diff --git a/lib/galaxy/authnz/custos_authnz.py b/lib/galaxy/authnz/custos_authnz.py
index c69b415673baa71cc2db185adf926fe5cc12bf2d..d8fd3a6f5ff20d9293a0b885e6f78219eb5965f4 100644
--- a/lib/galaxy/authnz/custos_authnz.py
+++ b/lib/galaxy/authnz/custos_authnz.py
@@ -128,7 +128,7 @@ class OIDCAuthnzBase(IdentityProvider):
         # do not refresh tokens if last token is too old
         skip_old_tokens_threshold_seconds = skip_old_tokens_threshold_days * 86400  # 86400 seconds in a day
         if int(id_token_decoded["iat"]) + skip_old_tokens_threshold_seconds < int(time.time()):
-            return False
+            raise Exception("Expired Tokens. User needs to sign in.")
         oauth2_session = self._create_oauth2_session()
         token_endpoint = self.config.token_endpoint
@@ -590,6 +590,7 @@ class OIDCAuthnzBase(IdentityProvider):
         custos_authnz_token = self._get_custos_authnz_token(sa_session, user_id, self.config.provider)
         user = custos_authnz_token.user if custos_authnz_token else None
+        self.refresh(sa_session, custos_authnz_token, 90)
         return user, decoded_jwt
diff --git a/lib/galaxy/authnz/managers.py b/lib/galaxy/authnz/managers.py
index 0a08b56326c1b6d69cbc973f2cd71bf50eadfbb9..117258dafac211b07e20923c6f67f3ead7a60e03 100644
--- a/lib/galaxy/authnz/managers.py
+++ b/lib/galaxy/authnz/managers.py
@@ -298,14 +298,14 @@ class AuthnzManager:
                 msg = f"An error occurred when refreshing user token on `{auth.provider}` identity provider: {message}"
                 log.error(msg)
                 return False
-            refreshed = backend.refresh(trans, auth, 30)
+            refreshed = backend.refresh(trans.sa_session, auth, 30)
             if refreshed:
                 log.debug(f"Refreshed user token via `{auth.provider}` identity provider")
             return True
         except BlockingIOError:
             log.debug("Another process is refreshing, skipping")
             return True
-        except Exception:
+        except Exception as e:
             log.exception("An error occurred when refreshing user token")
             return False
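Review bot: The new `raise Exception("Expired Tokens. User needs to sign in.")` turns an expected, user-driven condition (a stale sign-in) into the most generic exception type, so callers cannot tell it apart from a real failure: the `except Exception` in managers.py (same commit) logs it as an error with a full traceback, and the new `self.refresh(...)` call in `decode_user_access_token` does not catch it at all. A dedicated exception class, or a subclass of the project's existing authentication-failure exception if there is one, lets the API layer map it to a 401 and the refresh loop log it at debug level, e.g. `raise TokenExpiredError("Expired Tokens. User needs to sign in.")` with `class TokenExpiredError(Exception): ...` defined once in the authnz package. The identical change in psa_authnz.py (hunk at line 195) should use the same class. The enclosing `refresh` method starts and ends outside this hunk.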
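Review bot: The added `self.refresh(sa_session, custos_authnz_token, 90)` discards the return value and has no handler, so a token whose signature just verified now aborts `decode_user_access_token` with a bare `Exception` when the last sign-in is older than 90 days, while a `False` result is silently ignored. The hard-coded `90` also disagrees with the `30` passed by `AuthnzManager.refresh_expiring_token` in managers.py, so the same token is "too old" for the background refresh but still accepted here for two more months; one named module-level constant shared by both call sites (a constructed name such as `SKIP_OLD_TOKENS_THRESHOLD_DAYS`) would make the staleness policy a single decision. I would also guard the call, `if custos_authnz_token: self.refresh(sa_session, custos_authnz_token, SKIP_OLD_TOKENS_THRESHOLD_DAYS)`, and note in a comment that it can raise and which HTTP status the caller is expected to return. The same applies to the psa_authnz.py hunk at line 329. The enclosing function starts outside this hunk.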
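Review bot: `except Exception as e:` binds `e` but never uses it; `log.exception(...)` already records the active exception and its traceback, so the binding is dead and linters will flag it — keep the original `except Exception:` or make use of `e`. Separately, with `refresh` now raising for tokens past the threshold, every user with an old session will hit this handler on each refresh attempt and emit an error-level traceback, which is log noise rather than a fault; catching the expired-token case first (by a dedicated exception type, if the backends raise one) and logging it at debug without a traceback keeps the error channel meaningful. Passing `trans.sa_session` instead of `trans` matches the new backend signatures and is the right call.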
diff --git a/lib/galaxy/authnz/psa_authnz.py b/lib/galaxy/authnz/psa_authnz.py
index 65ef74f312708956188462dd4af0d228e1a26897..70451874d32b8900be3659b137e40640f07409c3 100644
--- a/lib/galaxy/authnz/psa_authnz.py
+++ b/lib/galaxy/authnz/psa_authnz.py
@@ -180,7 +180,7 @@ class PSAAuthnz(IdentityProvider):
         extra_data["expires"] = int(expires - time.time())
         user_authnz_token.set_extra_data(extra_data)
-    def refresh(self, trans, user_authnz_token, skip_old_tokens_threshold_days):
+    def refresh(self, sa_session, user_authnz_token, skip_old_tokens_threshold_days):
         if not user_authnz_token or not user_authnz_token.extra_data:
             return False
         # refresh tokens if they reached their half lifetime
@@ -195,17 +195,17 @@ class PSAAuthnz(IdentityProvider):
         # do not refresh tokens if last token is too old
         skip_old_tokens_threshold_seconds = skip_old_tokens_threshold_days * 86400  # 86400 seconds in a day
         if int(user_authnz_token.extra_data["auth_time"]) + skip_old_tokens_threshold_seconds < int(time.time()):
-            return False
+            raise Exception("Expired Tokens. User needs to sign in.")
         if int(user_authnz_token.extra_data["auth_time"]) + int(expires) / 2 <= int(time.time()):
-            on_the_fly_config(trans.sa_session)
+            on_the_fly_config(sa_session)
             log.debug(
                 f"Refreshing user token for {user_authnz_token.uid} via `{user_authnz_token.provider}` identity provider"
             )
             if self.config["provider"] == "azure":
                 self.refresh_azure(user_authnz_token)
             else:
-                strategy = Strategy(None, trans.sa_session, Storage, self.config)
+                strategy = Strategy(None, sa_session, Storage, self.config)
                 user_authnz_token.refresh_token(strategy)
             log.debug(
                 f"Refreshed user token for {user_authnz_token.uid} via `{user_authnz_token.provider}` identity provider"
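Review bot: The re-signed `refresh(self, sa_session, user_authnz_token, skip_old_tokens_threshold_days)` has no docstring, and because the change is a positional rename from `trans` to `sa_session`, any caller outside this diff still passing a transaction object will not fail at the call site but only later inside `on_the_fly_config` or `Strategy`. A docstring stating that the first argument is a SQLAlchemy session (not a transaction), that the method returns `False` when there is no token or no extra data, and that it raises when the token's `auth_time` is older than `skip_old_tokens_threshold_days` days would document the new contract for the other backends that implement the same method. The method body continues past the end of this hunk.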
@@ -329,6 +329,7 @@ class PSAAuthnz(IdentityProvider):
         user_id = decoded_jwt["unique_name"]
         authnz_token = self._get_authnz_token(sa_session, user_id, self.config["provider"])
         user = authnz_token.user if authnz_token else None
+        self.refresh(sa_session, authnz_token, 90)
         return user, decoded_jwt
     @staticmethod