Access token and refresh token support pac4j


kunal sumbly

Feb 15, 2019, 12:56:41 AM
to Pac4j users mailing list
Hi, I am new to pac4j and so far whatever examples I have seen make pac4j a perfect fit for my use case. I wanted to know if a simple OIDC client can have access to the access token and refresh token; I am assuming they would be stored from the server response in the profile object. Now on top of this, do we also support the logic where, if the access token has expired, the framework magically uses the refresh token to get a new access token? Please correct me if I have misunderstood anything.

Thanks,
Kunal

Jérôme LELEU

Feb 15, 2019, 3:33:11 AM
to kunal sumbly, Pac4j users mailing list
Hi,

Yes, they are available in the OidcProfile.
Thanks.
Best regards,
Jérôme



kunal sumbly

Feb 16, 2019, 8:03:54 AM
to Pac4j users mailing list
Hi Jerome,
Thanks for your timely reply; it indeed helps. BTW I was looking at other clients as well and I found that org.pac4j.oidc.client.AzureAdClient.getAccessTokenFromRefreshToken(AzureAdProfile) is already there, which actually gets the access token from the refresh token via the OIDC server token endpoint. But my question now is: should this method/function not be made generic and moved to the parent class, i.e. OidcClient, so that it becomes available for other clients as well? Am I missing something here?

Thanks in advance for your reply.

Jérôme LELEU

Feb 18, 2019, 6:04:21 AM
to kunal sumbly, Pac4j users mailing list
Hi,

The refresh token flow is part of the OAuth 2 spec: I'm not sure it is implemented by all OIDC providers.
Thanks.
Best regards,
Jérôme

kunal sumbly

Feb 19, 2019, 12:40:29 AM
to Pac4j users mailing list
Thanks for your reply, Jerome. I thought that since OpenID is built on top of OAuth 2.0, it should be supported by all OIDC providers. But I am afraid I don't know much about this, so will close it here :-)
On the other hand, I am not sure how I get access to the OidcProfile object from my request. From my security filter, DefaultSecurityLogic is getting triggered and I have access to the UserProfile object in there, but I am not sure how to get a handle on the OidcProfile object so that I can get my access token and refresh token in my security filter. I know that for the normal flow, the access token and refresh token are returned in the callback filter, which are then saved to the user profile in the session. Now in my scenario, I am trying to use the security filter as the default filter for all the requests, i.e. WebFilter(/*), and am trying to handle the access token expiry logic in there itself. Hence I need the handle to my tokens in there. Am I doing something wrong?

My use case:

Scenario 1 (Non OIDC users)

Web request --> Security filter (Does nothing) --> Normal Login

Scenario 2 (OIDC users)

Web request --> Security filter ( OIDC auth) --> success --> Normal Login

Scenario 3 (OIDC users)

Web request --> Security filter ( already authenticated, check whether access token has expired and if yes use the refresh token logic to get a new access token and save it in the profile ) --> success --> Normal Login

Jérôme LELEU

Feb 19, 2019, 3:09:53 AM
to kunal sumbly, Pac4j users mailing list
Hi,

The ProfileManager is responsible for storing and retrieving the user profiles. The OidcProfile is meant to expire when the ID token is expired: https://github.com/pac4j/pac4j/blob/3.6.x/pac4j-oidc/src/main/java/org/pac4j/oidc/profile/OidcProfile.java#L151

You should customize the ProfileDefinition to return a specific profile which also checks the access token expiration.

Thanks.
Best regards,
Jérôme

kunal sumbly

Feb 19, 2019, 3:14:36 AM
to Pac4j users mailing list
Ah, I missed that UserProfile is actually an OidcProfile and all it needs is a simple cast. Sorry for the long post :-)

I want to re-use AzureAdClient.getAccessTokenFromRefreshToken(AzureAdProfile) for Google OpenID Connect; not sure if that will work. From what I understand, I will need to call the OAuth token URL https://oauth2.googleapis.com/token and pass it some headers, and then hopefully some magic will happen and I will get back a new access token in the JSON response. All I need to do is parse the response, get the new access token back and set the new access token back into my session OidcProfile object. But wait, I will also need to update the access token expiry time; any idea what other attributes I will need to update?

kunal sumbly

Feb 21, 2019, 3:01:11 AM
to Pac4j users mailing list
Hi Jerome,
I am not able to find a clean way of updating the old user profile after renewing my access token and hitting the remote user info endpoint. I am currently checking the access token expiry by myself, since OidcProfile.isExpired() checks the expiry of the ID token, which is not my use case. And as such I am manually calling the token endpoint as well to renew my access token without using pac4j. So my question is: is there a way in the framework itself, which I am currently missing, to do all this logic of renewing the access token and then refreshing the user profile, since access token expiry means I will need to renew my user profile again?

Thanks,
Kunal

Jérôme LELEU

Feb 21, 2019, 1:48:30 PM
to kunal sumbly, Pac4j users mailing list
Hi,

You should use the ProfileManager to save the updated profile.
Thanks.
Best regards,
Jérôme
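The approach the thread converges on (scenario 3: cast the session profile to OidcProfile, check the access token expiry yourself, run the refresh-token grant against the provider's token endpoint, then save the updated profile through the ProfileManager), as an added example that is not part of the thread or of pac4j's own code. It assumes pac4j 3.x with the Nimbus OAuth2/OIDC SDK it depends on, an initialised OidcConfiguration, and that the profile's expiration attribute was populated at login; the class name, the clock skew and the error handling are choices made here.

```java
// Added example (not from the thread or from pac4j): renew an expired OIDC access token
// with the refresh token and persist the updated OidcProfile via the ProfileManager.
import java.util.Date;
import java.util.Optional;
import com.nimbusds.oauth2.sdk.RefreshTokenGrant;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.TokenResponse;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.oauth2.sdk.token.RefreshToken;
import com.nimbusds.oauth2.sdk.token.Tokens;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.profile.ProfileManager;
import org.pac4j.oidc.config.OidcConfiguration;
import org.pac4j.oidc.profile.OidcProfile;

public class AccessTokenRenewer {                        // hypothetical helper, called from the security filter
    private static final long SKEW_MS = 30_000;          // renew a little before the real expiry
    private final OidcConfiguration config;              // assumed already initialised (client init ran)

    public AccessTokenRenewer(final OidcConfiguration config) { this.config = config; }

    public void renewIfExpired(final WebContext context) throws Exception {
        final ProfileManager<OidcProfile> manager = new ProfileManager<>(context);
        final Optional<OidcProfile> current = manager.get(true);
        if (!current.isPresent()) return;                // scenario 1: no OIDC session, nothing to do
        final OidcProfile profile = current.get();       // the session UserProfile really is an OidcProfile
        final Date expiration = profile.getExpiration(); // access token expiry, not OidcProfile.isExpired() (ID token)
        if (expiration == null || expiration.getTime() - SKEW_MS > System.currentTimeMillis()) return;
        final RefreshToken refresh = profile.getRefreshToken();
        if (refresh == null) return;                     // provider issued no refresh token: cannot renew silently

        // Refresh-token grant (RFC 6749 section 6) against the provider's token endpoint, client-authenticated.
        final TokenRequest request = new TokenRequest(
            config.getProviderMetadata().getTokenEndpointURI(),
            new ClientSecretBasic(new ClientID(config.getClientId()), new Secret(config.getSecret())),
            new RefreshTokenGrant(refresh));
        final TokenResponse response = TokenResponse.parse(request.toHTTPRequest().send());
        if (!response.indicatesSuccess()) {              // e.g. refresh token revoked: force a new login instead
            throw new IllegalStateException("token refresh failed: " + response.toErrorResponse().getErrorObject());
        }
        final Tokens tokens = response.toSuccessResponse().getTokens();
        final BearerAccessToken accessToken = tokens.getBearerAccessToken();
        profile.setAccessToken(accessToken);
        if (tokens.getRefreshToken() != null) profile.setRefreshToken(tokens.getRefreshToken()); // rotated refresh token
        if (accessToken.getLifetime() > 0) {             // expires_in from the token response, if the provider sends it
            profile.setExpiration(new Date(System.currentTimeMillis() + accessToken.getLifetime() * 1000));
        }
        manager.save(true, profile, false);              // write the updated profile back to the session
    }
}
```

If you also re-fetch the user info endpoint after renewal, copy the refreshed attributes onto the same profile instance before the save call, so the session holds a single up-to-date profile.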

