Skip to content

Update oidc middleware with two new feature flags that introspect and allow posting#1054

Open
MelissaAutumn wants to merge 4 commits into
mainfrom
features/oidc-middleware-should-introspect-token
Open

Update oidc middleware with two new feature flags that introspect and allow posting#1054
MelissaAutumn wants to merge 4 commits into
mainfrom
features/oidc-middleware-should-introspect-token

Conversation

@MelissaAutumn

Copy link
Copy Markdown
Member

Fixes #380
Fixes #1053

  • auth-introspect-token-per-request forces the middleware to introspect the token every request
  • auth-allow-post-reauth allows the middleware to attempt to reauth on non-get requests

I've updated the middleware acquired from a mozilla-django-oidc PR to allow refreshing tokens on non-GET requests and making the middleware introspect the access/refresh token. These are both gated behind the above feature flags.

To test add the feature flags listed above via django admin panel and set them to true. With a short-lived access token you should hopefully experience a better experience without being bumped to the login screen. Additionally if you invalidate your token (via password reset) it should pick up on it.

An easy way to test this is to remove the active session for the currently logged in user on keycloak's admin panel. (http://keycloak:8999/admin/master/console/#/tbpro/users/). On a refresh that user should be punted to the login screen with a "refresh token is not active" debug log entry listed in the console.

This code is kinda too complex imo, suggestions for streamlining while keeping it secure are welcome. I wanted to let us roll these changes back easily if needed, so that's why they're waffled.

@MelissaAutumn MelissaAutumn self-assigned this Jul 2, 2026

@davinotdavid davinotdavid left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested locally with the test steps in the PR description and can verify that removing the session in Keycloak and refreshing the page punts the user to the login screen, nice!

However, if I don't refresh the page but continue to try to click around / trigger some requests, they fail the requests instead of punting the user to the login screen. Is that expected?

Not a super realistic scenario but for example if you:

  • Add a user to the allow list and go through sign-up / FTUE
  • Stay in the ToS page and in another tab / window / browser revoke access
  • As the user in ToS page, click on accept or decline and see it failing and not punting the user to login

Repeating the process but in the Paddle checkout page:

  • Add a user to the allow list and go through sign-up / FTUE
  • Go through ToS and stay in the Paddle checkout page
  • In another tab / window / browser revoke access of said user
  • As the user in Paddle checkout page, click on the UserAvatar and then Support and then click Thunderbird Pro to go back to the Paddle checkout. See that it fails to load and doesn't punt the user to login

Comment on lines +705 to +709
# POST OIDC's token introspect route to see if a token is actually active.
WAFFLE_FLAG_INTROSPECT_TOKEN_PER_REQUEST = 'auth-introspect-token-per-request'

# Allow auth middleware to try and refresh an inactive access token with an active refresh token during non-get requests
WAFFLE_FLAG_ALLOW_POST_REAUTH = 'auth-allow-post-reauth'

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it would be nice to add a section in README for the flags, also I just realized that we don't have an entry for MFA either (which I believe is multi-factor-authentication)

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point, I'll add a section in docs because readme is getting crowded.

Comment on lines +477 to +480
# is_redirectable = request.method == 'GET'
default_response = HttpResponseForbidden()
xhr_response_json = {'error': 'the authentication session has expired'}
if prompt_reauth:
if prompt_reauth: # and is_redirectable:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is the is_redirectable a left over for debugging here? If so I think we should remove it to reduce confusion

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oops, yep. Thanks!

@MelissaAutumn

Copy link
Copy Markdown
Member Author

Thanks for testing, and yeah we should handle those. Will need to setup useFetch and have a default 302 redirect follower for that. Not too hard, but may end up with a larger change overall.

@MelissaAutumn MelissaAutumn force-pushed the features/oidc-middleware-should-introspect-token branch from 00a22a8 to d6a9113 Compare July 6, 2026 21:42
… allow posting

* `auth-introspect-token-per-request` forces the middleware to introspect the token every request
* `auth-allow-post-reauth` allows the middleware to attempt to reauth on non-get requests
@MelissaAutumn MelissaAutumn force-pushed the features/oidc-middleware-should-introspect-token branch from d6a9113 to 8ba5ec1 Compare July 7, 2026 22:46
@MelissaAutumn

Copy link
Copy Markdown
Member Author

Okay it turns out there was a bug where the refresh token was never used unless it's invalid lol. I fixed that flipped condition, so now access tokens should silently refresh correctly.

I've introduced a useFetch (much like in appointment) and sprinkled it around api calls that require auth. It's called useAuthfulFetch but I'm willing to rename it if anyone has a better suggestion. I wanted to convey that this function is for authed api calls only.

If the access token and refresh token are invalid (session invalidation iirc) then the user will be punted to the login screen via the fetch error function. In the future I think we should block page access with a modal and text explaining that they need to sign back in, but that feels like a services-ui pattern and we'll need to borrow some designers I think.

@Sancus

Sancus commented Jul 8, 2026

Copy link
Copy Markdown
Member

will go through this in the morning

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Allow refresh token to be used if the request is not GET Add middleware to introspect current access token

3 participants