Expired JWT tokens in session
Closed this issue · 2 comments
Hello and thanks for providing this useful library.
Unfortunately, when trying to use it in a project I'm facing an issue that I feel is supposed to be handled in the library. The context is that an application that authenticates using OIDC (Keycloak) also needs to read some data provided by Keycloak. This is done by decoding the payload from the JWT token, roughly as:
```python
import flask
import jwt  # PyJWT
from flask_pyoidc.user_session import UserSession

user_session = UserSession(flask.session)
# Raises jwt.ExpiredSignatureError once the access token stored in the session has expired
decoded = jwt.decode(user_session.access_token, public_key, audience='account', algorithms=["RS256"])
```
This initially works in the expected way - I'm able to query decoded data from the JWT token and work with it. Anyway, once the token expires it remains in use by flask.session. Essentially flask's session expiration is not synchronized with / doesn't respect the expiration time of the JWT token. I would expect the middleware to detect expiration of JWT tokens and refresh them when needed. Because at some point flask.session stores an expired token, jwt.decode is doomed to fail with an expiration error.
The only reasonable solution that comes to mind is to implement some custom management around the lifetimes of session tokens, but that seems like bypassing/re-implementing something the library already does (maintaining tokens and authentication).
Am I missing something fundamental, or am I really expected to deal with expiration of tokens in application code? What is the commonly used way to read payload data?
Hi!
Expiration of tokens is already managed by this middleware, but you'll need to use OIDCAuthentication.valid_access_token() instead of accessing UserSession(flask.session).access_token directly to ensure you always get a valid access token (and that is assuming the provider you use issues refresh tokens).
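The pattern the answer describes, written out as an added example (this is not code from Flask-pyoidc, Keycloak or the issue author): the view gets its token only from `auth.valid_access_token()`, which hands back the stored access token, refreshes it with the refresh token once it has expired, and returns `None` when no valid token can be obtained; the claims are then read from a decode that still verifies signature, audience and `exp`. Assumptions: `auth` is an initialised `OIDCAuthentication` whose provider is registered under the name `keycloak` (the name is made up here), `public_key` is the realm's RS256 public key in PEM form, and the provider issues refresh tokens. `access_token_claims` and `register_profile_view` are helper names introduced for this example.

```python
"""Reading Keycloak claims from an access token the middleware keeps valid.

Added example, not part of Flask-pyoidc. It assumes:
- `auth` is an initialised flask_pyoidc.OIDCAuthentication with a provider
  registered as "keycloak" (the provider name is an assumption),
- `public_key` is the realm's RS256 public key in PEM form,
- the provider issues refresh tokens, which valid_access_token() relies on.
"""
import jwt  # PyJWT
from flask import abort, jsonify


def access_token_claims(auth, key, audience="account", algorithms=("RS256",), leeway=0):
    """Return the verified claims of the current user's access token, or None.

    auth.valid_access_token() (Flask-pyoidc) returns the session's access
    token, refreshing it when it has expired, and None when that is not
    possible. Only a token obtained this way is decoded, and the decode
    still enforces signature, audience and expiry; a stale token therefore
    never reaches application logic unnoticed.
    """
    token = auth.valid_access_token()
    if token is None:
        return None
    return jwt.decode(
        token,
        key,
        audience=audience,
        # Pin the algorithm list: the token must never choose its own alg.
        algorithms=list(algorithms),
        leeway=leeway,
        # Reject tokens that carry no expiry or audience at all.
        options={"require": ["exp", "aud"]},
    )


def register_profile_view(app, auth, public_key, provider_name="keycloak"):
    """Attach a /profile route that exposes a few claims to the logged-in user."""

    @app.route("/profile")
    @auth.oidc_auth(provider_name)  # forces login if there is no session yet
    def profile():
        claims = access_token_claims(auth, public_key)
        if claims is None:
            # Refresh failed (no refresh token, revoked session, ...): the
            # Flask session is stale and the user must authenticate again.
            abort(401)
        return jsonify(
            subject=claims["sub"],
            # Keycloak puts realm roles under realm_access.roles.
            roles=claims.get("realm_access", {}).get("roles", []),
            expires_at=claims["exp"],
        )

    return profile
```

Wiring is the usual `register_profile_view(app, auth, public_key)` after `auth.init_app(app)`. Note that `access_token_claims` deliberately keeps the `jwt.decode` verification even though the token came from the middleware: `valid_access_token()` guarantees freshness, but audience and signature checks are still the application's job.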