-
Notifications
You must be signed in to change notification settings - Fork 562
feat(auth): bind DCR client credentials to issuing authorization server (SEP-2352) #998
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -201,6 +201,8 @@ pub struct StoredCredentials { | |
| pub granted_scopes: Vec<String>, | ||
| #[serde(default)] | ||
| pub token_received_at: Option<u64>, | ||
| #[serde(default)] | ||
| pub issuer: Option<String>, | ||
| } | ||
|
|
||
| impl std::fmt::Debug for StoredCredentials { | ||
|
|
@@ -213,6 +215,7 @@ impl std::fmt::Debug for StoredCredentials { | |
| ) | ||
| .field("granted_scopes", &self.granted_scopes) | ||
| .field("token_received_at", &self.token_received_at) | ||
| .field("issuer", &self.issuer) | ||
| .finish() | ||
| } | ||
| } | ||
|
|
@@ -230,8 +233,14 @@ impl StoredCredentials { | |
| token_response, | ||
| granted_scopes, | ||
| token_received_at, | ||
| issuer: None, | ||
| } | ||
| } | ||
|
|
||
| pub fn with_issuer(mut self, issuer: Option<String>) -> Self { | ||
| self.issuer = issuer; | ||
| self | ||
| } | ||
| } | ||
|
|
||
| /// Trait for storing and retrieving OAuth2 credentials | ||
|
|
@@ -1088,6 +1097,49 @@ impl AuthorizationManager { | |
| self.metadata = Some(metadata); | ||
| } | ||
|
|
||
| if let (Some(stored_issuer), Some(current_issuer)) = | ||
| (stored.issuer.as_deref(), self.metadata_issuer().as_deref()) | ||
|
DaleSeo marked this conversation as resolved.
|
||
| { | ||
| // A CIMD client ID is the client's metadata URL, so it is | ||
| // portable across authorization servers and exempt here. | ||
| if stored_issuer != current_issuer { | ||
| if is_https_url(&stored.client_id) { | ||
| // A CIMD client ID is the client's metadata URL, so it is | ||
| // portable across authorization servers — but the tokens | ||
| // were minted by the previous AS and must not be reused. | ||
| tracing::warn!( | ||
| stored_issuer, | ||
| current_issuer, | ||
| "authorization server issuer changed; discarding tokens but keeping portable CIMD client ID" | ||
| ); | ||
| self.credential_store | ||
| .save( | ||
| StoredCredentials::new( | ||
| stored.client_id.clone(), | ||
| None, | ||
| vec![], | ||
| None, | ||
| ) | ||
| .with_issuer(self.metadata_issuer()), | ||
| ) | ||
| .await?; | ||
| self.configure_client_id(&stored.client_id)?; | ||
| return Ok(false); | ||
| } | ||
|
|
||
| tracing::warn!( | ||
| stored_issuer, | ||
| current_issuer, | ||
| "authorization server issuer changed; clearing stored credentials bound to the previous issuer" | ||
| ); | ||
| self.credential_store.clear().await?; | ||
| return Err(AuthError::AuthorizationServerMismatch { | ||
| expected_issuer: stored_issuer.to_string(), | ||
| received_issuer: current_issuer.to_string(), | ||
| }); | ||
| } | ||
| } | ||
|
|
||
| self.configure_client_id(&stored.client_id)?; | ||
| return Ok(true); | ||
| } | ||
|
|
@@ -1703,6 +1755,7 @@ impl AuthorizationManager { | |
| token_response: Some(token_result.clone()), | ||
| granted_scopes, | ||
| token_received_at: Some(Self::now_epoch_secs()), | ||
| issuer: self.metadata_issuer(), | ||
| }; | ||
| self.credential_store.save(stored).await?; | ||
|
|
||
|
|
@@ -1716,6 +1769,10 @@ impl AuthorizationManager { | |
| .as_secs() | ||
| } | ||
|
|
||
| fn metadata_issuer(&self) -> Option<String> { | ||
