WIP: refresh jwt

dc9eb237 · Timm Fitschen · 37af0a1c · dc9eb237
Verified Commit dc9eb237 authored 1 year ago by Timm Fitschen
--- a/pages/api/auth/[...nextauth].ts
+++ b/pages/api/auth/[...nextauth].ts
 import NextAuth from 'next-auth'
 import KeycloakProvider from 'next-auth/providers/keycloak'
-// import { UnstorageAdapter } from '@auth/unstorage-adapter'
-// import { createStorage } from 'unstorage'

-// const storage = createStorage()
+const clientId = 'gwdg-fdoman-test'
+const clientSecret = process.env.KEY_CLOAK_CLIENT_SECRET || ''
+const issuer = 'https://keycloak.sso.gwdg.de/auth/realms/academiccloud'
+
+async function refreshAccessToken (token: any) {
+  try {
+    const url =
+      issuer + '/protocol/openid-connect/token?' +
+      new URLSearchParams({
+        client_id: clientId,
+        client_secret: clientSecret,
+        grant_type: 'refresh_token',
+        refresh_token: token.refreshToken
+      }).toString()
+
+    const response = await fetch(url, {
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded'
+      },
+      method: 'POST'
+    })
+
+    const refreshedTokens = await response.json()
+
+    if (!response.ok) {
+      throw refreshedTokens
+    }
+
+    return {
+      ...token,
+      accessToken: refreshedTokens.access_token,
+      accessTokenExpires: Date.now() + refreshedTokens.expires_in * 1000,
+      refreshToken: refreshedTokens.refresh_token ?? token.refreshToken // Fall back to old refresh token
+    }
+  } catch (error) {
+    console.log(error)
+
+    return {
+      ...token,
+      error: 'RefreshAccessTokenError'
+    }
+  }
+}

 export const authOptions = {
  // adapter: UnstorageAdapter(storage),
@@ -15,12 +55,9 @@ export const authOptions = {
  providers: [
    // !!! Should be stored in .env file.
    KeycloakProvider({
-      // clientId: 'fdo-manager-webui',
-      clientId: 'gwdg-fdoman-test',
-      // clientSecret: 'ay7l6jhECSohAZsEp6HYOaoXdARMQCei',
-      clientSecret: process.env.KEY_CLOAK_CLIENT_SECRET || '',
-      // issuer: 'http://localhost:8000/auth/realms/fdo-manager',
-      issuer: 'https://keycloak.sso.gwdg.de/auth/realms/academiccloud',
+      clientId,
+      clientSecret,
+      issuer,
      // authorization: { params: { scope: 'openid profile email' } },
      profile (profile) {
        console.log('### profile', profile, '### ### ###')
@@ -38,10 +75,12 @@ export const authOptions = {
    },
    async session ({ session, user, token }: any) {
      console.log('### session', session, user, token, '### ### ###')
-      return {
-        ...session,
-        account: token.account
-      }
+
+      session.user = token.user
+      session.accessToken = token.accessToken
+      session.error = token.error
+
+      return session
    },
    async redirect ({ url, baseUrl }: any) {
      console.log('### redirect', url, baseUrl, '### ### ###')
@@ -49,13 +88,24 @@ export const authOptions = {
    },
    async jwt ({ token, user, account, profile, isNewUser }: any) {
      console.log('### jwt', token, user, account, profile, isNewUser, '### ### ###')
-      if (account) {
+
+      // Initial sign in
+      if (account && user) {
        return {
-          ...token,
-          account
+          accessToken: account.access_token,
+          accessTokenExpires: Date.now() + account.expires_in * 1000,
+          refreshToken: account.refresh_token,
+          user
        }
      }
-      return token
+
+      // Return previous token if the access token has not expired yet
+      if (Date.now() < token.accessTokenExpires) {
+        return token
+      }
+
+      // Access token has expired, try to update it
+      return refreshAccessToken(token)
    }
  },
  secret: 'UItTuD1HcGXIj8ZfHUswhYdNd40Lc325R8VlxQPUoR0='