[Generic] Implement refresh_user to periodically refresh OAuth tokens #475
Conversation
Requirements for token refresh: - OAuth server response includes `expires_in` and `refresh_token` - State is persisted on hub with `c.Authenticator.enable_auth_state = True`
|
Thanks for submitting your first pull request! You are awesome! 🤗 |
for more information, see https://pre-commit.ci
|
As in the next release of jupyterhub there will be authenticator user group management jupyterhub/jupyterhub#3548 what happens if we have manage_groups=true and the user's group membership changes after auth and before refresh? Your refresh code is not updating user_info['groups'] as it seem. |
|
@kkaraivanov1 Thanks for looking at the PR. I agree that group data should be refreshed as well. Is group membership info already being stored on authentication? |
|
The way I understand the intentions behind the PR I mention is if c.Authenticator.manage_groups is set AND if the GenericOAuthenticator adds the groups to user_info['groups'] they will be populated automatically. |
|
That makes sense, and thank you for the clarification. Adding support for |
| grant_type='refresh_token', | ||
| ) | ||
|
|
||
| headers = self._get_headers() |
There was a problem hiding this comment.
this one is wrong. It has to be
headers = { "Content-Type": "application/x-www-form-urlencoded" }
…expiration Follows the convention of Let's Encrypt
An attempt at OAuth token refresh, following the pattern in PR #287, without relying on tokens to be JWTs. This should address at least some of issue #398.
Requirements for token refresh:
expires_inandrefresh_tokenc.Authenticator.enable_auth_state = True(to store therefresh_token)