DiamondLightSource · gfrn · Nov 2, 2023 · Oct 20, 2023 · Nov 2, 2023 · Nov 2, 2023
diff --git a/api/src/Authentication/Type/OIDC.php b/api/src/Authentication/Type/OIDC.php
@@ -10,33 +10,36 @@ class OIDC extends AuthenticationParent implements AuthenticationInterface
 {
     private $providerConfig = array();
 
-    function __construct() {
-        global $sso_url, $oidc_client_id, $oidc_client_secret;
-
-        $ch = curl_init();
-        curl_setopt($ch, CURLOPT_URL, 'https://' . $sso_url . '/.well-known/openid-configuration');
-        curl_setopt($ch, CURLOPT_HEADER, 0);
-        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
-        $response = curl_exec($ch);
-        curl_close($ch);
-        $newProviderConfig = json_decode($response);
-
-        if(!$newProviderConfig
-            || !isset($newProviderConfig->userinfo_endpoint)
-            || !isset($newProviderConfig->authorization_endpoint) 
-            || !isset($newProviderConfig->token_endpoint)) {
-            error_log("OIDC Authentication provider replied with invalid JSON body");
-            return;
+    private function getEndpoints() {
+        if (empty($providerConfig)) {
+            global $sso_url, $oidc_client_id, $oidc_client_secret;
+
+            $ch = curl_init();
+            curl_setopt($ch, CURLOPT_URL, 'https://' . $sso_url . '/.well-known/openid-configuration');
+            curl_setopt($ch, CURLOPT_HEADER, 0);
+            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+            $response = curl_exec($ch);
+            curl_close($ch);
+            $newProviderConfig = json_decode($response);
+
+            if(!$newProviderConfig
+                || !isset($newProviderConfig->userinfo_endpoint)
+                || !isset($newProviderConfig->authorization_endpoint) 
+                || !isset($newProviderConfig->token_endpoint)) {
+                error_log("OIDC Authentication provider replied with invalid JSON body");
+                return;
+            }
+            $newProviderConfig->b64ClientCreds = base64_encode(
+                $oidc_client_id . ":" . $oidc_client_secret
+            );
+
+            $this->providerConfig = $newProviderConfig;
         }
-        $newProviderConfig->b64ClientCreds = base64_encode(
-            $oidc_client_id . ":" . $oidc_client_secret
-        );
-
-        $this->providerConfig = $newProviderConfig;
     }
 
     private function getUser($token)
     {        
+        $this->getEndpoints();
         $ch = curl_init();
         curl_setopt($ch, CURLOPT_URL, $this->providerConfig->userinfo_endpoint);
         curl_setopt($ch, CURLOPT_HEADER, 0);
@@ -71,6 +74,7 @@ function check()
 
     function authorise() 
     {
+        $this->getEndpoints();
         global $oidc_client_id;
         $redirect_url = Utils::filterParamFromUrl($_SERVER["HTTP_REFERER"], "code");
 
@@ -82,6 +86,7 @@ function authorise()
 
     function authenticateByCode($code) 
     {   
+        $this->getEndpoints();
         global $cacert, $oidc_client_secret, $oidc_client_id, $cookie_key;
 
         $redirect_url = Utils::filterParamFromUrl($_SERVER["HTTP_REFERER"], "code");
@@ -105,14 +110,14 @@ function authenticateByCode($code)
         }        
 
         $token = $response_json->access_token;
-
+        
         if(!$token) {
             error_log("Invalid authentication attempt, provider returned no access token");
             return false;
         }
 
         $cookieOpts = array (
-            'expires' => time() + 60*60*24,
+            'expires' => time() + $response_json->expires_in,
             'path' => '/',
             'secure' => true,
             'httponly' => true,
@@ -123,4 +128,3 @@ function authenticateByCode($code)
         return $this->getUser($token);
     }
 }
-