| self.metadata.as_ref().and_then(|m| m.issuer.clone()) | ||
| } | ||
|
|
||
| /// Proactive refresh buffer: refresh tokens this many seconds before they expire | ||
| /// to avoid races between token retrieval and the actual HTTP request. | ||
| const REFRESH_BUFFER_SECS: u64 = 30; | ||
|
|
@@ -1838,6 +1895,7 @@ impl AuthorizationManager { | |
| token_response: Some(token_result.clone()), | ||
| granted_scopes, | ||
| token_received_at: Some(Self::now_epoch_secs()), | ||
| issuer: self.metadata_issuer(), | ||
| }; | ||
| self.credential_store.save(stored).await?; | ||
|
|
||
|
|
@@ -2658,6 +2716,7 @@ impl AuthorizationManager { | |
| token_response: Some(token_result.clone()), | ||
| granted_scopes, | ||
| token_received_at: Some(Self::now_epoch_secs()), | ||
| issuer: self.metadata_issuer(), | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. We now stamp
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. good catch. |
||
| }; | ||
| self.credential_store.save(stored).await?; | ||
|
|
||
|
|
@@ -2780,6 +2839,7 @@ impl AuthorizationManager { | |
| token_response: Some(token_result.clone()), | ||
| granted_scopes, | ||
| token_received_at: Some(Self::now_epoch_secs()), | ||
| issuer: self.metadata_issuer(), | ||
| }; | ||
| self.credential_store.save(stored).await?; | ||
|
|
||
|
|
@@ -3142,17 +3202,18 @@ impl OAuthState { | |
|
|
||
| *manager.current_scopes.write().await = granted_scopes.clone(); | ||
|
|
||
| let metadata = manager.discover_metadata().await?; | ||
| manager.metadata = Some(metadata); | ||
|
|
||
| let stored = StoredCredentials { | ||
| client_id: client_id.to_string(), | ||
| token_response: Some(credentials), | ||
| granted_scopes, | ||
| token_received_at: Some(AuthorizationManager::now_epoch_secs()), | ||
| issuer: manager.metadata_issuer(), | ||
| }; | ||
| manager.credential_store.save(stored).await?; | ||
|
|
||
| let metadata = manager.discover_metadata().await?; | ||
| manager.metadata = Some(metadata); | ||
|
|
||
| manager.configure_client_id(client_id)?; | ||
|
|
||
| *self = OAuthState::Authorized(manager); | ||
|
|
@@ -4617,6 +4678,7 @@ mod tests { | |
| token_response: Some(token_response), | ||
| granted_scopes: vec![], | ||
| token_received_at: None, | ||
| issuer: None, | ||
| }; | ||
| let debug_output = format!("{:?}", creds); | ||
|
|
||
|
|
@@ -5594,6 +5656,7 @@ mod tests { | |
| token_response: Some(make_token_response("my-access-token", Some(3600))), | ||
| granted_scopes: vec![], | ||
| token_received_at: Some(AuthorizationManager::now_epoch_secs()), | ||
| issuer: None, | ||
| }; | ||
| manager.credential_store.save(stored).await.unwrap(); | ||
|
|
||
|
|
@@ -5611,6 +5674,7 @@ mod tests { | |
| token_response: Some(make_token_response("stale-token", Some(3600))), | ||
| granted_scopes: vec![], | ||
| token_received_at: Some(AuthorizationManager::now_epoch_secs() - 7200), | ||
| issuer: None, | ||
| }; | ||
| manager.credential_store.save(stored).await.unwrap(); | ||
|
|
||
|
|
@@ -5629,6 +5693,7 @@ mod tests { | |
| token_response: Some(make_token_response("no-expiry-token", None)), | ||
| granted_scopes: vec![], | ||
| token_received_at: None, | ||
| issuer: None, | ||
| }; | ||
| manager.credential_store.save(stored).await.unwrap(); | ||
|
|
||
|
|
