Automatically renew the access token (MarketPlace)

[csadorf]

As a user I would like my access token to be automatically renewed such that my session does not time out while I am logged in.

[csadorf]

See for example: https://stackoverflow.com/a/51387379

[unkcpz]

There is no easy way to make the test without using the aiidalab. It is no long able to get the access_token and refresh_token from inspect tool of browser. I also tried https://creodias.eu/-/how-to-generate-keycloak-token-using-web-browser-console- to get the token but not working for MarketPlace which says VM182:1 Uncaught ReferenceError: keycloak is not defined.

But I can get the refresh_token by using aiidalab deployment where I read and set the token in login phase. I use exactly the same way suggested by https://stackoverflow.com/questions/51386337/refresh-access-token-via-refresh-token-in-keycloak/51387379#51387379
The client_id is request from https://www.materials-marketplace.eu/auth/realms/marketplace/protocol/openid-connect/userinfo of sub(maybe this is the problem, the sub is not the client_id?) with my access_token.

Here is my postman request.

[unkcpz]

In the stackoverflow post, it says for some cases it may also need client_secret, I don't know where to get this field (I forget where we get this oauth_client_secret in MP aiidalab deployment 😅). Meanwhile, I think the in logicrefresh_token should be enough to renew the access_token.

[csadorf]

@unkcpz I don't fully understand your comments. Is it possible or not possible? What is the current blocker?

We have the following values available to us in the user session:

aiidalab-docker-stack-demo/marketplace/oauthenticator.py

Lines 26 to 28 in b78e55e

	spawner.environment['MP_HOST'] = "https://{{ marketplace_host }}"
	spawner.environment['MP_ACCESS_TOKEN'] = auth_state['access_token']
	spawner.environment['MP_REFRESH_TOKEN'] = auth_state['refresh_token']

In addition, we have the following information attached to the configuration of the authenticator:

aiidalab-docker-stack-demo/.github/workflows/config-template.yaml.j2

Lines 90 to 93 in b78e55e

	c.MarketplaceOAuthenticator.enable_auth_state = True
	c.MarketplaceOAuthenticator.client_id = "{{ oauth_client_id }}"
	c.MarketplaceOAuthenticator.client_secret = "{{ oauth_client_secret }}"
	c.MarketplaceOAuthenticator.oauth_callback_url = 'https://{{ jh_host }}/hub/oauth_callback'

[unkcpz]

I don't fully understand your comments. Is it possible or not possible? What is the current blocker?

The blocker is the c.MarketplaceOAuthenticator.client_secret is set but after the authenticate phase it is not accessible anymore only if we find a way to store it as an environment variable such as the access/refresh_token. Moreover, from the post https://stackoverflow.com/a/51387379 it should not require client_secret to renew the access_token, only refresh_token is enough, but this is not working for MarketPlace's keycloak.

[csadorf]

only refresh_token is enough, but this is not working for MarketPlace's keycloak.

@unkcpz Did you inquire with Pablo or Yoav about this?

[unkcpz]

Sorry, I forget about this. Will open an issue now.

Edit: issue open in Marketplace gitlab repo https://gitlab.cc-asp.fraunhofer.de/MarketPlace/platform/issue-reporting/-/issues/125.