#include <OIDCSessionImpl.h>
Detailed Description
Default implementation of tenduke::oidc::OIDCSession.
Public Member Functions | |
| OIDCSessionImpl (std::unique_ptr< tenduke::oidc::OIDCState > state, const std::shared_ptr< const tenduke::oidc::OIDCLogin > &oidc, const std::shared_ptr< const tenduke::oidc::OIDCClient > &oidcClient, const std::shared_ptr< tenduke::time::Clock > &clock, const std::shared_ptr<::tenduke::oidc::OIDCSessionEventListener > &eventListener=nullptr, uint64_t validitySafetyMarginS=DEFAULT_SAFETY_MARGIN_S, std::chrono::milliseconds loginTimeout=DEFAULT_SESSION_LOGIN_TIMEOUT) | |
| Constructs new instance. | |
| void | ensureValidSession () override |
| Checks that the OIDC session is valid, but if it is NOT, either refreshes the access token or authenticates the user. | |
| std::string | getAccessToken () override |
| Returns access token of the session. | |
| std::shared_ptr< const tenduke::oidc::OIDCState > | getOIDCState () override |
| Returns the current OIDC-state for inspection. | |
| bool | heartbeat () override |
| Executes a heartbeat with the backend, checking that the current access token really works. | |
| void | invalidate () override |
| Invalidates the session. | |
| bool | isValid () override |
| Checks that local session is valid. | |
| void | reEstablish () override |
| Re-establishes the session: Tries first to refresh the state, if it fails, re-authenticates the user. | |
| void | refresh () override |
| Forces refresh of the session. | |
Static Public Attributes | |
| static const std::uint64_t | DEFAULT_SAFETY_MARGIN_S = 30 |
| Default safety margin in seconds for checking access token expiration. | |
Protected Member Functions | |
| virtual bool | hasRefreshableState () |
| Checks if the session has state, which can be refreshed. | |
| virtual void | refreshOrLogin () |
| Performs either refresh, or if it fails, new login. | |
| virtual void | login () |
| Performs login. | |
Protected Attributes | |
| std::shared_ptr< tenduke::oidc::OIDCState > | state |
| The OIDC-state. | |
| std::unique_ptr< tenduke::oidc::OIDCLoginRequest > | loginRequest |
| Current login request. | |
| const std::chrono::milliseconds | loginTimeout |
| Login timeout. | |
| const std::uint64_t | validitySafetyMarginS |
| Safety margin in seconds for checking if access token has expired. | |
| const std::shared_ptr< tenduke::time::Clock > | clock |
| Clock for checking session validity locally. | |
| const std::shared_ptr< const tenduke::oidc::OIDCLogin > | oidc |
| Service to perform OIDC login. | |
| const std::shared_ptr< const tenduke::oidc::OIDCClient > | oidcClient |
| The OIDC-client. | |
| const std::shared_ptr< tenduke::oidc::OIDCSessionEventListener > | notify |
| Listener for OIDC session events. | |
Constructor & Destructor Documentation
◆ OIDCSessionImpl()
| tenduke::oidc::OIDCSessionImpl::OIDCSessionImpl | ( | std::unique_ptr< tenduke::oidc::OIDCState > | state, |
| const std::shared_ptr< const tenduke::oidc::OIDCLogin > & | oidc, | ||
| const std::shared_ptr< const tenduke::oidc::OIDCClient > & | oidcClient, | ||
| const std::shared_ptr< tenduke::time::Clock > & | clock, | ||
| const std::shared_ptr<::tenduke::oidc::OIDCSessionEventListener > & | eventListener = nullptr, |
||
| uint64_t | validitySafetyMarginS = DEFAULT_SAFETY_MARGIN_S, |
||
| std::chrono::milliseconds | loginTimeout = DEFAULT_SESSION_LOGIN_TIMEOUT |
||
| ) |
Constructs new instance.
- Parameters
-
state initial state. Pass nullptrif no initial state and first activity requires loginoidc service for OIDC-login clock clock for checking if access token is still valid oidcClient OIDC-client eventListener for listening session events. Optional. validitySafetyMarginS safety margin (seconds) used when checking validity of access token. The service uses this margin to refresh the access token before expiration to avoid delays and clock-skews loginTimeout timeout for login. Prevents login to hang indefinitely e.g. when user accidentally closes the browser. When the timeout occurs, the login request is aborted and related resources are released. If the timeout is zero, no timeout is applied.
Member Function Documentation
◆ ensureValidSession()
|
overridevirtual |
Checks that the OIDC session is valid, but if it is NOT, either refreshes the access token or authenticates the user.
