OAuth migration | Force user to sign in if Access token auth_time older than 30 minutes
#1300
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
raphaelkabo
changed the title
auth_time older than 30 minutes
raphaelkabo
changed the title
auth_time older than 30 minutesauth_time older than 30 minutes
This is a workaround for an Okta behaviour where some user types won't be asked to reauthenticate even when max_age is set on the OAuth request. We check the auth_time of the ID token ourselves in the identity middleware, ensuring that it is within max_age. If it isn't, we revoke the access token, clear the token cookies, and redirect the browser to the Gateway /reauthenticate endpoint, which always shows a sign-in form.
raphaelkabo
force-pushed
the
rk/okta-validate-auth-time
branch
from
6ef9a3d to
d94524e
Compare
coldlink
approved these changes
Jan 29, 2024
|
Overdue on PROD (merged by @raphaelkabo 15 minutes and 4 seconds ago) What's gone wrong? |
|
Seen on PROD (merged by @raphaelkabo 46 minutes and 52 seconds ago) Please check your changes! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes
Context
After deploying #1294 and enabling Okta on PROD manage-frontend, we discovered an Okta behaviour which was undocumented in the sense that it was only documented in a modal in the UI, three layers down, after you clicked a specific radio button, and the actual documentation completely contradicted it:
One is reminded of a quote from The Hitchhiker's Guide To The Galaxy:
What this means in practice is that, when passing the
max_ageparameter when requesting OAuth tokens:max_ageFEDERATIONorSOCIALtypes (i.e. social login users who have never set a password) will never be forced to sign in again as long as their global Okta session is not expired. This is probably most of our social users.This behaviour means that we can't reliably enforce the MMA behaviour where a user must reauthenticate if they last authenticated more than 30 minutes ago using Okta settings alone.
For this reason, this PR adds the following check into
identityMiddleware:auth_timeclaim longer than 30 minutes in the past?/reauthenticateroute. This route always shows a signin form, irrespective of any session set in the browser. This essentially replicates the previous, IDAPI behaviour in MMA.signedInNotRecentlybut allowed to proceed to the route. This again replicates the old IDAPI behaviour.The
auth_timeclaimAccording to the OpenID spec, and confirmed by Okta, the
auth_timeclaim is "Time when the End-User authentication occurred" in UNIX seconds, which in Okta land means the last time the user actively authenticated, i.e. created their Okta session. The OpenID spec states thatauth_timeis returned whenever themax_ageparameter is sent in the OAuth request, which in MMA is always. The Okta docs state thatauth_timeis a 'base claim', always returned. We've added logging in the check forauth_timewhich will give us data on missingauth_timeclaims, if any.Further reading for nerds here:
Other changes
auth_timebehaviour, which sets the Oktamax_ageto a very short value and attempts to refresh the page, expecting to be redirected.async, the top-level middleware does this once and passes it down the chain. This also required a lot of refactoring in tests.identityMiddlewareerror states to a new frontend error page,/sign-in-error, which shows a more helpful message and a link to sign out, which is likely to resolve edge-case sign in issues:Testing