@@ -5646,6 +5711,7 @@ mod tests { | |
| token_response: Some(make_token_response("almost-expired", Some(3600))), | ||
| granted_scopes: vec![], | ||
| token_received_at: Some(AuthorizationManager::now_epoch_secs() - 3590), | ||
| issuer: None, | ||
| }; | ||
| manager.credential_store.save(stored).await.unwrap(); | ||
|
|
||
|
|
@@ -5664,6 +5730,7 @@ mod tests { | |
| token_response: Some(make_token_response("stale-token", Some(3600))), | ||
| granted_scopes: vec![], | ||
| token_received_at: Some(AuthorizationManager::now_epoch_secs() - 7200), | ||
| issuer: None, | ||
| }; | ||
| manager.credential_store.save(stored).await.unwrap(); | ||
|
|
||
|
|
@@ -5965,6 +6032,7 @@ mod tests { | |
| )), | ||
| granted_scopes: vec![], | ||
| token_received_at: Some(AuthorizationManager::now_epoch_secs()), | ||
| issuer: None, | ||
| }) | ||
| .await | ||
| .unwrap(); | ||
|
|
@@ -5993,6 +6061,7 @@ mod tests { | |
| token_response: None, | ||
| granted_scopes: vec![], | ||
| token_received_at: None, | ||
| issuer: None, | ||
| }; | ||
| manager.credential_store.save(stored).await.unwrap(); | ||
|
|
||
|
|
@@ -6013,6 +6082,7 @@ mod tests { | |
| token_response: Some(make_token_response("old-token", Some(3600))), | ||
| granted_scopes: vec![], | ||
| token_received_at: Some(AuthorizationManager::now_epoch_secs()), | ||
| issuer: None, | ||
| }; | ||
| manager.credential_store.save(stored).await.unwrap(); | ||
|
|
||
|
|
@@ -6103,6 +6173,7 @@ mod tests { | |
| )), | ||
| granted_scopes: vec![], | ||
| token_received_at: Some(AuthorizationManager::now_epoch_secs()), | ||
| issuer: None, | ||
| }) | ||
| .await | ||
| .unwrap(); | ||
|
|
@@ -6308,6 +6379,7 @@ mod tests { | |
| )), | ||
| granted_scopes: vec!["read".to_string(), "write".to_string()], | ||
| token_received_at: Some(AuthorizationManager::now_epoch_secs()), | ||
| issuer: None, | ||
| }; | ||
| manager.credential_store.save(stored).await.unwrap(); | ||
|
|
||
|
|
@@ -6345,6 +6417,7 @@ mod tests { | |
| )), | ||
| granted_scopes: vec![], | ||
| token_received_at: Some(AuthorizationManager::now_epoch_secs()), | ||
| issuer: None, | ||
| }; | ||
| manager.credential_store.save(stored).await.unwrap(); | ||
|
|
||
|
|
@@ -6382,6 +6455,7 @@ mod tests { | |
| )), | ||
| granted_scopes: vec!["read".to_string()], | ||
| token_received_at: Some(AuthorizationManager::now_epoch_secs()), | ||
| issuer: None, | ||
| }; | ||
| manager.credential_store.save(stored).await.unwrap(); | ||
|
|
||
|
|
@@ -6419,6 +6493,7 @@ mod tests { | |
| )), | ||
| granted_scopes: vec![], | ||
| token_received_at: Some(AuthorizationManager::now_epoch_secs()), | ||
| issuer: None, | ||
| }; | ||
| manager.credential_store.save(stored).await.unwrap(); | ||
|
|
||
|
|
@@ -6457,6 +6532,7 @@ mod tests { | |
| )), | ||
| granted_scopes: vec![], | ||
| token_received_at: Some(AuthorizationManager::now_epoch_secs()), | ||
| issuer: None, | ||
| }; | ||
| manager.credential_store.save(stored).await.unwrap(); | ||
|
|
||
|
|
@@ -6520,6 +6596,7 @@ mod tests { | |
| )), | ||
| granted_scopes: vec![], | ||
| token_received_at: Some(AuthorizationManager::now_epoch_secs()), | ||
| issuer: None, | ||
| }; | ||
| manager.credential_store.save(stored).await.unwrap(); | ||
|
|
||
|
|
||
Uh oh!
There was an error while loading. Please reload this page.