snok · daggaz · Feb 28, 2023 · Feb 28, 2023 · tim-schilling · Mar 11, 2023
diff --git a/django_auth_adfs/backend.py b/django_auth_adfs/backend.py
@@ -1,11 +1,13 @@
 import logging
+from datetime import datetime, timedelta
 
 import jwt
-from django.contrib.auth import get_user_model
+from django.contrib.auth import get_user_model, logout
 from django.contrib.auth.backends import ModelBackend
 from django.contrib.auth.models import Group
 from django.core.exceptions import (ImproperlyConfigured, ObjectDoesNotExist,
                                     PermissionDenied)
+from requests import HTTPError
 
 from django_auth_adfs import signals
 from django_auth_adfs.config import provider_config, settings
@@ -394,14 +396,47 @@ def authenticate(self, request=None, authorization_code=None, **kwargs):
             logger.debug("Authentication backend was called but no authorization code was received")
             return
 
+        # If there's no request object, we pass control to the next authentication backend
+        if request is None:
+            logger.debug("Authentication backend was called without request")
+            return
+
         # If loaded data is too old, reload it again
         provider_config.load_config()
 
         adfs_response = self.exchange_auth_code(authorization_code, request)
-        access_token = adfs_response["access_token"]
-        user = self.process_access_token(access_token, adfs_response)
+        user = self._process_adfs_response(request, adfs_response)
         return user
 
+    def _process_adfs_response(self, request, adfs_response):
+        user = self.process_access_token(adfs_response['access_token'], adfs_response)
+        request.session['_adfs_access_token'] = adfs_response['access_token']
+        expiry = datetime.now() + timedelta(seconds=adfs_response['expires_in'])
+        request.session['_adfs_token_expiry'] = expiry.isoformat()
+        if 'refresh_token' in adfs_response:
+            request.session['_adfs_refresh_token'] = adfs_response['refresh_token']
+        request.session.save()
+        return user
+
+    def process_request(self, request):
+        now = datetime.now() + settings.REFRESH_THRESHOLD
+        expiry = datetime.fromisoformat(request.session['_adfs_token_expiry'])
+        if now > expiry:
+            try:
+                self._refresh_access_token(request, request.session['_adfs_refresh_token'])
+            except (PermissionDenied, HTTPError):
+                logout(request)
+
+    def _refresh_access_token(self, request, refresh_token):
+        provider_config.load_config()
+        response = provider_config.session.post(
+            provider_config.token_endpoint,
+            data=f'grant_type=refresh_token&refresh_token={refresh_token}'
+        )
+        response.raise_for_status()
+        adfs_response = response.json()
+        self._process_adfs_response(request, adfs_response)
+
 
 class AdfsAccessTokenBackend(AdfsBaseBackend):
     """

diff --git a/django_auth_adfs/config.py b/django_auth_adfs/config.py
@@ -72,6 +72,7 @@ def __init__(self):
         self.USERNAME_CLAIM = "winaccountname"
         self.GUEST_USERNAME_CLAIM = None
         self.JWT_LEEWAY = 0
+        self.REFRESH_THRESHOLD = timedelta(minutes=5)
         self.CUSTOM_FAILED_RESPONSE_VIEW = lambda request, error_message, status: render(
             request, 'django_auth_adfs/login_failed.html', {'error_message': error_message}, status=status
         )

diff --git a/django_auth_adfs/middleware.py b/django_auth_adfs/middleware.py
@@ -4,9 +4,11 @@
 from re import compile
 
 from django.conf import settings as django_settings
+from django.contrib import auth
 from django.contrib.auth.views import redirect_to_login
 from django.urls import reverse
 
+from django_auth_adfs.backend import AdfsAuthCodeBackend
 from django_auth_adfs.exceptions import MFARequired
 from django_auth_adfs.config import settings
 
@@ -49,3 +51,17 @@ def __call__(self, request):
                     return redirect_to_login('django_auth_adfs:login-force-mfa')
 
         return self.get_response(request)
+
+
+def adfs_refresh_middleware(get_response):
+    def middleware(request):
+        try:
+            backend_str = request.session[auth.BACKEND_SESSION_KEY]
+        except KeyError:
+            pass
+        else:
+            backend = auth.load_backend(backend_str)
+            if isinstance(backend, AdfsAuthCodeBackend):
+                backend.process_request(request)
+        return get_response(request)
+    return middleware
diff --git a/tests/settings.py b/tests/settings.py
@@ -35,6 +35,7 @@
     'django.contrib.messages.middleware.MessageMiddleware',
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
 
+    'django_auth_adfs.middleware.adfs_refresh_middleware',
     'django_auth_adfs.middleware.LoginRequiredMiddleware',
 )