Add support for refresh_token to device flow auth #2947
Conversation
Sovietaced
requested review from
wild-endeavor,
kumare3,
eapolinario,
pingsutw,
cosmicBboy,
samhita-alla,
thomasjpfan and
Future-Outlier
as code owners
|
I think this still needs a little work. |
|
what's missing, @Sovietaced ? |
Need to use the auth client to get a new access token using the refresh token. I'll ping you when I'm done. Working on it now. |
Sovietaced
force-pushed
the
issue-6044
branch
from
9364cac
to
2187d27
Compare
Signed-off-by: Jason Parraga <[email protected]>
Sovietaced
force-pushed
the
issue-6044
branch
from
2187d27
to
7e3713a
Compare
| @@ -303,6 +303,7 @@ def _credentials_from_response(self, auth_token_resp) -> Credentials: | |||
| """ | |||
| response_body = auth_token_resp.json() | |||
| refresh_token = None | |||
| expires_in = None | |||
There was a problem hiding this comment.
There was a warning about this possibly not being defined in my editor due to the if statement below.
Signed-off-by: Jason Parraga <[email protected]>
| @@ -119,7 +119,11 @@ def get_token( | |||
| raise AuthenticationError("Status Code ({}) received from IDP: {}".format(response.status_code, response.text)) | |||
|
|
|||
| j = response.json() | |||
| return j["access_token"], j["expires_in"] | |||
| refresh_token = None | |||
There was a problem hiding this comment.
One thing to note is that you can actually receive the refresh token in the body. In our internal implementation we add a check like this:
if refresh_token:
body["refresh_token"] = refresh_tokenand then later:
j = response.json()
# Check if refresh_token already existed and was sent with the body, or if we are getting it for the first time
if refresh_token or "refresh_token" in j and j["refresh_token"] is not None:
return j["access_token"], j["refresh_token"], j["expires_in"]
else:
logging.debug("Refresh token was not received in the response, only storing access token")
return j["access_token"], None, j["expires_in"]There was a problem hiding this comment.
Not sure what you mean, wouldn't that be adding the refresh token into the request payload?
There was a problem hiding this comment.
Yes, that's correct. I believe you do need both the refresh_token + the associated grant type "refresh_token" in the request payload parameters per OAuth2.0 spec - https://www.oauth.com/oauth2-servers/access-tokens/refreshing-access-tokens
There was a problem hiding this comment.
So what this would mean is that you fetch the pre-existing refresh token if there is one, alongside the request payload.
There was a problem hiding this comment.
I see. I think I'm confused because the code that I modified that uses this currently just passes grant type DEVICE_CODE. The code path that I'm using to refresh the token (which I copied from the PKCE auth) uses an auth client as opposed to the token client and that has worked for us.
There was a problem hiding this comment.
I think I could reuse the token client if I made that change you suggested, let me try that.
There was a problem hiding this comment.
That seems to work. Added in fe8277b
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #2947 +/- ##
=======================================
Coverage 76.49% 76.49%
=======================================
Files 200 200
Lines 20901 20919 +18
Branches 2689 2692 +3
=======================================
+ Hits 15989 16003 +14
- Misses 4195 4197 +2
- Partials 717 719 +2 ☔ View full report in Codecov by Sentry. 🚨 Try these New Features:
|
Signed-off-by: Jason Parraga <[email protected]>
Tracking issue
Closes flyteorg/flyte#6044
Why are the changes needed?
Device flow auth did not support refresh tokens which makes the pyflyte user experience less enjoyable since you may need to login often.
What changes were proposed in this pull request?
Passes along the refresh token from the token response to the code which writes it to the keyring.
How was this patch tested?
Unit tests as well as in our production environment.
Check all the applicable boxes