re #270 - Added middleware to refresh access tokens

[daggaz]

This PR addresses #270

[codecov]

Codecov Report

Merging #278 (9abbcbd) into master (80adc32) will increase coverage by 0.7%.
The diff coverage is 95.4%.

@@           Coverage Diff            @@
##           master    #278     +/-   ##
========================================
+ Coverage    86.3%   87.1%   +0.7%     
========================================
  Files          11      11             
  Lines         549     590     +41     
========================================
+ Hits          474     514     +40     
- Misses         75      76      +1     

Impacted Files	Coverage Δ
django_auth_adfs/backend.py	87.1% <93.3%> (+0.7%)	⬆️
django_auth_adfs/config.py	88.0% <100.0%> (+<0.1%)	⬆️
django_auth_adfs/middleware.py	94.2% <100.0%> (+3.3%)	⬆️
django_auth_adfs/views.py	87.2% <0.0%> (+2.1%)	⬆️

[tim-schilling]

Thanks for creating this PR! I like the idea of us supporting this out of the box. It seems relatively straightforward and a common use case. My preference is to have it be entirely optional so as to not break existing user's installations when upgrading. I could be convinced otherwise though.

[tim-schilling]

We shouldn't short-circuit this functionality if the request isn't provided. django_auth_adfs.rest_framework.AdfsAccessTokenAuthentication.authenticate() will call the authenticate backend without a request.

[daggaz]

This code is in AdfsAuthCodeBackend, not the base class.

In AdfsAuthCodeBackend, request is already required to not be None. I've just made it explicit.

Before these changes, If you attempt to use AdfsAuthCodeBackend without a request, you will get an exception when it tries to generate redirect_uri in exchange_auth_code().

On a separate point, I actually think exchange_auth_code() should be pulled up from the base class to AdfsAuthCodeBackend, as it's only called from there.

[JonasKs]

Agree

[tim-schilling]

This logic should live in a middleware, not the authenticate backend.

[daggaz]

I went back and forward on this myself a few times, moving the functionality between the middleware and the backend.

In the end I opted for the backend because then the session keys (such as _adfs_refresh_token) only appeared in one place rather than being spread through multiple files.

I'm open to moving it back to the middleware though.

[JonasKs]

Agree with @tim-schilling 😊

[tim-schilling]

I don't see this session value being used anywhere. I think it can be removed.

[daggaz]

It's not used, however in my use case I do not use the auto-generated claim to group mapping, and instead directly use the data in the access token.

ADFS can be configured to spit out many different things in the access token.

I'm sure there are many other use cases where having access the to original JWT would be valuable.

[JonasKs]

I agree with @tim-schilling here, I don't really want to just add the token to the session "for the sake of it".

[tim-schilling]

This creates a dependency on django.contrib.session. I'm up in the air if we want to continue supporting that path or not.

We should add a system check to verify that the session app is installed to alert the developer sooner about a misconfiguration.

[daggaz]

The base django.contrib.auth app requires django.contrib.session already. It's not an optional dependency.

[tim-schilling]

What do you think about using logger.debug() here to capture the exception's information?

[daggaz]

I agree

[JonasKs]

I'll try to review ASAP, but I'm pretty busy these days. If we're afraid of breaking, we'll have to major bump - I don't mind that 😊

[JonasKs]

Thanks for the good PR! And for the good review, @tim-schilling 😊 I'd love to get this merged this or next week.

[tim-schilling]

Closed in favor of #343