Set response header if user needs to reauthenticate to enable Helsinki Profile functionality #1362

Merged
merged 2 commits into from
Sep 25, 2024

Conversation

@matti-lamppu matti-lamppu (Collaborator) commented Sep 25, 2024

🛠️ Changelog

  • Sets an X-Keycloak-Refresh-Token-Expired header in each response if the user's Keycloak refresh token has expired. This token is used for refreshing the user's Helsinki profile tokens, which are used for fetching profile information e.g. for reservation prefill operations. However, if the Keycloak refresh token has expired there is no way to get a new pair (afaik) without reauthenticating (log out and back in again). This response header can be used by the frontend to display a message, or just for debugging purposes.
  • Also adds a local configuration UNSAFE_SKIP_IAT_CLAIM_VALIDATION for skipping iat validation on Tunnistamo JWTs, which can fail locally if authentication happens too fast.

🧪 Test plan

  • Manual tests can be done, but not a blocker for release imo.

🚧 Dependencies

  • None

🎫 Tickets

  • None

This is a hack that can be enabled for local development if you get
errors during authentication for "The token is not yet valid (iat)".
These happen due to an incorrect implementation for checking issued-at
time in `jwt.api_jwt.PyJWT._validate_iat` (`iat` is an int while `now`
is a float, which can be a few milliseconds off if the server
authenticated too fast).
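The two timestamp checks this PR touches, written as an added example that is not code from the PR or the project: an `iat` check that tolerates the int-versus-float skew described in the commit message via a small leeway instead of disabling validation, and the response-header logic from the changelog. The function names and the `leeway`/`skip` parameters are assumptions; the header name and the `UNSAFE_SKIP_IAT_CLAIM_VALIDATION` setting it mirrors are from the PR.

```python
"""Added example (not the project's code): framework-free versions of the
iat check and the reauthentication response header discussed in the PR."""
import time
from typing import Mapping, MutableMapping, Optional

# Header name taken from the PR description.
REFRESH_EXPIRED_HEADER = "X-Keycloak-Refresh-Token-Expired"


def iat_is_valid(claims: Mapping, now: Optional[float] = None,
                 leeway: float = 0.0, skip: bool = False) -> bool:
    """True unless the token claims to have been issued in the future.

    `iat` is whole seconds (int) while `now` is a float: an issuer whose
    clock is a few ms ahead mints iat=1001 while the verifier still reads
    1000.995, so a zero-leeway `iat > now` comparison rejects a good token.
    A small leeway absorbs that skew; `skip` mirrors the PR's
    UNSAFE_SKIP_IAT_CLAIM_VALIDATION and belongs in local development only.
    """
    if skip:
        return True
    iat = claims.get("iat")
    if iat is None:
        return True
    now = time.time() if now is None else now
    return int(iat) <= now + leeway


def refresh_token_expired(claims: Mapping, now: Optional[float] = None) -> bool:
    """True when the refresh token's `exp` has passed. No leeway here: an
    expired Keycloak refresh token cannot be renewed without a fresh login."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    return exp is not None and int(exp) <= now


def add_reauth_header(headers: MutableMapping[str, str],
                      refresh_claims: Optional[Mapping],
                      now: Optional[float] = None) -> MutableMapping[str, str]:
    """Set the header on a response whose session holds an expired refresh
    token, so the frontend can tell the user to log out and back in."""
    if refresh_claims is not None and refresh_token_expired(refresh_claims, now):
        headers[REFRESH_EXPIRED_HEADER] = "true"
    return headers


if __name__ == "__main__":
    # Constructed sample: issuer clock 5 ms ahead of the verifier.
    print(iat_is_valid({"iat": 1001}, now=1000.995))              # False
    print(iat_is_valid({"iat": 1001}, now=1000.995, leeway=1.0))  # True
    print(add_reauth_header({}, {"exp": 999}, now=1000.0))
```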
@matti-lamppu matti-lamppu added the improvement Improves an existing feature label Sep 25, 2024
@matti-lamppu matti-lamppu self-assigned this Sep 25, 2024
@matti-lamppu matti-lamppu marked this pull request as ready for review September 25, 2024 08:27
Quality Gate failed

Failed conditions
32.1% Coverage on New Code (required ≥ 65%)

See analysis details on SonarCloud

@matti-lamppu matti-lamppu merged commit 313b37b into main Sep 25, 2024
5 of 6 checks passed
@matti-lamppu matti-lamppu deleted the set-response-header-for-reauth branch September 25, 2024 10:18