zamzterz/Flask-pyoidc

Expired JWT tokens in session

Closed this issue · 2 comments

Hello and thanks for providing this useful library.

Unfortunately, when trying to use it in a project I'm facing an issue I feel is supposed to be handled in the library. The context is that an application that authenticates using OIDC (Keycloak) also needs to read some data provided by Keycloak. This is done by decoding the payload from the JWT token, roughly as:

import flask
import jwt  # PyJWT
from flask_pyoidc.user_session import UserSession

user_session = UserSession(flask.session)
decoded = jwt.decode(user_session.access_token, public_key, audience='account', algorithms=["RS256"])

This initially works in the expected way: I'm able to query the decoded data from the JWT token and work with it. However, once the token expires it remains in use by flask.session. Essentially, Flask's session expiration is not synchronized with, and doesn't respect, the expiration time of the JWT token. I would expect the middleware to detect expiration of JWT tokens and refresh them when needed. Because at some point flask.session stores an expired token, jwt.decode is doomed to fail with an expiration error.

The only reasonable solution that comes to mind is to implement some custom management around the lifetimes of session tokens, but that seems like bypassing/re-implementing something the library already does (maintaining tokens and authentication).

Am I missing something fundamental, or am I really expected to deal with expiration of tokens in application code? What is the commonly used way to read payload data?

Hi! 👋

Expiration of tokens is already managed by this middleware, but you'll need to use OIDCAuthentication.valid_access_token() instead of accessing UserSession(flask.session).access_token directly to ensure you always get a valid access token (and that is assuming the provider you use issues refresh tokens).
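The pattern from the reply above, written out as an added example; it is not code from this thread or from Flask-pyoidc itself. It assumes Flask-pyoidc 3.x, where OIDCAuthentication.valid_access_token(force_refresh=False) returns a currently valid access token (refreshing with the stored refresh token when needed) or None when no valid token can be obtained; PyJWT 2.x for PyJWKClient; and a Keycloak issuer whose JWKS are published at <issuer>/protocol/openid-connect/certs. The names fetch_claims, TokenExpiredError, ReauthenticationRequired, make_keycloak_decoder and create_app are this example's own, and the test stand-ins for the middleware are constructed.

```python
"""Reading verified access-token claims through Flask-pyoidc's valid_access_token().

Added example, not from the issue thread or the library. Assumes Flask-pyoidc 3.x,
PyJWT >= 2 (PyJWKClient) and a Keycloak issuer; the helper names below are mine.
"""
import os
from typing import Callable, Optional


class TokenExpiredError(Exception):
    """Raised by the decoder when the token is expired (wraps PyJWT's ExpiredSignatureError)."""


class ReauthenticationRequired(Exception):
    """The middleware has no valid access token and cannot refresh: send the user through login again."""


def fetch_claims(valid_access_token: Callable[..., Optional[str]],
                 decode: Callable[[str], dict]) -> dict:
    """Obtain verified claims via the middleware, never via UserSession.access_token.

    valid_access_token is OIDCAuthentication.valid_access_token (or a stand-in with the
    same contract); decode verifies signature, audience and expiry and raises
    TokenExpiredError when the token has expired.
    """
    token = valid_access_token()
    if token is None:
        # Either the provider issued no refresh token or the refresh request failed.
        raise ReauthenticationRequired("no valid access token could be obtained")
    try:
        return decode(token)
    except TokenExpiredError:
        # Edge case: the token passed the middleware's expiry check but expired (or the
        # provider's clock is slightly ahead) before decode ran. Force exactly one refresh.
        token = valid_access_token(force_refresh=True)
        if token is None:
            raise ReauthenticationRequired("token refresh failed")
        return decode(token)


def make_keycloak_decoder(issuer: str, audience: str) -> Callable[[str], dict]:
    """Build a decoder that verifies RS256 tokens against the realm's published JWKS."""
    import jwt  # PyJWT; imported lazily so fetch_claims can be used (and tested) without it

    jwks = jwt.PyJWKClient(f"{issuer}/protocol/openid-connect/certs")

    def decode(token: str) -> dict:
        try:
            signing_key = jwks.get_signing_key_from_jwt(token).key
            return jwt.decode(token, signing_key, audience=audience, algorithms=["RS256"])
        except jwt.ExpiredSignatureError as exc:
            raise TokenExpiredError() from exc

    return decode


def create_app(issuer: str, client_id: str, client_secret: str, redirect_uri: str):
    """Wire the pattern into a Flask-pyoidc app (needs a live Keycloak; not run offline)."""
    import flask
    from flask_pyoidc import OIDCAuthentication
    from flask_pyoidc.provider_configuration import ClientMetadata, ProviderConfiguration

    app = flask.Flask(__name__)
    app.config.update(OIDC_REDIRECT_URI=redirect_uri,
                      SECRET_KEY=os.environ["FLASK_SECRET_KEY"])  # assumed env var
    provider = ProviderConfiguration(issuer=issuer,
                                     client_metadata=ClientMetadata(client_id, client_secret))
    auth = OIDCAuthentication({"keycloak": provider}, app)
    decode = make_keycloak_decoder(issuer, audience="account")  # 'account' as in the question

    @app.route("/me")
    @auth.oidc_auth("keycloak")
    def me():
        try:
            claims = fetch_claims(auth.valid_access_token, decode)
        except ReauthenticationRequired:
            # Drop the stale session so oidc_auth starts a fresh login on the next request.
            flask.session.clear()
            return flask.redirect(flask.request.url)
        roles = claims.get("realm_access", {}).get("roles", [])  # Keycloak's realm-role claim
        return flask.jsonify(sub=claims["sub"], roles=roles)

    return app
```

Two caveats worth keeping in mind: if the provider issues no refresh token, valid_access_token() returns None as soon as the access token expires, so the redirect above simply forces a new login, which is the situation the reply hints at. And decoding the access token in the client only works because Keycloak issues JWT access tokens; with a provider that issues opaque access tokens, read the ID-token claims or the userinfo stored in UserSession instead.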

Thanks a lot @zamzterz I can confirm this works exactly as I expected.

I wrongly assumed the oidc_auth decorator would take care of token refreshing, but it makes sense that the renewal of the token is deferred to the call of this method.