As armadillo user I want to refresh my tokens when they timeout #669

Open
2 tasks
clemens-tolboom opened this issue Feb 29, 2024 · 3 comments · May be fixed by #693

clemens-tolboom commented Feb 29, 2024

In #121 we learned that increasing the OIDC token lifetime makes long R queries finish correctly.

It seems we should add a refresh token into Armadillo ... the R side takes care of keeping the Armadillo session alive but has no business with JWT token timeout

@clemens-tolboom clemens-tolboom changed the title Should Armadillo refresh the OICD token(s)? Should Armadillo refresh the JWT/OICD token(s)? Feb 29, 2024
@clemens-tolboom clemens-tolboom added this to the Sprint 218 milestone Feb 29, 2024
@clemens-tolboom clemens-tolboom added bug 🐛 Something isn't working tests labels Mar 12, 2024

clemens-tolboom commented Mar 12, 2024

Sketchy example:

```yaml
spring:
  security:
    oauth2:
      authorizationserver:
        issuer: http://auth-server:9000 # Set the issuer URL for your authorization server

      client:
        articles-client: # Define your client configuration
          registration:
            client-id: articles-client
            client-secret: "{noop}secret" # Replace with your actual client secret
            client-name: Articles Client
            client-authentication-methods:
              - client_secret_basic
            authorization-grant-types:
              - authorization_code
              - refresh_token # Include refresh token grant type
```

but path spring.security.oauth2.client.registration.[registrationId].authorization-grant-type is listed


clemens-tolboom commented Mar 20, 2024

KeyCloak OIDC

We managed to login through the UI https://dev-armadillo.molgenis.org using KeyCloak config below

Described on https://github.com/molgenis/molgenis-r-auth we see KeyCloak is not working from R

Fusion Auth

```r
# Fusion Auth
endpoint <- discover("https://auth.molgenis.org")
```

does similar

```sh
curl https://auth.molgenis.org/.well-known/openid-configuration
```

KeyCloak

```r
endpoint <- discover("https://auth1.molgenis.net/realms/Molgenis")
```

does similar

```sh
curl https://auth1.molgenis.net/realms/Molgenis/.well-known/openid-configuration
```

application.yml

There are some fields added for KeyCloak esp. for resourceserver

```yaml
    oauth2:
      client:
        provider:
          molgenis:
            issuer-uri: https://auth1.molgenis.net/realms/Molgenis
        registration:
          molgenis:
            redirect-uri: 'https://dev-armadillo.molgenis.org/login/oauth2/code/molgenis'
            scope: openid, profile, email # <=================
            client-id: Dev-Armadillo-Test
            client-secret: ...
      resourceserver:
        jwt:
          issuer-uri: https://auth1.molgenis.net/realms/Molgenis
          jwk-set-uri: https://auth1.molgenis.net/realms/Molgenis/protocol/openid-connect/certs # <=======
        opaquetoken:
          introspection-url: 'https://auth1.molgenis.net/realms/Molgenis/protocol/openid-connect/token/introspect' # <====
          client-id: Dev-Armadillo-Test
          client-secret: ...
```

Test script used

Used R script

This needs a working release-test.R libs RStudio environment.

```r
#!/usr/bin/env Rscript

library(dsBaseClient)
library(purrr)
library(MolgenisArmadillo)

#demo_url <- "https://armadillo-demo.molgenis.net/"
#demo_url <- "http://localhost:8080/"
demo_url <- "https://dev-armadillo.molgenis.org/"

demo_token <- armadillo.get_token(demo_url)
print(demo_token)
builder <- DSI::newDSLoginBuilder()

builder$append(server = "study1", url = demo_url, profile = "xenon", token = demo_token, driver = "ArmadilloDriver", 
               table = "xenon-tests/2_1-core-1_0/nonrep")

#builder$append(server = "study1", url = demo_url, profile = "default", token = demo_token, driver = "ArmadilloDriver", 
#               table = "lifecycle/core/nonrep")
logindata <- builder$build()

conns <- DSI::datashield.login(logins = logindata, assign = T, symbol = "nonrep")

1:100000 %>% map(
  ~{
    Sys.sleep(10)
    print(.)
    print(format(Sys.time(), "%Y-%m-%dT%H:%M:%S"))
    ds.rep(x1 = 4, times = 6, length.out = NA, each = 1, source.x1 = "clientside",
          source.times = "c", source.length.out = NULL, source.each = "c",
          x1.includes.characters = FALSE, newobj = "rep.seq")
  })
```


clemens-tolboom commented Mar 20, 2024

device login

After cloning https://github.com/molgenis/molgenis-r-auth and googling and managing KeyCloak checkboxes we tried POST-ing as form and device login works

See PR molgenis/molgenis-r-auth#18

@marikaris marikaris modified the milestones: Sprint 219, Backlog, Priority May 7, 2024
@marikaris marikaris changed the title Should Armadillo refresh the JWT/OICD token(s)? As armadillo user I want to refresh my tokens when they timeout Jun 18, 2024
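
The token timeout discussed in this issue, as an added example that is not part of the issue or of the Armadillo code base: a client reads the access token's `exp` claim before each call and, when it is about to expire, uses the `refresh_token` grant against the `token_endpoint` from the discovery document. The issuer URL, client id, token values and the `post` transport are constructed for illustration, and a public client (no client secret) is assumed.

```python
import base64
import json
from urllib.parse import urlencode

def jwt_exp(access_token):
    """Return the exp claim (epoch seconds). The signature is NOT verified here:
    the value only schedules a refresh; the resource server still validates."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])

def refresh_form(discovery, refresh_token, client_id):
    """Build the form-encoded refresh_token grant (RFC 6749 section 6)."""
    if "refresh_token" not in discovery.get("grant_types_supported", []):
        raise ValueError("issuer does not advertise the refresh_token grant")
    endpoint = discovery["token_endpoint"]
    if not endpoint.startswith("https://"):
        raise ValueError("token endpoint must use https")
    body = urlencode({"grant_type": "refresh_token",
                      "refresh_token": refresh_token,
                      "client_id": client_id})
    return endpoint, body

def ensure_fresh(tokens, now, discovery, client_id, post, skew=60):
    """Return tokens valid for more than `skew` seconds, refreshing if needed.
    `post(url, body)` is a hypothetical transport returning the parsed JSON reply."""
    if jwt_exp(tokens["access_token"]) - now > skew:
        return tokens
    url, body = refresh_form(discovery, tokens["refresh_token"], client_id)
    reply = post(url, body)
    return {"access_token": reply["access_token"],
            # the issuer may rotate the refresh token; keep the old one otherwise
            "refresh_token": reply.get("refresh_token", tokens["refresh_token"])}

# --- constructed sample data (not taken from the issue) ---
def make_token(exp):
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "RS256"}), seg({"sub": "demo", "exp": exp}), "sig"])

DISCOVERY = {"token_endpoint": "https://idp.example.test/token",
             "grant_types_supported": ["authorization_code", "refresh_token"]}

def fake_post(url, body):
    # stands in for the identity provider: new token expires 300 s later
    return {"access_token": make_token(1_000_300)}

if __name__ == "__main__":
    tokens = {"access_token": make_token(1_000_000), "refresh_token": "rt-1"}
    for now in (999_000, 999_950):   # well before expiry, then inside the skew window
        tokens = ensure_fresh(tokens, now, DISCOVERY, "demo-client", fake_post)
        print(now, jwt_exp(tokens["access_token"]), tokens["refresh_token"])
```
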