
Renew of oAuth tokens inside the user session #27

Closed
diocas opened this issue Jun 18, 2020 · 1 comment · Fixed by #79
Labels: priority:high (Requires urgent attention), type:feature request (New functionality to be added)
Milestone

Comments

@diocas
Copy link
Contributor

diocas commented Jun 18, 2020

We need to support oAuth tokens for accessing EOS and, in the future, to access the CS3APIs #26.

The token can, and will, be pushed while Spawning, but we also need to ensure that it is renewed inside the user session. We should be able to retrieve that information directly from the authenticator renewal process.

The best way to retrieve this information is to try to get the user auth_state directly from the JH API. If this information is not available, we create an Authenticated Service that will return this information.

@diocas diocas added priority:high Requires urgent attention type:feature request New functionality to be added labels Jun 18, 2020
@diocas diocas added this to the Planning 2020 milestone Jun 18, 2020
@diocas diocas added the status:blocked Task waiting for some other development label Jun 23, 2020
@diocas diocas removed the status:blocked Task waiting for some other development label Sep 1, 2020
@diocas
Copy link
Contributor Author

diocas commented Sep 1, 2020

@ricastell everything is in place except this server extension that polls JupyterHub and updates the file.

This is what I've done inside the jupyter startup script to create the file:

if [[ -n "$ACCESS_TOKEN" ]];
then
    log_info "Storing oAuth token for EOS"
    export OAUTH2_FILE=/tmp/eos_oauth.token
    export OAUTH2_TOKEN="FILE:$OAUTH2_FILE"
    # Create the file under a restrictive umask so it is never world-readable,
    # even for an instant, and redirect stdout only (">&" would also send stderr
    # into the token file and corrupt it). Quote the variables to avoid word splitting.
    ( umask 077 && echo -n "oauth2:$ACCESS_TOKEN:$OAUTH_INSPECTION_ENDPOINT" > "$OAUTH2_FILE" )
    chown "$USER:$USER" "$OAUTH2_FILE"
    chmod 600 "$OAUTH2_FILE"
fi

What I suggest: the extension checks if OAUTH2_FILE and OAUTH2_TOKEN are set. If so, it will "loop": right before (1min maybe?) the token is about to expire, you call JupyterHub to get the latest valid token (which JH already updated on its own) and write to the file set in OAUTH2_FILE.

To get the latest token, do the following (in Python, ofc):

$ curl -H "Authorization: token $JUPYTERHUB_API_TOKEN" $JUPYTERHUB_API_URL/users/$NB_USER

The reply contains the latest token (access_token):

{
    "kind": "user",
    "name": "username",
    "admin": true,
    "groups": [],
    "server": "/user/username/",
    "pending": null,
    "created": "2020-08-31T09:31:24.638244Z",
    "last_activity": "2020-08-31T10:43:46.033379Z",
    "servers": {
        "": {
            (...)
        }
    },
    "auth_state": {
        "access_token": "blablabla",
        "refresh_token": "blablabla",
        "oauth_user": {
            "sub": "username",
            "cern_uid": 00000,
            "preferred_username": "username",
            "cern_gid": 00000,
            "given_name": "Diogo",
            "cern_preferred_language": "EN",
            "home_institute": "CERN",
            "cern_person_id": 821079,
            "name": "Diogo Castro",
            "cern_mail_upn": "[email protected]",
            "family_name": "Castro",
            "email": "[email protected]",
            "cern_upn": "username"
        },
        "scope": [
            "oidc-cern-profile",
            "oidc-email",
            "oidc-cern-login-info",
            "oidc-client-id"
        ]
    }
}
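
The polling extension suggested above, written out as an added example; this is not code from the issue or from the SwanSpawner/JupyterHub projects. It reuses the names the comment already establishes (OAUTH2_FILE, OAUTH2_TOKEN, OAUTH_INSPECTION_ENDPOINT, JUPYTERHUB_API_URL, JUPYTERHUB_API_TOKEN, NB_USER, the `oauth2:<token>:<endpoint>` file layout and the `/users/<name>` Hub API call). Everything else is an assumption for illustration: that the access token is a JWT whose `exp` claim can be used to schedule the refresh one minute early, a 300-second fallback interval for opaque tokens, and the helper function names. The refresh `fetch` callable is injectable so the loop can be exercised against a constructed Hub reply without a running Hub.

```python
import base64
import json
import os
import stat
import tempfile
import time
import urllib.request


def fetch_user_from_hub(user, api_url=None, api_token=None):
    """GET /users/<user> from the Hub API (same call as the curl line in the comment)."""
    api_url = api_url or os.environ["JUPYTERHUB_API_URL"]
    api_token = api_token or os.environ["JUPYTERHUB_API_TOKEN"]
    req = urllib.request.Request(
        f"{api_url.rstrip('/')}/users/{user}",
        headers={"Authorization": f"token {api_token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def extract_access_token(user_info):
    """Return auth_state.access_token, or None when the Hub did not expose auth_state
    (auth_state disabled, or the API token is not allowed to read it)."""
    auth_state = user_info.get("auth_state") or {}
    return auth_state.get("access_token") or None


def format_token_file(token, inspection_endpoint):
    """Content layout used by the startup script in the comment: oauth2:<token>:<endpoint>."""
    return f"oauth2:{token}:{inspection_endpoint}"


def write_token_file(path, content):
    """Atomic write: the temp file is 0600 before any token byte lands in it, so there
    is no window in which another local user can read it, and readers of `path`
    see either the old or the new token, never a partially written one."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".eos_oauth.")
    try:
        os.fchmod(fd, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write(content)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return path


def read_token_file(path):
    """(permission bits, content) of the token file, for checks and tests."""
    with open(path) as f:
        content = f.read()
    return stat.S_IMODE(os.stat(path).st_mode), content


def jwt_exp(token):
    """Read the 'exp' claim of a JWT access token WITHOUT verifying the signature.
    Used only to schedule the next refresh, never to decide whether the token is valid.
    Returns None for opaque (non-JWT) tokens. Assumption: the SSO token is a JWT."""
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)
        exp = json.loads(base64.urlsafe_b64decode(payload)).get("exp")
        return int(exp) if exp is not None else None
    except (IndexError, ValueError, AttributeError, TypeError):
        return None


def seconds_until_refresh(expires_at, now=None, margin=60):
    """Sleep time so the refresh runs `margin` seconds before expiry (never negative)."""
    now = time.time() if now is None else now
    return max(0, expires_at - margin - now)


def refresh_once(user, path, inspection_endpoint, fetch=fetch_user_from_hub):
    """One loop iteration: ask the Hub for the user's current auth_state (the Hub has
    already refreshed it on its own) and rewrite the token file. Returns the token."""
    token = extract_access_token(fetch(user))
    if token is None:
        raise RuntimeError("Hub reply has no auth_state.access_token; is auth_state enabled?")
    write_token_file(path, format_token_file(token, inspection_endpoint))
    return token


def run_loop(user, path, inspection_endpoint, fetch=fetch_user_from_hub,
             fallback_interval=300, sleep=time.sleep):
    """Refresh, then sleep until one minute before the token's exp claim; opaque
    tokens fall back to a fixed polling interval (assumed value: 300 s)."""
    while True:
        token = refresh_once(user, path, inspection_endpoint, fetch)
        exp = jwt_exp(token)
        sleep(seconds_until_refresh(exp) if exp else fallback_interval)


if __name__ == "__main__":
    # Mirror the startup script: only run when it exported OAUTH2_FILE / OAUTH2_TOKEN.
    if os.environ.get("OAUTH2_FILE") and os.environ.get("OAUTH2_TOKEN"):
        run_loop(os.environ["NB_USER"], os.environ["OAUTH2_FILE"],
                 os.environ.get("OAUTH_INSPECTION_ENDPOINT", ""))
```

The write goes through a temp file plus `os.replace` rather than `echo > file`, because the EOS client may read the file at any moment; the 0600 mode is applied before the token is written, which is the same ordering the startup script should use. The unverified `exp` read is deliberately confined to scheduling: the Hub and the token inspection endpoint remain the only authorities on whether a token is still valid.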
