Open-EO / openeo-r-client

R client package for working with openEO backends

Home Page: https://open-eo.github.io/openeo-r-client

OIDC Refresh Token not obtained

flahn opened this issue · comments

At first glance the token refreshment works. The token is fetched and stored. However, setting the new expiry time fails because of a wrong field access.

Expiry Time setting at login:

private$token_expiry_time = Sys.time() + private$auth$credentials$expires_in

Expiry Time setting at refresh:

private$token_expiry_time = Sys.time() + private$auth$credentials$expiry

So this should be an easy fix, but needs testing.

On further investigation, there is no refresh token in the credentials.

host = "https://openeo.cloud"
con = connect(host)

login(<some confidential stuff>)

auth = con$getAuthClient()
httr_auth = auth$getAuth()
httr_auth$credentials$expires_in 

httr_auth$can_refresh() #FALSE

Adding the related follow-up questions from the forum:

Two related follow-up questions:
How to deal with jobs that run longer than 15 minutes?
Is it necessary to have a browser tab open up to notify the user on “Authentication complete. Please close this page and return to R.”? The R console already informs the user with “Login successful”.

@soxofaan - could you help us out here? How have you solved this in the python client? Is there a way to involve EGI here? Or do we have to go through their helpdesk?
Maybe also you have an idea @m-mohr.

Thanks to @m-mohr. I can get the missing refresh_token when I add "offline_access" to the scopes.

login(
  login_type = "oidc",
  provider = "egi",
  config = list(
    client_id = <client-id>,
    secret = <secret>,
    scopes = c("openid", "email", "eduperson_entitlement","offline_access")))

In the future I want the client to handle that internally, but for now the work-around should suffice. Probably it's best if the user can still manually overwrite / set parameters in case some configurations are broken.

sorry for late response, but I was a bit out due to corona.

Do you request the offline_access scope?

indeed, with EGI the "offline_access" scope is a requirement for refresh tokens

By default, the default clients should be used and the user doesn't need to specify scopes. It's still valuable to allow the user to override though. And in a non-"openEO platform" environment a reasonable default should be chosen, which is probably what is used right now.

> It's still valuable to allow the user to override though.

I'm not sure that makes sense conceptually (for R and Python client usage), because neither the user nor the client does anything with the scopes; it's the back-end that requests the userinfo.

In any case, the user should indeed not be expected to specify the scopes, it's the backend that specifies them under /credentials/oidc

Are you talking generally or specific to Platform, @soxofaan?

generally about openEO API

@flahn What's the intended behavior now? I assume the R client just adds the offline_access token automatically in case it's missing? Or does the user need to specify it manually all the time?

Since it does not appear in the response from openeo platform I add it manually, as EGI does in fact offer it. And this happens always, because why would the user have it otherwise.

So if I call login(login_type = "oidc",provider = "egi") the client requests all scopes for the default client ID chosen automatically + offline_access if it's not present yet?

Yes. You can even neglect login_type="oidc" if you state a provider.

Then this should be solved although I haven't checked whether I really get a refresh_token.

Hmm... I'm not sure whether it's more useful to specify the login_type of the provider. I guess it depends on the use case?!
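
The behaviour this thread converges on, sketched as an added example that is not code from the openeo R client: request the scopes the back-end lists plus "offline_access", read the expiry from `expires_in`, and check for a refresh token before relying on a refresh. The helper names, the sample provider entry, the token responses and the rule that an explicit user override wins are assumptions made for illustration.

```r
# Constructed sample of one provider entry as a back-end might list it under
# /credentials/oidc; note that "offline_access" is not advertised.
provider <- list(
  id = "egi",
  scopes = c("openid", "email", "eduperson_entitlement")
)

# Hypothetical helper: scopes to request at login. An explicit user override
# wins (assumption); otherwise start from the back-end's list and append
# "offline_access", which EGI requires before it issues a refresh token.
resolve_scopes <- function(provider, user_scopes = NULL) {
  if (!is.null(user_scopes)) return(unique(user_scopes))
  union(provider$scopes, "offline_access")
}

# Hypothetical helper: expiry time from a token response. Reads "expires_in"
# (seconds) and fails loudly when it is absent: a missing list field is NULL
# in R, and Sys.time() + NULL is a zero-length value, not an error.
token_expiry <- function(credentials, now = Sys.time()) {
  ttl <- credentials$expires_in
  if (!is.numeric(ttl) || length(ttl) != 1L || is.na(ttl) || ttl <= 0) {
    stop("token response has no usable 'expires_in' field")
  }
  now + ttl
}

# Hypothetical helper: a refresh is only possible if the response carried a
# non-empty refresh_token.
has_refresh_token <- function(credentials) {
  rt <- credentials$refresh_token
  is.character(rt) && length(rt) == 1L && nzchar(rt)
}

# Constructed token responses: without and with the offline_access scope.
without_offline <- list(access_token = "aaa", expires_in = 900)
with_offline <- list(access_token = "bbb", expires_in = 900,
                     refresh_token = "ccc")

print(resolve_scopes(provider))
print(has_refresh_token(without_offline))
print(has_refresh_token(with_offline))
print(token_expiry(with_offline) - Sys.time())
```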