
Commit 05fe6e7

committed
Fix 30646: add option to disable logout on OIDC session expire
1 parent 3026c37 commit 05fe6e7

1 file changed

Lines changed: 25 additions & 6 deletions


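--- a/src/main/java/eu/openanalytics/containerproxy/auth/impl/oidc/OpenIdReAuthorizeFilter.java
+++ b/src/main/java/eu/openanalytics/containerproxy/auth/impl/oidc/OpenIdReAuthorizeFilter.java
@@ -20,6 +20,7 @@
  */
 package eu.openanalytics.containerproxy.auth.impl.oidc;
 
+import org.springframework.core.env.Environment;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.oauth2.client.ClientAuthorizationException;
@@ -36,6 +37,7 @@
 import org.springframework.web.filter.OncePerRequestFilter;
 
 import javax.annotation.Nonnull;
+import javax.annotation.PostConstruct;
 import javax.inject.Inject;
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
@@ -79,11 +81,21 @@ public class OpenIdReAuthorizeFilter extends OncePerRequestFilter {
     @Inject
     private OAuth2AuthorizedClientService oAuth2AuthorizedClientService;
 
+    @Inject
+    private Environment environment;
+
     private final Clock clock = Clock.systemUTC();
 
     // use clock skew of 40 seconds instead of 60 seconds. Otherwise, if the access token is valid for 1 minute, it would get refreshed at each request.
     private final Duration clockSkew = Duration.ofSeconds(40);
 
+    private boolean ignoreLogout;
+
+    @PostConstruct
+    public void init() {
+        ignoreLogout = environment.getProperty("proxy.openid.ignore-session-expire", Boolean.class, false);
+    }
+
     @Override
     protected void doFilterInternal(@Nonnull HttpServletRequest request, @Nonnull HttpServletResponse response, @Nonnull FilterChain chain) throws ServletException, IOException {
         if (REQUEST_MATCHER.matches(request)) {
@@ -93,8 +105,10 @@ protected void doFilterInternal(@Nonnull HttpServletRequest request, @Nonnull Ht
                 OAuth2AuthorizedClient authorizedClient = oAuth2AuthorizedClientService.loadAuthorizedClient(REG_ID, auth.getName());
 
                 if (authorizedClient == null) {
-                    invalidateSession(request, response);
-                    return;
+                    if (!ignoreLogout) {
+                        invalidateSession(request, response, auth);
+                        return;
+                    }
                 } else {
                     if (accessTokenExpired(authorizedClient)) {
                         OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest
@@ -104,10 +118,14 @@ protected void doFilterInternal(@Nonnull HttpServletRequest request, @Nonnull Ht
 
                         try {
                             oAuth2AuthorizedClientManager.authorize(authorizeRequest);
-                            logger.info("Refresh");
+                            logger.debug(String.format("OpenID access token refreshed [user: %s]", auth.getName()));
                         } catch (ClientAuthorizationException ex) {
-                            invalidateSession(request, response);
-                            return;
+                            if (!ignoreLogout) {
+                                invalidateSession(request, response, auth);
+                                return;
+                            } else {
+                                logger.debug(String.format("OpenID access token expired, internal session stays active [user: %s]", auth.getName()));
+                            }
                         }
                     }
                 }
@@ -131,7 +149,8 @@ private boolean accessTokenExpired(OAuth2AuthorizedClient authorizedClient) {
         return clock.instant().isAfter(authorizedClient.getAccessToken().getExpiresAt().minus(this.clockSkew));
     }
 
-    private void invalidateSession(@Nonnull HttpServletRequest request, @Nonnull HttpServletResponse response) throws IOException {
+    private void invalidateSession(@Nonnull HttpServletRequest request, @Nonnull HttpServletResponse response, Authentication auth) throws IOException {
+        logger.debug(String.format("OpenID access token expired, invalidating internal session [user: %s]", auth.getName()));
         HttpSession session = request.getSession(false);
         if (session != null) {
             session.invalidate();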
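Review bot: With `proxy.openid.ignore-session-expire` enabled, the new `else` branch of the `catch (ClientAuthorizationException ex)` keeps the stale OAuth2AuthorizedClient in place, so every later request matching REQUEST_MATCHER will see `accessTokenExpired` as true and re-attempt the refresh against the IdP token endpoint, while the failure reason in `ex` is never logged. Consider discarding the client once the refresh has failed, `oAuth2AuthorizedClientService.removeAuthorizedClient(REG_ID, auth.getName());`, so subsequent requests take the `authorizedClient == null` path (a no-op when ignoring), and include `ex.getMessage()` in the debug message so a revoked refresh token can be told apart from an unreachable IdP. The option also means revocation at the IdP (user disabled, refresh token invalidated) no longer ends the internal session, which is then bounded only by the servlet session timeout; a comment on the `ignoreLogout` field stating that trade-off would help, e.g. `// when true, the internal session outlives the IdP session: revocation at the IdP is not enforced by this filter`. The body of doFilterInternal continues outside the hunks shown.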
