Feature: OIDC refresh token support #2664
Conversation
![codeclimate[bot]](https://avatars.githubusercontent.com/in/9403?s=60&v=4){kind=small}
john-odonnell
changed the title
|
Maybe this shouldn't be merged yet. Probably shouldn't start distributing refresh tokens until we can either accept or revoke them. |
- AuthenticationHandler class now expects a given Strategy to respond with the authenticating identity and a hash of response headers. These are passed through to the AuthenticationController. - AuthnOidc V2 Client and Strategy classes are updated to meet this expectation. - Includes RSpec and Cucumber tests validating the updated behavior.
john-odonnell
force-pushed
the
oidc-code-with-refresh
branch
from
e8ab69d to
d5fff30
Compare
| @@ -248,6 +249,12 @@ def render_authn_token(authn_token) | |||
| render(content_type => authn_token) | |||
| end | |||
|
|
|||
| def set_headers(headers_h) | |||
| headers_h.each { |key, value| | |||
| response.set_header(key, value.to_s) unless key.blank? || value.blank? | |||
There was a problem hiding this comment.
AuthenticateController#set_headers refers to 'value' more than self (maybe move it to another class?)
| unless identity.present? | ||
| raise Errors::Authentication::AuthnOidc::IdTokenClaimNotFoundOrEmpty, | ||
| @authenticator.claim_mapping | ||
| end | ||
| identity | ||
|
|
||
| return [identity, {}] if refresh_token.nil? |
There was a problem hiding this comment.
Authentication::AuthnOidc::V2::Strategy#callback performs a nil-check
| @@ -248,6 +249,12 @@ | |||
| render(content_type => authn_token) | |||
| end | |||
|
|
|||
| def set_headers(headers_h) | |||
There was a problem hiding this comment.
Do not prefix writer method names with set_.
| @@ -248,6 +249,12 @@ | |||
| render(content_type => authn_token) | |||
| end | |||
|
|
|||
| def set_headers(headers_h) | |||
| headers_h.each { |key, value| | |||
There was a problem hiding this comment.
Avoid using {...} for multi-line blocks.
| unless identity.present? | ||
| raise Errors::Authentication::AuthnOidc::IdTokenClaimNotFoundOrEmpty, | ||
| @authenticator.claim_mapping | ||
| end | ||
| identity | ||
|
|
||
| return [identity, {}] if refresh_token.nil? |
There was a problem hiding this comment.
Add empty line after guard clause.
| auth_token, headers_h = Authentication::Handler::AuthenticationHandler.new( | ||
| authenticator_type: params[:authenticator] | ||
| ).call( | ||
| parameters: params.to_hash.symbolize_keys, | ||
| request_ip: request.ip | ||
| ) |
There was a problem hiding this comment.
Reconsidering if this is the interface we want. Authn-OIDC V2 is our only auth scheme that needs to set a response header - this means each other auth scheme converted to use the AuthenticationHandler pattern will be returning an empty set of headers.
To avoid passing the response object everywhere, I experimented with passing a lambda as an optional parameter to the call method, so that while other auth schemes can do this:
auth_token = Authentication::Handler::AuthenticationHandler.new(
authenticator_type: params[:authenticator]
).call(
parameters: params.to_hash.symbolize_keys,
request_ip: request.ip
)... Authn-OIDC V2 could do this:
auth_token = Authentication::Handler::AuthenticationHandler.new(
authenticator_type: params[:authenticator]
).call(
parameters: params.to_hash.symbolize_keys,
request_ip: request.ip,
set_header: lambda { |key, value|
response.set_header(key, value) unless key.blank? or value.blank?
}
)... and the set_header block could be used in the OIDC-V2-specific Authentication::AuthnOidc::V2::Strategy class.
Refactor OIDC client to include refresh token exchange
john-odonnell
changed the title
| decoded_id_token | ||
| end | ||
|
|
||
| def verify_id_token(decoded_id_token, nonce, refresh: false) |
There was a problem hiding this comment.
Authentication::AuthnOidc::V2::Client#verify_id_token has boolean parameter 'refresh'
|
|
||
| def verify_id_token(decoded_id_token, nonce, refresh: false) | ||
| expected_nonce = nonce | ||
| if refresh && decoded_id_token.raw_attributes['nonce'].nil? |
There was a problem hiding this comment.
Authentication::AuthnOidc::V2::Client#verify_id_token is controlled by argument 'refresh'
|
|
||
| def verify_id_token(decoded_id_token, nonce, refresh: false) | ||
| expected_nonce = nonce | ||
| if refresh && decoded_id_token.raw_attributes['nonce'].nil? |
There was a problem hiding this comment.
Authentication::AuthnOidc::V2::Client#verify_id_token performs a nil-check
|
Code Climate has analyzed commit 127967c and detected 11 issues on this pull request. Here's the issue category breakdown:
The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 89.9%. View more on Code Climate. |
Add refresh_token logic and tests to OIDC API
|
Closing. Refresh token support was abandoned in favor of a configurable Conjur access token TTL - see #2683. |
Desired Outcome
This PR implements refresh token support for Conjur's OIDC V2 authenticator.
API Updates
/authenticatecodenoncecode_verifierX-OIDC-Refresh-Token/authenticatecodenoncecode_verifierX-OIDC-Refresh-Token/authenticaterefresh_tokennonceX-OIDC-Refresh-Token/logoutrefresh_tokennoncestateredirect_uriImplemented Changes
Connected Issue/Story
CyberArk internal issue link: [ONYX-26608]
Definition of Done
At least 1 todo must be completed in the sections below for the PR to be
merged.
Changelog
CHANGELOG update
Test coverage
changes, or
Documentation
READMEs) were updated in this PRBehavior
Security