2

When I try to access Liferay Portal session data it seems as it doesn't contain data stored by internal Liferay Portal processes. Is it possible to access the token that was stored in the OpenId-Connect Login process?

Basically, I was tasked with finding Software, that can make implementing a Portal, which displays functionality offered by API-Endpoints of multiple different internal Platforms easier. Currently, I'm looking at Liferay Portal 7.2. For the Login, I've used the OpenId-Connect implementation of Liferay Portal since authentication is handled by an internal Login server. The access token returned at the end of the OpenID-connect login process is an API-Token which I then want to use to access various API-Endpoints.

Currently I get the Session like this 

HttpSession httpSession = PortalUtil.getHttpServletRequest(actionRequest).getSession();

After looking at the OpenId-Connect implementation in

com.liferay.portal.security.sso.openid.connect.internal.OpenIdConnectServiceHandlerImpl

I then tried to get the Session Object like this.

Object openIdConnectSessionObject = httpSession.getAttribute("OPEN_ID_CONNECT_SESSION");

But at this point, openIdConnectSessionObject is always null. I have read that different scopes have different sessions, but is there a way to access this data or is Liferay Portal maybe not really fit for what I'm trying to do.

Reegan Miranda
  • 2,879
  • 6
  • 43
  • 55
Robert Engel
  • 664
  • 6
  • 13
  • Hello Robert Engel, did you have any lucky in getting the access token from the session? I have the same need. – Henrique Droog Sep 03 '19 at 17:25
  • @HenriqueDroog this is the correct way `public static String getToken(HttpSession httpSession) { return (httpSession.getAttribute(OPEN_ID_CONNECT_SESSION) instanceof OpenIdConnectSession) ? ((OpenIdConnectSession) httpSession.getAttribute(OPEN_ID_CONNECT_SESSION)) .getAccessTokenValue() : null; }` – Robert Engel Sep 09 '19 at 07:24

1 Answers1

2

There's one detail worth noting:

PortalUtil.getHttpServletRequest(actionRequest) will give you access to an artificial PortletRequest object that adheres to the HttpServletRequest interface, in case you need that for some API that expects requests from the servlet, not the portal, world.

A PortletRequest contains only parameters (and session information) directed to a particular portlet, and nothing else.

If you're interested in the actual underlying HttpServletRequest, you'll need PortalUtil.getOriginalServletRequest, which takes an HttpServletRequest as input. And you'll get that the way you've already explored. In the end, you'll have

session = PortalUtil.getOriginalServletRequest(
    PortalUtil.getHttpServletRequest(actionRequest)).getSession();

to get the actual server's session.

I've not checked if that is useful, or even an advisable solution to the problem you state, but it might bring you further along solving your problem.

Olaf Kock
  • 46,930
  • 8
  • 59
  • 90