Commit 10eb8def authored by echel0n's avatar echel0n

Fixed issue with OAuth2 tokens getting revoked due to token refreshes from web-ui.

parent 1d2a13be
......@@ -79,6 +79,10 @@ class API(object):
self.token = self.session.refresh_token(self.token_url, **extra)
def exchange_token(self, token, scope='offline_access'):
exchange = {'scope': scope, 'subject_token': token['access_token']}
self.token = sickrage.app.oidc_client.token_exchange(**exchange)
def allowed_usernames(self):
return self._request('GET', 'allowed-usernames')
......
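Review bot: `exchange_token` has no docstring, and nothing in it says what shape `token` must have or that the call overwrites `self.token`. I would add a docstring stating that `token` is a token-response dict containing `access_token`, that the default scope `offline_access` asks the identity provider for an offline token, and that any error from `token_exchange` propagates to the caller. Because an offline token is meant to outlive the browser session, a comment on where `self.token` is persisted and who can read it would help; that storage is not visible in this hunk. The API class body starts and ends outside the hunk.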
......@@ -19,11 +19,13 @@
# along with SiCKRAGE. If not, see <http://www.gnu.org/licenses/>.
# ##############################################################################
import functools
import json
import os
import threading
import time
import traceback
from abc import ABC
from json import JSONDecodeError
from urllib.parse import urlparse, urljoin
from keycloak.exceptions import KeycloakClientError
......@@ -100,14 +102,9 @@ class BaseHandler(RequestHandler, ABC):
def get_current_user(self):
try:
if not API().token:
return
token = sickrage.app.oidc_client.refresh_token(self.get_secure_cookie('sr_refresh_token'))
self.set_secure_cookie('sr_access_token', token['access_token'])
self.set_secure_cookie('sr_refresh_token', token['refresh_token'])
token = json.loads(self.get_secure_cookie('_sr'))
return sickrage.app.oidc_client.userinfo(token['access_token'])
except (KeycloakClientError, HTTPError, OSError):
except (KeycloakClientError, HTTPError, JSONDecodeError, OSError):
pass
def render_string(self, template_name, **kwargs):
......
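Review bot: In `get_current_user`, `self.get_secure_cookie('_sr')` returns `None` when the cookie is absent or its signature does not verify, and `json.loads(None)` raises `TypeError`, which the new except tuple does not catch. A request without a valid `_sr` cookie would then fail with an unhandled exception instead of being treated as unauthenticated, and a cookie whose JSON lacks `access_token` raises `KeyError` the same way. I would guard before parsing with `cookie = self.get_secure_cookie('_sr')` followed by `if not cookie: return`, and add `KeyError` to the except tuple. Old and new lines are interleaved without markers on this page, so which of the method's earlier lines survive is inferred from the hunk header counts.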
......@@ -18,6 +18,7 @@
# You should have received a copy of the GNU General Public License
# along with SiCKRAGE. If not, see <http://www.gnu.org/licenses/>.
# ##############################################################################
import json
from abc import ABC
import sickrage
......@@ -37,8 +38,7 @@ class LoginHandler(BaseHandler, ABC):
token = sickrage.app.oidc_client.authorization_code(code, redirect_uri)
userinfo = sickrage.app.oidc_client.userinfo(token['access_token'])
self.set_secure_cookie('sr_access_token', token['access_token'])
self.set_secure_cookie('sr_refresh_token', token['refresh_token'])
self.set_secure_cookie('_sr', json.dumps(token))
if not userinfo.get('sub'):
return self.redirect('/logout')
......@@ -67,5 +67,5 @@ class LoginHandler(BaseHandler, ABC):
redirect_uri = self.get_argument('next', "/{}/".format(sickrage.app.config.default_page))
return self.redirect("{}".format(redirect_uri))
else:
authorization_url = sickrage.app.oidc_client.authorization_url(redirect_uri=redirect_uri, scope="profile email offline_access")
authorization_url = sickrage.app.oidc_client.authorization_url(redirect_uri=redirect_uri)
return super(BaseHandler, self).redirect(authorization_url)
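Review bot: The new `self.set_secure_cookie('_sr', json.dumps(token))` in LoginHandler puts the whole token response, refresh token included, into a cookie that Tornado signs but does not encrypt, and it sets no cookie flags. The only reader visible on this page, `get_current_user`, uses `token['access_token']` alone, so unless another handler needs more I would store just that and mark the cookie HttpOnly: `self.set_secure_cookie('_sr', json.dumps({'access_token': token['access_token']}), httponly=True)`, adding `secure=True` when the UI is served over HTTPS. A full response carrying several JWTs can also exceed the roughly 4 KB per-cookie limit browsers apply, in which case the cookie is dropped and the login silently fails. The handler method starts and ends outside the hunk.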
......@@ -29,9 +29,6 @@ class LogoutHandler(BaseHandler, ABC):
logout_uri = sickrage.app.oidc_client.get_url('end_session_endpoint')
redirect_uri = "{}://{}{}/login".format(self.request.protocol, self.request.host, sickrage.app.config.web_root)
# if self.get_secure_cookie('sr_refresh_token'):
# sickrage.app.oidc_client.logout(self.get_secure_cookie('sr_refresh_token'))
self.clear_all_cookies()
return super(BaseHandler, self).redirect('{}?redirect_uri={}'.format(logout_uri, redirect_uri))