Method to use the refresh token

Created on 23 February 2023, over 1 year ago
Updated 8 March 2023, over 1 year ago

Problem/Motivation

It only makes sense to merge this in if the related issue at https://www.drupal.org/project/openid_connect/issues/2923419 (Method to use the refresh token, status: Needs review) is merged in.

There is a patch against the base openid_connect module that provides a method to use refresh tokens. This functionality does not work in this module because the client secret is stored via the Key module: the original patch sends the client_secret configuration value directly, which here is only the key's machine name.

I would like to be able to use that functionality with this module.

Steps to reproduce

This can only be reproduced with custom code since this is more of a developer-focused feature. For context you would need an OpenID client configured with the offline_access scope (see my other issue at https://www.drupal.org/project/openid_connect_windows_aad/issues/3344056 (Allow configuring scope, status: Needs review), or you could hardcode it into getClientScopes()) and some method of retrieving the refresh token it stores. In my case I store it in the session after the user logs in via OpenID:

/**
 * Implements hook_openid_connect_userinfo_alter().
 */
function mymodule_openid_connect_userinfo_alter(array &$userinfo, array $context) {
  // Not every provider returns a refresh token; guard against a missing key.
  if (!empty($context['tokens']['refresh_token'])) {
    $session = \Drupal::request()->getSession();
    // Keep one refresh token per client plugin.
    $tokens = $session->get('openid_connect_refresh_scope.tokens', []);
    $tokens[$context['plugin_id']]['refresh_token'] = $context['tokens']['refresh_token'];
    $session->set('openid_connect_refresh_scope.tokens', $tokens);
  }
}

At some point after that's set up (you could do it in the same hook for testing) you need to invoke the refresh tokens method:

// Load the client config entity and obtain its plugin instance.
$client_config = $this->entityTypeManager->getStorage('openid_connect_client')->load($client_id);
$plugin = $client_config->getPlugin();
// Request the same scopes the original login used (e.g. offline_access).
$plugin_config = $plugin->getConfiguration();
$plugin_config['scopes'][] = $scope;
$plugin->setConfiguration($plugin_config);
$tokens = $plugin->refreshTokens($refresh_token);

This will result in an error like the following:

GuzzleHttp\Exception\ClientException: Client error: `POST https://BASEDOMAIN/oauth2/v2.0/token?p=POLICY` resulted in a `400 Bad Request` response: {"error":"invalid_client","error_description":"AADB2C90081: The specified client_secret does not match the expected valu (truncated...) in GuzzleHttp\Exception\RequestException::create() (line 113 of /app/vendor/guzzlehttp/guzzle/src/Exception/RequestException.php).

because the client secret is actually the machine name of the key.

Proposed resolution

Override the method in the windows_aad plugin, resolve the configured key through the Key module, and send the key's actual value as the client secret.
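The following is an added sketch of what that override could look like; it is example code written for this issue, not the project's patch. It assumes the plugin class already has the Key repository injected as $this->keyRepository (hypothetical property name), that the base class provides $this->httpClient, $this->loggerFactory, getEndpoints() (with a 'token' entry) and getClientScopes(), and that refreshTokens() returns the same token array shape as retrieveTokens().

```php
<?php

namespace Drupal\openid_connect_windows_aad\Plugin\OpenIDConnectClient;

use Drupal\key\KeyRepositoryInterface;
use Drupal\openid_connect\Plugin\OpenIDConnectClientBase;
use GuzzleHttp\Exception\RequestException;

/**
 * Example override of refreshTokens() using the Key-based client secret.
 *
 * Added illustration for this issue, not the module's own code. The property
 * $keyRepository is assumed to be injected via create() elsewhere in the class.
 */
class WindowsAad extends OpenIDConnectClientBase {

  /**
   * The key repository (assumed to be injected by the plugin's create()).
   */
  protected KeyRepositoryInterface $keyRepository;

  /**
   * {@inheritdoc}
   */
  public function refreshTokens(string $refresh_token): ?array {
    $logger = $this->loggerFactory->get('openid_connect_windows_aad');

    // The 'client_secret' configuration value is only the Key entity's
    // machine name; resolve it to the real secret before use.
    $key = $this->keyRepository->getKey($this->configuration['client_secret']);
    if ($key === NULL) {
      $logger->error('Client secret key @id was not found.', [
        '@id' => $this->configuration['client_secret'],
      ]);
      return NULL;
    }
    $client_secret = $key->getKeyValue();

    $endpoints = $this->getEndpoints();
    $request_options = [
      'form_params' => [
        'grant_type' => 'refresh_token',
        'refresh_token' => $refresh_token,
        'client_id' => $this->configuration['client_id'],
        'client_secret' => $client_secret,
        // Re-request the scopes the login used so offline_access is kept.
        'scope' => implode(' ', $this->getClientScopes()),
      ],
      'headers' => ['Accept' => 'application/json'],
    ];

    try {
      $response = $this->httpClient->post($endpoints['token'], $request_options);
      $data = json_decode((string) $response->getBody(), TRUE);

      // Treat a malformed or token-less body as a failure, not as success.
      if (!is_array($data) || empty($data['access_token'])) {
        $logger->error('Token endpoint returned no access token on refresh.');
        return NULL;
      }

      $tokens = [
        'id_token' => $data['id_token'] ?? NULL,
        'access_token' => $data['access_token'],
      ];
      if (isset($data['expires_in'])) {
        $tokens['expire'] = \Drupal::time()->getRequestTime() + (int) $data['expires_in'];
      }
      // Providers may rotate the refresh token; hand the new one back so the
      // caller replaces the stored copy.
      if (!empty($data['refresh_token'])) {
        $tokens['refresh_token'] = $data['refresh_token'];
      }
      return $tokens;
    }
    catch (RequestException $e) {
      // Log the status code only: the response body can echo request
      // parameters, and the exception message must never include the secret.
      $status = $e->getResponse() ? $e->getResponse()->getStatusCode() : 'n/a';
      $logger->error('Refresh token request failed with status @status.', [
        '@status' => $status,
      ]);
      return NULL;
    }
  }

}
```

The caller (such as the session-based helper in the steps above) should overwrite its stored refresh token whenever the returned array contains a new one, and treat a NULL return as "re-authenticate", since the refresh token has likely expired or been revoked.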

API changes

The plugin will now override the public refreshTokens() method, but the actual API will not change.

✨ Feature request
Status

Needs review

Version

2.0

Component

Code

Created by

Canada, Dylan Donkersgoed, London, Ontario
