('django_auth_adfs:callback'), data={'code': "dummycode"})
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(
+            response['Location'],
+            "https://adfs.example.com/adfs/oauth2/authorize/?response_type=code&"
+            "client_id=your-configured-client-id&resource=your-adfs-RPT-name&"
+            "redirect_uri=http%3A%2F%2Ftestserver%2Foauth2%2Fcallback&state=Lw%3D%3D&scope=openid&"
+            "amr_values=ngcmfa"
+        )
 
     @mock_adfs("azure")
     def test_with_auth_code_azure(self):
@@ -77,8 +83,8 @@ def test_with_auth_code_azure(self):
         with patch("django_auth_adfs.config.django_settings", settings):
             with patch("django_auth_adfs.config.settings", Settings()):
                 with patch("django_auth_adfs.backend.provider_config", ProviderConfig()):
-                    backend = AdfsAuthCodeBackend()
-                    user = backend.authenticate(self.request, authorization_code="dummycode")
+                    response = self.client.get(reverse('django_auth_adfs:callback'), data={'code': "dummycode"})
+                    user = response.wsgi_request.user
                     self.assertIsInstance(user, User)
                     self.assertEqual(user.first_name, "John")
                     self.assertEqual(user.last_name, "Doe")
@@ -100,9 +106,8 @@ def test_with_auth_code_azure_guest_block(self):
             with patch('django_auth_adfs.backend.settings', Settings()):
                 with patch("django_auth_adfs.config.settings", Settings()):
                     with patch("django_auth_adfs.backend.provider_config", ProviderConfig()):
-                        with self.assertRaises(PermissionDenied, msg=''):
-                            backend = AdfsAuthCodeBackend()
-                            _ = backend.authenticate(self.request, authorization_code="dummycode")
+                        response = self.client.get(reverse('django_auth_adfs:callback'), data={'code': "dummycode"})
+                        self.assertEqual(response.status_code, 401)
 
     @mock_adfs("azure", guest=True)
     def test_with_auth_code_azure_guest_no_block(self):
@@ -117,8 +122,8 @@ def test_with_auth_code_azure_guest_no_block(self):
             with patch('django_auth_adfs.backend.settings', Settings()):
                 with patch("django_auth_adfs.config.settings", Settings()):
                     with patch("django_auth_adfs.backend.provider_config", ProviderConfig()):
-                        backend = AdfsAuthCodeBackend()
-                        user = backend.authenticate(self.request, authorization_code="dummycode")
+                        response = self.client.get(reverse('django_auth_adfs:callback'), data={'code': "dummycode"})
+                        user = response.wsgi_request.user
                         self.assertIsInstance(user, User)
                         self.assertEqual(user.first_name, "John")
                         self.assertEqual(user.last_name, "Doe")
@@ -139,8 +144,8 @@ def test_version_two_endpoint_calls_correct_url(self):
             with patch('django_auth_adfs.backend.settings', Settings()):
                 with patch("django_auth_adfs.config.settings", Settings()):
                     with patch("django_auth_adfs.backend.provider_config", ProviderConfig()):
-                        backend = AdfsAuthCodeBackend()
-                        user = backend.authenticate(self.request, authorization_code="dummycode")
+                        response = self.client.get(reverse('django_auth_adfs:callback'), data={'code': "dummycode"})
+                        user = response.wsgi_request.user
                         self.assertIsInstance(user, User)
                         self.assertEqual(user.first_name, "John")
                         self.assertEqual(user.last_name, "Doe")
@@ -151,14 +156,15 @@ def test_version_two_endpoint_calls_correct_url(self):
 
     @mock_adfs("2016")
     def test_empty(self):
-        backend = AdfsAuthCodeBackend()
-        self.assertIsNone(backend.authenticate(self.request))
+        response = self.client.get(reverse('django_auth_adfs:callback'))
+        user = response.wsgi_request.user
+        self.assertTrue(user.is_anonymous)
 
     @mock_adfs("2016")
     def test_group_claim(self):
-        backend = AdfsAuthCodeBackend()
         with patch("django_auth_adfs.backend.settings.GROUPS_CLAIM", "nonexisting"):
-            user = backend.authenticate(self.request, authorization_code="dummycode")
+            response = self.client.get(reverse('django_auth_adfs:callback'), data={'code': "dummycode"})
+            user = response.wsgi_request.user
             self.assertIsInstance(user, User)
             self.assertEqual(user.first_name, "John")
             self.assertEqual(user.last_name, "Doe")
@@ -167,9 +173,9 @@ def test_group_claim(self):
 
     @mock_adfs("2016")
     def test_no_group_claim(self):
-        backend = AdfsAuthCodeBackend()
         with patch("django_auth_adfs.backend.settings.GROUPS_CLAIM", None):
-            user = backend.authenticate(self.request, authorization_code="dummycode")
+            response = self.client.get(reverse('django_auth_adfs:callback'), data={'code': "dummycode"})
+            user = response.wsgi_request.user
             self.assertIsInstance(user, User)
             self.assertEqual(user.first_name, "John")
             self.assertEqual(user.last_name, "Doe")
@@ -181,9 +187,9 @@ def test_group_claim_with_mirror_groups(self):
         # Remove one group
         Group.objects.filter(name="group1").delete()
 
-        backend = AdfsAuthCodeBackend()
         with patch("django_auth_adfs.backend.settings.MIRROR_GROUPS", True):
-            user = backend.authenticate(self.request, authorization_code="dummycode")
+            response = self.client.get(reverse('django_auth_adfs:callback'), data={'code': "dummycode"})
+            user = response.wsgi_request.user
             self.assertIsInstance(user, User)
             self.assertEqual(user.first_name, "John")
             self.assertEqual(user.last_name, "Doe")
@@ -197,9 +203,9 @@ def test_group_claim_without_mirror_groups(self):
         # Remove one group
         Group.objects.filter(name="group1").delete()
 