Call this method before doing request which uses the access token (method getAccessToken()). You do not need call this method unless you want to use access token: E.g. it is unnecessary to schedule a task for this.
Valid OIDC session requires a non-expired access token. If the access token has expired, this method tries to refresh the access token. If the refresh fails because the the refresh token has expired or if there is no valid session in the first place (i.e. there is no access token), the service starts login flow.
Note that this method cannot guarantee that the next request with the access token does not fail. For possible reasons, see method isValid().
Because of this, requests using the access token should prepare to handle HTTP 401 errors by calling this method again.
- Exceptions
-
tenduke::InterruptedException when e.g. login was aborted tenduke::TimedOut when login times out or concurrent thread times out waiting to execute this method
Implements tenduke::oidc::OIDCSession.
◆ getAccessToken()
|
overridevirtual |
Returns access token of the session.
- Returns
- the access token. Returned value is
std::string::empty()if the user has not authenticated. Note that the returned value might not be working access token if the token has expired.
- Exceptions
-
tenduke::TimedOut when concurrent access times out
Implements tenduke::oidc::OIDCSession.
◆ getOIDCState()
|
overridevirtual |
Returns the current OIDC-state for inspection.
The state MUST NOT be modified.
- Returns
- the current OIDC-state or
nullptrif there is no current state
- Exceptions
-
tenduke::TimedOut when concurrent access times out
Implements tenduke::oidc::OIDCSession.
◆ heartbeat()
|
overridevirtual |
Executes a heartbeat with the backend, checking that the current access token really works.
The heartbeat does not modify the state, even if the credentials are defunct. Typical reaction after false is to call reEstablish().
IMPORTANT: Do not call this repeatedly (e.g. schedule a task to execute heart beats). Also, you don't need to call this just before executing an API call. We trust that normally the local state is in sync with the backend and using OIDCSession::ensureValidSession() is usually enough. This method should only be used when there is doubt that the local session state is not in sync with the backend.
- Returns
trueif the check was OK and local state is still valid. Returnsfalseotherwise.
- Exceptions
-
tenduke::TimedOut when concurrent access times out tenduke::http::HTTPRequestException if the HTTP-status code indicates error tenduke::http::HTTPException in other HTTP-related issues tenduke::net::NetworkingException e.g. host not found, network connection issues
Implements tenduke::oidc::OIDCSession.
◆ invalidate()
|
overridevirtual |
Invalidates the session.
- Exceptions
-
tenduke::TimedOut when concurrent access times out
Implements tenduke::oidc::OIDCSession.
◆ isValid()
|
overridevirtual |
Checks that local session is valid.
This method checks that there is a session and it has not expired.
Note that this method only checks the local session information, it does not verify the state from the backend. This means that requests using the access token might fail even if this method returns true, because .e.g.
- The state might have expired in the backend, but the client believes that the session is valid, because there is a clock skew or some other inaccuracy
- The state might have been invalidated in the backend (e.g. by admin user)
- Returns
- -
- Exceptions
-
tenduke::TimedOut when concurrent access times out
Implements tenduke::oidc::OIDCSession.
◆ reEstablish()
|
overridevirtual |
Re-establishes the session: Tries first to refresh the state, if it fails, re-authenticates the user.
IMPORTANT: Do not call this method "just in case". Read the class documentation and heartbeat().
- Exceptions
-
tenduke::TimedOut when concurrent access times out
Implements tenduke::oidc::OIDCSession.
◆ refresh()
|
overridevirtual |
Forces refresh of the session.
Does nothing if a) there is no session or b) the session is not refreshable.
IMPORTANT: Do not call this unless you really know what you are doing. Use ensureValidSession() instead. This method only does refresh, it never logs in.
- Exceptions
-
tenduke::TimedOut when concurrent access times out
Implements tenduke::oidc::OIDCSession.
◆ refreshOrLogin()
|
protectedvirtual |
Performs either refresh, or if it fails, new login.
Reimplemented in tenduke::oidc::IdTokenSession.
Member Data Documentation
◆ notify
|
protected |
Listener for OIDC session events.
Optional.
◆ validitySafetyMarginS
|
protected |
Safety margin in seconds for checking if access token has expired.
This gives some safety against clock-skews and network delays.
The documentation for this class was generated from the following files:
- core/oidc/core/src/oidc/session/OIDCSessionImpl.h
- core/oidc/core/src/oidc/session/OIDCSessionImpl.cpp
