Fix #30569: fix refreshing of access tokens

Author: LEDfan

src/main/java/eu/openanalytics/containerproxy/auth/impl/oidc/OpenIdReAuthorizeFilter.java

@@ -30,7 +30,6 @@
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
 import org.springframework.security.oauth2.client.RefreshTokenOAuth2AuthorizedClientProvider;
 import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
-import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
@@ -42,6 +41,7 @@
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 import java.io.IOException;
 import java.time.Clock;
 import java.time.Duration;
@@ -50,19 +50,28 @@
 
 /**
  * Ensures that the access token of the user is refreshed when needed.
- * If the refresh token is invalid (e.g. because the session in the IdP expired), we throw a
- * {@link ClientAuthorizationRequiredException} exception such that the user is can re-login.
- *
+ * If the refresh token is invalid (e.g. because the session in the IdP expired), we first invalidate the session and then throw a
+ * {@link ClientAuthorizationRequiredException} exception such that the user can re-login.
  * This filter only applies to a limited set of requests and not to requests that are proxied to apps.
- * Otherwise, this filter would be called too much and cause too much overhead.
+ * Otherwise, this filter would be called too much and cause too much overhead. In addition, this filter should
+ * only be used on non-ajax requests. This is required for the redirect to the IDP to properly work.
+ *
+ * A special case is the /refresh-openid endpoint, which does not throw the exception (i.e. it does not cause a redirect to the IDP)
+ * but only invalidates the session. This endpoint is frequently called (at least every <40 seconds) when the user is using an app.
+ * It refreshes the OIDC session as long as possible and when it fails (e.g. because the session was revoked or reached it max life),
+ * the session is invalidated. The app page detects this and shows a message that the user was logged out.
+ *
+ * See #30569, #28976
  */
 public class OpenIdReAuthorizeFilter extends OncePerRequestFilter {
 
+    private static final RequestMatcher REFRESH_OPENID_MATCHER = new AntPathRequestMatcher("/refresh-openid");
+
     private static final RequestMatcher REQUEST_MATCHER = new OrRequestMatcher(
             new AntPathRequestMatcher("/app/**"),
             new AntPathRequestMatcher("/app_i/**"),
             new AntPathRequestMatcher("/"),
-            new AntPathRequestMatcher("/heartbeat"));
+            REFRESH_OPENID_MATCHER);
 
     @Inject
     private OAuth2AuthorizedClientManager oAuth2AuthorizedClientManager;
@@ -72,8 +81,8 @@ public class OpenIdReAuthorizeFilter extends OncePerRequestFilter {
 
     private final Clock clock = Clock.systemUTC();
 
-    // use clock skew of 20 seconds instead of 60 seconds. Otherwise, if the access token is valid for 1 minute, it would get refreshed at each request.
-    private final Duration clockSkew = Duration.ofSeconds(20);
+    // use clock skew of 40 seconds instead of 60 seconds. Otherwise, if the access token is valid for 1 minute, it would get refreshed at each request.
+    private final Duration clockSkew = Duration.ofSeconds(40);
 
     @Override
     protected void doFilterInternal(@Nonnull HttpServletRequest request, @Nonnull HttpServletResponse response, @Nonnull FilterChain chain) throws ServletException, IOException {
@@ -83,25 +92,32 @@ protected void doFilterInternal(@Nonnull HttpServletRequest request, @Nonnull Ht
             if (auth instanceof OAuth2AuthenticationToken) {
                 OAuth2AuthorizedClient authorizedClient = oAuth2AuthorizedClientService.loadAuthorizedClient(REG_ID, auth.getName());
 
-                if (accessTokenExpired(authorizedClient)) {
-                    OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest
-                            .withAuthorizedClient(authorizedClient)
-                            .principal(auth)
-                            .build();
-
-                    // re-authorize
-                    try {
-                        oAuth2AuthorizedClientManager.authorize(authorizeRequest);
-                    } catch (ClientAuthorizationException ex) {
-                        if (ex.getError().getErrorCode().equals(OAuth2ErrorCodes.INVALID_GRANT)) {
-                            // if refresh token has expired or is invalid -> re-start authorization process
-                            throw new ClientAuthorizationRequiredException(ex.getClientRegistrationId());
+                if (authorizedClient == null) {
+                    invalidateSession(request, response);
+                    return;
+                } else {
+                    if (accessTokenExpired(authorizedClient)) {
+                        OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest
+                                .withAuthorizedClient(authorizedClient)
+                                .principal(auth)
+                                .build();
+
+                        try {
+                            oAuth2AuthorizedClientManager.authorize(authorizeRequest);
+                            logger.info("Refresh");
+                        } catch (ClientAuthorizationException ex) {
+                            invalidateSession(request, response);
+                            return;
                         }
-                        throw ex;
                     }
                 }
             }
         }
+        if (REFRESH_OPENID_MATCHER.matches(request)) {
+            response.getWriter().write("{\"status\":\"success\"}");
+            response.setStatus(200);
+            return;
+        }
         chain.doFilter(request, response);
     }
 
@@ -115,4 +131,17 @@ private boolean accessTokenExpired(OAuth2AuthorizedClient authorizedClient) {
         return clock.instant().isAfter(authorizedClient.getAccessToken().getExpiresAt().minus(this.clockSkew));
     }
 
+    private void invalidateSession(@Nonnull HttpServletRequest request, @Nonnull HttpServletResponse response) throws IOException {
+        HttpSession session = request.getSession(false);
+        if (session != null) {
+            session.invalidate();
+        }
+        if (REFRESH_OPENID_MATCHER.matches(request)) {
+            response.getWriter().write("{\"status\":\"success\"}");
+            response.setStatus(200);
+        } else {
+            throw new ClientAuthorizationRequiredException(REG_ID);
+        }
+    }
+
 }