Skip to content

fix login when refresh token is expired #59

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Amoki merged 3 commits into from
Jun 9, 2021
Merged

fix login when refresh token is expired #59

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
d74b5b0
fix login when refresh token is expired
Amoki Jun 9, 2021
1abc4ae
add ability to force an identity provider
Amoki Jun 9, 2021
eaa0d90
remove console.debug
Amoki Jun 9, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .env.example
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ VUE_APP_VIEWER_BASE_URL=https://viewer-staging.bimdata.io
VUE_APP_OIDC_CLIENT_ID=<YOUR CLIENT ID>
VUE_APP_MAPBOX_TOKEN=pk.eyJ1IjoiYmltZGF0YSIsImEiOiJjanRrM3ljcW8yeHB1NGFwODNjZGY1czd2In0.EvPADmXo97ZLl4A_7vs59A
VUE_APP_MAX_UPLOAD_SIZE=1000000
VUE_APP_AUTHORIZED_IDENTITY_PROVIDERS=bimdataconnect

# External pages
VUE_APP_URL_BIMDATACONNECT=https://connect-staging.bimdata.io
Expand Down
6 changes: 5 additions & 1 deletion src/config/oidcConfig.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ const APP_BASE_URL = process.env.VUE_APP_BASE_URL;
const AUTHORITY = `${process.env.VUE_APP_IAM_BASE_URL}/auth/realms/bimdata`;
const OIDC_ENDPOINT = `${AUTHORITY}/protocol/openid-connect`;
const CLIENT_ID = process.env.VUE_APP_OIDC_CLIENT_ID;
const AUTHORIZED_IDENTITY_PROVIDERS = process.env.VUE_APP_AUTHORIZED_IDENTITY_PROVIDERS;

export const oidcConfig = {
// Auth request config
Expand Down Expand Up @@ -37,5 +38,8 @@ export const oidcConfig = {
userinfo_endpoint: `${OIDC_ENDPOINT}/userinfo`,
end_session_endpoint: `${OIDC_ENDPOINT}/logout`,
jwks_uri: `${OIDC_ENDPOINT}/certs`
}
},

// Limit authorized identity providers
authorizedIdentityProviders: AUTHORIZED_IDENTITY_PROVIDERS ? AUTHORIZED_IDENTITY_PROVIDERS.split(',') : [],
};
45 changes: 44 additions & 1 deletion src/server/AuthService.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,11 +1,54 @@
import { UserManager, WebStorageStateStore } from "oidc-client";
import { User, UserManager, WebStorageStateStore } from "oidc-client";
import { oidcConfig } from "@/config/oidcConfig";

const userManager = new UserManager({
...oidcConfig,
userStore: new WebStorageStateStore({ store: window.localStorage })
});

/*
Monkey patch oidcUserManager to hijack login with force logout
*/
async function signinEndWithForcedLogout (url, args = {}) {
const signinResponse = await this.processSigninResponse(url);
const authorizedIdentityProviders = oidcConfig.authorizedIdentityProviders;
if (authorizedIdentityProviders.length) {
const identityProvider = signinResponse.profile.preferred_username.split('.')[0];
if (!authorizedIdentityProviders.includes(identityProvider)) {
const params = new URLSearchParams({
post_logout_redirect_uri: oidcConfig.post_logout_redirect_uri,
id_token_hint: signinResponse.id_token,
initiating_idp: identityProvider,
});
const redirectUrl = oidcConfig.metadata.end_session_endpoint + '?' + params.toString();
window.location.replace(redirectUrl);
await new Promise((resolve, reject) => {
// Wait for window.location.replace to trigger
setTimeout(resolve, 5000);
});
}
}

const user = new User(signinResponse)

if (args.current_sub) {
if (args.current_sub !== user.profile.sub) {
console.debug('UserManager._signinEnd: current user does not match user returned from signin. sub from signin: ', user.profile.sub)
throw new Error('login_required')
} else {
console.debug('UserManager._signinEnd: current user matches user returned from signin')
}
}
await this.storeUser(user)
console.debug('UserManager._signinEnd: user stored')

this._events.load(user)
return user
}
signinEndWithForcedLogout.bind(userManager)

userManager._signinEnd = signinEndWithForcedLogout

class AuthServive {
getUser() {
return userManager.getUser();
Expand Down
30 changes: 30 additions & 0 deletions src/state/auth.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,32 @@ import { reactive, readonly, toRefs, watchEffect } from "vue";
import apiClient from "@/server/api-client";
import AuthService from "@/server/AuthService";

const parseJwt = (token) => {
try {
const base64Url = token.split('.')[1];
const base64 = base64Url.replace('-', '+').replace('_', '/');
return JSON.parse(window.atob(base64));
} catch (error) {
return {};
}
}

const tokenExp = (token) => {
if (token) {
const parsed = parseJwt(token);
return parsed.exp ? parsed.exp * 1000 : null;
}
return null;
}

const tokenIsExpired = (token) => {
const tokenExpiryTime = tokenExp(token);
if (tokenExpiryTime) {
return tokenExpiryTime < new Date().getTime();
}
return false;
}

const state = reactive({
isAuthenticated: false,
accessToken: null
Expand All @@ -15,6 +41,10 @@ const authenticate = async redirectPath => {
}
if (!state.isAuthenticated) {
if (user.expired) {
if (tokenIsExpired(user.refresh_token)) {
await AuthService.signIn(redirectPath);
return;
}
// Refresh access token silently
user = await AuthService.signInSilent();
}
Expand Down