Staging instance, all changes can be removed at any time

Skip to content

auth/backends: Use offline refresh token for Web API authentication

Previously for authenticating a Web API request, users have to sent an access token provided by Keycloak in HTTP authorization headers. But those tokens are short lived (usually a couple of minutes) and authentication will fail once they expired. So to get a new access token without login again, users have to ask a new one to Keycloak using a refresh token (generated at the same time than the access one).

So for users that need to make a large amount of authenticated API calls, they need to implement the token renewal logic from their side (see swh-web-client for instance).

For commodity of use for Web API users, simplify the OIDC authentication worflow by handling access token renewal directly in the DRF authentication backend.

This means once a user gets his offline refresh token, he can store it and uses it to authenticate all his API calls until the token gets revocated.

To limit the number of requests sent to the authentication provider (Keycloak), access tokens are put in cache until they expire (usually a couple of minutes).

Related to #1927 (closed)


Migrated from D3849 (view on Phabricator)

Merge request reports

Loading