jooby-pac4j oidc: never renew profile?

[tkarlinski]

Hello,

I'm having an issue with renewing the profile after has expired (for OIDC flow).

The problem arises because the profile is cleared every time in the ProfileManager, as the class has not set the config. Consequently, the profile is never renewed.

Take a look at the code:
In Pac4JModule the current user is set as follows:

application.setCurrentUser(new Pac4jCurrentUser());

The current user class has the following method:

  public Object apply(Context ctx) {
    Pac4jContext pac4jContext = Pac4jContext.create(ctx);
    ProfileManager pm = new ProfileManager(pac4jContext, pac4jContext.getSessionStore());
    return pm.getProfile().orElse(null);
  }

Here, we have an initialized ProfileManager without a config. The config should probably be set using the public method of ProfileManager setConfig(Config config).

The getProfile method calls the removeOrRenewExpiredProfiles method in ProfileManager, which includes the following condition:

    protected void removeOrRenewExpiredProfiles(final LinkedHashMap<String, UserProfile> profiles, final boolean readFromSession) {
        var profilesUpdated = false;
        for (final var entry : profiles.entrySet()) {
            final var key = entry.getKey();
            final var profile = entry.getValue();
            if (profile.isExpired()) {
                LOGGER.debug("Expired profile: {}", profile);
                profilesUpdated = true;
                profiles.remove(key);
                if (config != null && profile.getClientName() != null) {
                    final var client = config.getClients().findClient(profile.getClientName());
                    if (client.isPresent()) {
                        try {
                            final var newProfile = client.get().renewUserProfile(profile, context, sessionStore);
                            if (newProfile.isPresent()) {
                                LOGGER.debug("Renewed by profile: {}", newProfile);
                                profiles.put(key, newProfile.get());
                            }
                        } catch (final RuntimeException e) {
                            logger.error("Unable to renew the user profile for key: {}", key, e);
                        }
                    }
                }
            }
        }
        if (profilesUpdated) {
            saveAll(profiles, readFromSession);
        }
    }

In the method you see the condition

if (config != null && profile.getClientName() != null) {

I suspect that this condition will always be null when ProfileManager is called by Pac4jCurrentUser, resulting in the profile always being cleared.

Could you please advise me on how to bypass this problem? Or perhaps it should be fixed?

Thank you.

[tkarlinski]

ps. The setCurrentUser we can't override because the method add new "current user" instead of set

application.setCurrentUser(new Pac4jCurrentUser());

[edgarespinawt]

Would you like to send a PR?

Thanks

[tkarlinski]

Ok, I created PR. That works for my problem.