Hi. I am attempting to force a re-login when a session expires. My application is written in Dash and uses Flask as well as Auth0 for authorisation.
I have set the session expiry time in both Auth0 and Flask. When an action is taken and the session has expired, I attempt an auth0.authorize_redirect().
My issue is that when I try to redirect to another page I receive a 302 and the page itself doesn't load. I have read that a 302 is expected; however, I'm not sure why the login page doesn't refresh.
Please let me know if you need any more information.
Thanks in advance
Harry
- Which SDK this is regarding: authlib
- SDK Version: 0.15.2
- Platform Version: running locally on my machine using flask. version 1.1.2
- Code Snippets:
After login and authorisation a callback is triggered setting session variables locally:
```python
import datetime as dt
import logging

from flask import redirect, session
# Import path as used by authlib 0.15.x
from authlib.integrations.base_client.errors import MismatchingStateError


@app.route('/callback')
def callback_handling():
    """
    Stores user information after login then redirects. If first login,
    redirect to password change page, otherwise go straight to dashboard.

    Returns
    -------
    Response
        Redirects to specified URL
    """
    # Auth0 returns changed state due to multiple logins
    try:
        auth0.authorize_access_token()
        logging.info('Session is active...')
    except MismatchingStateError:
        logging.info('State mismatch, redirecting to force Auth0 state update')
        last_active = _get_last_active()
        # The session may not hold a profile yet (e.g. a fresh login after
        # session.clear()), so read the email defensively instead of raising.
        email = session.get('profile', {}).get('email')
        logging.info(f'SESSION END: {email}: {last_active}')
        session.clear()
        return redirect('/login')

    resp = auth0.get('userinfo')
    user_info = resp.json()
    # Store the user information in flask session.
    session['jwt_payload'] = user_info
    user_id = user_info['sub']
    session['profile'] = {
        'user_id': user_id,
        'name': user_info['name'],
        'email': user_info['email']
    }
    session.permanent = True
    # Note: this is an app-wide setting, not per session; it applies to
    # every permanent session from this point on.
    app.permanent_session_lifetime = dt.timedelta(minutes=1)
    start_time = dt.datetime.utcnow()
    logging.info(
        f'SESSION START: {session["profile"]["email"]}: {start_time}')
    session['permissions'] = get_user_commodity_permissions(user_id)
    session['licensed_features'] = get_licensed_features(
        session['permissions'])
    return redirect(_get_login_redirect_url(user_id))
```
All application functions are wrapped in a 'requires_auth' decorator which checks that the session is still valid:
```python
from functools import wraps

from flask import session


def requires_auth(f):
    """Start the Auth0 login flow unless the Flask session still holds
    a profile and permissions; otherwise run the wrapped view."""
    @wraps(f)
    def decorated(*args, **kwargs):
        if 'profile' not in session or 'permissions' not in session:
            return auth0.authorize_redirect(
                redirect_uri=app.config.get('AUTH0_CALLBACK_URL')
            )
        return f(*args, **kwargs)
    return decorated
```
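An added, stand-alone example (not the poster's code and not part of authlib, Flask or Dash) of how an "expired session" decision can be made so that both kinds of request the app receives are answered usefully. It assumes, as the post does, a one-minute lifetime, and it assumes two things the post does not state: that Dash fires its callbacks as XHR POSTs to `/_dash-update-component`, and that the browser only performs a page navigation on a 302 when the request was a top-level navigation (an XHR follows the redirect silently and hands the login page HTML to the calling script). The `Request`, `Decision`, `LOGIN_URL` and `last_active` names are constructed for the example.

```python
"""Added example: answer an expired session differently for page loads
and XHR/Dash callback requests. Session and request objects are simple
stand-ins (constructed for this example), not Flask's own."""
import datetime as dt
from dataclasses import dataclass, field
from typing import Dict, Optional

SESSION_LIFETIME = dt.timedelta(minutes=1)          # mirrors the post's 1-minute lifetime
LOGIN_URL = "https://example.auth0.com/authorize"   # placeholder authorize URL (assumption)


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request."""
    path: str
    method: str = "GET"
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Decision:
    """What the view should answer: 200 (proceed), 302 (Location) or 401 (JSON body)."""
    status: int
    location: Optional[str] = None
    body: Optional[dict] = None


def is_xhr(req: Request) -> bool:
    """True when the request was made by script, not by a page navigation.
    Dash's renderer posts callbacks to /_dash-update-component; browsers send
    Sec-Fetch-Mode 'navigate' for page loads and 'cors'/'same-origin' for fetch/XHR."""
    if req.path.startswith("/_dash-update-component"):
        return True
    if req.headers.get("X-Requested-With") == "XMLHttpRequest":
        return True
    return req.headers.get("Sec-Fetch-Mode", "navigate") != "navigate"


def session_is_valid(session: dict, now: dt.datetime,
                     lifetime: dt.timedelta = SESSION_LIFETIME) -> bool:
    """Require the identity keys AND a recent 'last_active' timestamp, so
    expiry is enforced server-side rather than only by key presence."""
    if 'profile' not in session or 'permissions' not in session:
        return False
    last = session.get('last_active')
    return last is not None and (now - last) <= lifetime


def authorize(session: dict, req: Request, now: dt.datetime,
              lifetime: dt.timedelta = SESSION_LIFETIME) -> Decision:
    """Decide how to answer. Valid sessions slide their expiry forward;
    expired ones are cleared so no stale identity data survives."""
    if session_is_valid(session, now, lifetime):
        session['last_active'] = now
        return Decision(200)
    session.clear()
    if is_xhr(req):
        # A 302 here would be followed by fetch() and never navigate the page;
        # tell the client script explicitly where to send the browser instead.
        return Decision(401, body={"error": "session_expired", "login_url": LOGIN_URL})
    return Decision(302, location=LOGIN_URL)


def new_session(now: dt.datetime) -> dict:
    """Constructed sample session as the callback would leave it after login."""
    return {
        'profile': {'user_id': 'auth0|example', 'name': 'Example', 'email': 'user@example.com'},
        'permissions': ['read'],
        'last_active': now,
    }


def run_demo() -> list:
    """Walk the three cases and return their status codes: [200, 302, 401]."""
    t0 = dt.datetime(2024, 1, 1, 12, 0, 0)
    page = Request('/dashboard')
    dash_cb = Request('/_dash-update-component', 'POST', {'Content-Type': 'application/json'})
    out = []
    s = new_session(t0)
    out.append(authorize(s, page, t0 + dt.timedelta(seconds=30)).status)   # still valid
    out.append(authorize(s, page, t0 + dt.timedelta(minutes=5)).status)    # expired page load
    s = new_session(t0)
    out.append(authorize(s, dash_cb, t0 + dt.timedelta(minutes=5)).status) # expired callback
    return out


if __name__ == "__main__":
    print(run_demo())
```

In a Dash app the callback itself cannot act on a 302, so on the 401 path the usual pattern is to have the callback update a `dcc.Location` component's `href` (with `refresh=True`) to the login URL, which makes the browser perform a real top-level navigation to Auth0; page loads through Flask routes can keep the plain 302.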