-        backend = AdfsAuthCodeBackend()
         with patch("django_auth_adfs.backend.settings.MIRROR_GROUPS", False):
-            user = backend.authenticate(self.request, authorization_code="dummycode")
+            response = self.client.get(reverse('django_auth_adfs:callback'), data={'code': "dummycode"})
+            user = response.wsgi_request.user
             self.assertIsInstance(user, User)
             self.assertEqual(user.first_name, "John")
             self.assertEqual(user.last_name, "Doe")
@@ -210,9 +216,9 @@ def test_group_claim_without_mirror_groups(self):
 
     @mock_adfs("2016", empty_keys=True)
     def test_empty_keys(self):
-        backend = AdfsAuthCodeBackend()
         with patch("django_auth_adfs.config.provider_config.signing_keys", []):
-            self.assertRaises(PermissionDenied, backend.authenticate, self.request, authorization_code='testcode')
+            response = self.client.get(reverse('django_auth_adfs:callback'), data={'code': "testcode"})
+            self.assertEqual(response.status_code, 401)
 
     @mock_adfs("2016")
     def test_group_removal(self):
@@ -227,9 +233,8 @@ def test_group_removal(self):
         self.assertEqual(user.groups.all()[0].name, "group3")
         self.assertEqual(len(user.groups.all()), 1)
 
-        backend = AdfsAuthCodeBackend()
-
-        user = backend.authenticate(self.request, authorization_code="dummycode")
+        response = self.client.get(reverse('django_auth_adfs:callback'), data={'code': "dummycode"})
+        user = response.wsgi_request.user
         self.assertIsInstance(user, User)
         self.assertEqual(user.first_name, "John")
         self.assertEqual(user.last_name, "Doe")
@@ -253,9 +258,8 @@ def test_group_removal_overlap(self):
         self.assertEqual(user.groups.all()[1].name, "group3")
         self.assertEqual(len(user.groups.all()), 2)
 
-        backend = AdfsAuthCodeBackend()
-
-        user = backend.authenticate(self.request, authorization_code="dummycode")
+        response = self.client.get(reverse('django_auth_adfs:callback'), data={'code': "dummycode"})
+        user = response.wsgi_request.user
         self.assertIsInstance(user, User)
         self.assertEqual(user.first_name, "John")
         self.assertEqual(user.last_name, "Doe")
@@ -272,9 +276,8 @@ def test_group_to_flag_mapping(self):
         }
         with patch("django_auth_adfs.backend.settings.GROUP_TO_FLAG_MAPPING", group_to_flag_mapping):
             with patch("django_auth_adfs.backend.settings.BOOLEAN_CLAIM_MAPPING", {}):
-                backend = AdfsAuthCodeBackend()
-
-                user = backend.authenticate(self.request, authorization_code="dummycode")
+                response = self.client.get(reverse('django_auth_adfs:callback'), data={'code': "dummycode"})
+                user = response.wsgi_request.user
                 self.assertIsInstance(user, User)
                 self.assertEqual(user.first_name, "John")
                 self.assertEqual(user.last_name, "Doe")
@@ -289,9 +292,8 @@ def test_boolean_claim_mapping(self):
             "is_superuser": "user_is_superuser",
         }
         with patch("django_auth_adfs.backend.settings.BOOLEAN_CLAIM_MAPPING", boolean_claim_mapping):
-            backend = AdfsAuthCodeBackend()
-
-            user = backend.authenticate(self.request, authorization_code="dummycode")
+            response = self.client.get(reverse('django_auth_adfs:callback'), data={'code': "dummycode"})
+            user = response.wsgi_request.user
             self.assertIsInstance(user, User)
             self.assertEqual(user.first_name, "John")
             self.assertEqual(user.last_name, "Doe")
@@ -312,9 +314,8 @@ def test_extended_model_claim_mapping_missing_instance(self):
             },
         }
         with patch("django_auth_adfs.backend.settings.CLAIM_MAPPING", claim_mapping):
-            backend = AdfsAuthCodeBackend()
-
-            user = backend.authenticate(self.request, authorization_code="dummycode")
+            response = self.client.get(reverse('django_auth_adfs:callback'), data={'code': "dummycode"})
+            user = response.wsgi_request.user
             self.assertIsInstance(user, User)
             self.assertEqual(user.first_name, "John")
             self.assertEqual(user.last_name, "Doe")
@@ -340,9 +341,8 @@ def create_profile(sender, instance, created, **kwargs):
             },
         }
         with patch("django_auth_adfs.backend.settings.CLAIM_MAPPING", claim_mapping):
-            backend = AdfsAuthCodeBackend()
-
-            user = backend.authenticate(self.request, authorization_code="dummycode")
+            response = self.client.get(reverse('django_auth_adfs:callback'), data={'code': "dummycode"})
+            user = response.wsgi_request.user
             self.assertIsInstance(user, User)
             self.assertEqual(user.first_name, "John")
             self.assertEqual(user.last_name, "Doe")
@@ -493,5 +493,5 @@ def test_nonexisting_user(self):
         settings.AUTH_ADFS["CREATE_NEW_USERS"] = False
         with patch("django_auth_adfs.config.django_settings", settings),\
                 patch("django_auth_adfs.backend.settings", Settings()):
-            backend = AdfsAuthCodeBackend()
-            self.assertRaises(PermissionDenied, backend.authenticate, self.request, authorization_code='testcode')
+            response = self.client.get(reverse('django_auth_adfs:callback'), data={'code': "testcode"})
+            self.assertEqual(response.status_code, 401)