AIRAVATA-2339 Keycloak support for refreshing tokens
Project: http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/repo
Commit: http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/commit/a37c5aa5
Tree: http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/tree/a37c5aa5
Diff: http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/diff/a37c5aa5
Branch: refs/heads/develop
Commit: a37c5aa5a25dc72fd4eac342ce3c936ebcd99d75
Parents: f065bee
Author: Marcus Christie <[email protected]>
Authored: Mon Mar 27 16:03:29 2017 -0400
Committer: Marcus Christie <[email protected]>
Committed: Mon Mar 27 16:03:29 2017 -0400
----------------------------------------------------------------------
app/controllers/AccountController.php | 2 +-
app/filters.php | 33 ++++++++++++------------
app/libraries/Keycloak/Keycloak.php | 41 ++++++++++++++++++++++++++++++
3 files changed, 58 insertions(+), 18 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/blob/a37c5aa5/app/controllers/AccountController.php
----------------------------------------------------------------------
diff --git a/app/controllers/AccountController.php b/app/controllers/AccountController.php
index 0c3a3fc..77b1feb 100644
--- a/app/controllers/AccountController.php
+++ b/app/controllers/AccountController.php
@@ -185,7 +185,7 @@ class AccountController extends BaseController
 $accessToken = $response->access_token;
 $refreshToken = $response->refresh_token;
- $expirationTime = time() + $response->expires_in - 5; //5 seconds safe margin
+ $expirationTime = time() + $response->expires_in - 300; //5 minutes safe margin
 $userProfile = Keycloak::getUserProfileFromOAuthToken($accessToken);
 Log::debug("userProfile", array($userProfile));
http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/blob/a37c5aa5/app/filters.php
----------------------------------------------------------------------
diff --git a/app/filters.php b/app/filters.php
index a7d492a..c92ff8a 100755
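Review bot: The new 300-second margin in `$expirationTime = time() + $response->expires_in - 300;` can put the expiry at or before `time()` whenever the realm's access-token lifespan is 300 s or less, which I believe is Keycloak's default, so every later request would go through the refresh path instead of using the cached token. A margin that adapts to the lifespan avoids that, e.g. `$expirationTime = time() + max($response->expires_in - 300, intdiv($response->expires_in, 2));`. The same literal and the same comment are repeated in the filters.php hunk of this commit; a single named constant shared by both call sites would keep the two in step. The method enclosing this hunk starts and ends outside it.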
--- a/app/filters.php
+++ b/app/filters.php
@@ -20,23 +20,22 @@ App::before(function ($request) {
 if(Session::has('authz-token')){
 $currentTime = time();
 if($currentTime > Session::get('oauth-expiration-time')){
- // TODO: implement for Keycloak
- // $response = WSIS::getRefreshedOAutheToken(Session::get('oauth-refresh-code'));
- // if(isset($response->access_token)){
- // $accessToken = $response->access_token;
- // $refreshToken = $response->refresh_token;
- // $expirationTime = time() + $response->expires_in - 300;
- // $authzToken = Session::get('authz-token');
- // $authzToken->accessToken = $accessToken;
- // $authzToken->claimsMap['gatewayID'] = Config::get('pga_config.airavata')['gateway-id'];
- // $authzToken->claimsMap['userName'] = Session::get('username');
- // Session::put('authz-token',$authzToken);
- // Session::put('oauth-refresh-code',$refreshToken);
- // Session::put('oauth-expiration-time',$expirationTime);
- // }else{
- // Session::flush();
- // return Redirect::to('home');
- // }
+ $response = Keycloak::getRefreshedOAuthToken(Session::get('oauth-refresh-code'));
+ if(isset($response->access_token)){
+ $accessToken = $response->access_token;
+ $refreshToken = $response->refresh_token;
+ $expirationTime = time() + $response->expires_in - 300; // 5 minutes safe margin
+ $authzToken = Session::get('authz-token');
+ $authzToken->accessToken = $accessToken;
+ $authzToken->claimsMap['gatewayID'] = Config::get('pga_config.airavata')['gateway-id'];
+ $authzToken->claimsMap['userName'] = Session::get('username');
+ Session::put('authz-token',$authzToken);
+ Session::put('oauth-refresh-code',$refreshToken);
+ Session::put('oauth-expiration-time',$expirationTime);
+ }else{
+ Session::flush();
+ return Redirect::to('home');
+ }
 }
 }
 });
http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/blob/a37c5aa5/app/libraries/Keycloak/Keycloak.php
----------------------------------------------------------------------
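Review bot: The `}else{` branch flushes the session and redirects without recording why the refresh was rejected, so a burst of forced logouts leaves nothing in the log to distinguish an expired refresh token from a misconfigured client or an unreachable token endpoint; a token-endpoint error reply carries `error` and `error_description`, so before `Session::flush();` add `Log::warning("OAuth token refresh failed", array('error' => isset($response->error) ? $response->error : null, 'username' => Session::get('username')));`. If the realm rotates refresh tokens, two concurrent requests from the same session can both present the same refresh token and the second one lands in this branch as a logout, which is worth confirming against the realm settings. `getRefreshedOAuthToken` is declared as a non-static method in the Keycloak.php hunk but is called statically here, which only works if `Keycloak` is resolved through a facade. The `App::before` closure enclosing this hunk begins outside it.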
diff --git a/app/libraries/Keycloak/Keycloak.php b/app/libraries/Keycloak/Keycloak.php
index 446b7ad..0bfec52 100644
--- a/app/libraries/Keycloak/Keycloak.php
+++ b/app/libraries/Keycloak/Keycloak.php
@@ -127,6 +127,47 @@ class Keycloak {
 }
 /**
+ * Method to get refreshed access token
+ * @param $refreshToken
+ * @return mixed
+ */
+ public function getRefreshedOAuthToken($refresh_token){
+
+ $config = $this->getOpenIDConnectDiscoveryConfiguration();
+ $token_endpoint = $config->token_endpoint;
+
+ // Init cUrl.
+ $r = curl_init($token_endpoint);
+ curl_setopt($r, CURLOPT_RETURNTRANSFER, 1);
+ // Decode compressed responses.
+ curl_setopt($r, CURLOPT_ENCODING, 1);
+ curl_setopt($r, CURLOPT_SSL_VERIFYPEER, $this->verify_peer);
+
+ // Add client ID and client secret to the headers.
+ curl_setopt($r, CURLOPT_HTTPHEADER, array(
+ "Authorization: Basic " . base64_encode($this->client_id . ":" . $this->client_secret),
+ ));
+
+ // Assemble POST parameters for the request.
+ $post_fields = "refresh_token=" . urlencode($refresh_token) . "&grant_type=refresh_token";
+
+ // Obtain and return the access token from the response.
+ curl_setopt($r, CURLOPT_POST, true);
+ curl_setopt($r, CURLOPT_POSTFIELDS, $post_fields);
+
+ $response = curl_exec($r);
+ if ($response == false) {
+ die("curl_exec() failed. Error: " . curl_error($r));
+ }
+
+ //Parse JSON return object.
+ $result = json_decode($response);
+ Log::debug("getRefreshedOAuthToken response", array($result));
+
+ return $result;
+ }
+
+ /**
 * Function to list users
 *
 * @return Array of usernames
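Review bot: `Log::debug("getRefreshedOAuthToken response", array($result));` writes the whole token reply, including the fresh access token and refresh token, into the application log, which turns log access into session takeover for anyone who can read the log; restrict it to non-secret fields, e.g. `Log::debug("getRefreshedOAuthToken response", array('expires_in' => isset($result->expires_in) ? $result->expires_in : null, 'error' => isset($result->error) ? $result->error : null));`. The `die("curl_exec() failed. Error: " . curl_error($r));` branch terminates the request from inside a library method and echoes the libcurl error to the client; a thrown exception lets the filter in app/filters.php decide, so `if ($response === false) { throw new \Exception("curl_exec() failed. Error: " . curl_error($r)); }` (also fixing the loose `== false`). The docblock names `$refreshToken` while the parameter is `$refresh_token`, and the handle is never released with `curl_close($r)`. Since the client secret travels in the Basic header, `CURLOPT_SSL_VERIFYPEER` being driven by `$this->verify_peer` deserves a comment stating that it must be true outside local development. The Keycloak class enclosing this hunk starts and ends outside it.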
