Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make sure refreshing OAuth token is idempotent #3650

Merged
merged 7 commits into from
Dec 11, 2024
Merged

Make sure refreshing OAuth token is idempotent #3650

merged 7 commits into from
Dec 11, 2024
+672 −66

Conversation

sandhose
Copy link
Member

@sandhose sandhose commented Dec 10, 2024
edited
Loading

Fixes #2795

This can be reviewed commit by commit

It is basically:

  • keep track of the 'chain' of refresh tokens, so record the 'next' token when consuming one
  • recording when access tokens are first used (either through introspection or the userinfo endpoint)
  • make the cleanup job remove 'revoked' tokens, not the expired ones anymore. This is to make sure we keep the info whether the access token was used or not
  • then implement the "idempotence" logic on the refresh token grant

@cloudflare-workers-and-pages Cloudflare Workers and Pages
Copy link

cloudflare-workers-and-pages bot commented Dec 10, 2024
edited
Loading

Deploying matrix-authentication-service-docs with  Cloudflare Pages  Cloudflare Pages

Latest commit: e64e5f5
Status: ✅  Deploy successful!
Preview URL: https://7a059f05.matrix-authentication-service-docs.pages.dev
Branch Preview URL: https://quenting-refresh-idempotence.matrix-authentication-service-docs.pages.dev

View logs

@sandhose sandhose marked this pull request as ready for review December 10, 2024 16:55
@sandhose sandhose requested a review from reivilibre December 10, 2024 16:56
@sandhose
Record the next refresh token ID when refreshing

Verified

This commit was signed with the committer’s verified signature.
sandhose Quentin Gliech
GPG key ID: 22D62B84552719FC
Verified
Learn about vigilant mode
6f3e3a1 
This will help us determine whether we had a double-refresh happening
@sandhose
Record when access tokens are first used

Verified

This commit was signed with the committer’s verified signature.
sandhose Quentin Gliech
GPG key ID: 22D62B84552719FC
Verified
Learn about vigilant mode
45f5780
@sandhose
Cleanup revoked tokens instead of expired ones

Verified

This commit was signed with the committer’s verified signature.
sandhose Quentin Gliech
GPG key ID: 22D62B84552719FC
Verified
Learn about vigilant mode
44c27e8 
If we continue deleting expired tokens, we might not record whether the
token was used or not, and not know what to do in case of
a double-refresh.

Revoked tokens are safe to delete.

This also reduces the frequency of the cleanup job to once an hour.
@sandhose
Allow revoking refresh tokens

Verified

This commit was signed with the committer’s verified signature.
sandhose Quentin Gliech
GPG key ID: 22D62B84552719FC
Verified
Learn about vigilant mode
1f555b8 
This lets us track 'revoked' tokens separately from 'consumed' tokens.
@sandhose
Mark access token as used when calling the userinfo endpoint

Verified

This commit was signed with the committer’s verified signature.
sandhose Quentin Gliech
GPG key ID: 22D62B84552719FC
Verified
Learn about vigilant mode
e6ff907
@sandhose
Make sure the refresh token is idempotent

Verified

This commit was signed with the committer’s verified signature.
sandhose Quentin Gliech
GPG key ID: 22D62B84552719FC
Verified
Learn about vigilant mode
Loading
Loading status checks…
76137c4 
This allows using a refresh token multiple times, as long as the new
pair of tokens were not used in the meantime.
@sandhose sandhose force-pushed the quenting/refresh-idempotence branch from 89331a3 to 76137c4 Compare December 11, 2024 08:22
reivilibre
reivilibre approved these changes Dec 11, 2024
View reviewed changes
crates/handlers/src/oauth2/token.rs
&state.clock,
&mut repo,
&session,
Duration::microseconds(5 * 60 * 1000 * 1000),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is there really no way to do Duration::seconds(5 * 60) lol? :D

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's the only one that can't panic, and clippy will complain that we don't document that potential panic I think? 😬

@reivilibre
Copy link
Contributor

('idempotent' seems like a misleading word since the old tokens get revoked, rather than returned again, but not sure if there's a more accurate word that matches it better)

@sandhose @reivilibre
Apply suggestions from code review

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode
Loading
Loading status checks…
e64e5f5 
Co-authored-by: reivilibre <oliverw@element.io>
@sandhose sandhose merged commit 1dbed14 into main Dec 11, 2024
19 checks passed
@sandhose sandhose deleted the quenting/refresh-idempotence branch December 11, 2024 13:15
This was referenced Dec 11, 2024
Closed
Closed
@sandhose sandhose added T-Enhancement New feature of request A-Next-Gen-Auth Related to the next generation authentication APIs T-Defect Something isn't working and removed T-Enhancement New feature of request labels Dec 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@reivilibre reivilibre

Assignees
No one assigned
Labels
A-Next-Gen-Auth Related to the next generation authentication APIs T-Defect Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Refresh token request should be idempotent
2 participants
@sandhose @reivilibre