Fix OIDC refresh token flow when using the cookie splitter #1580
Conversation
…n set within the current request Signed-off-by: Jochen Kressin <[email protected]>
jochen-kressin
requested review from
cliu123,
cwperks,
DarshitChanpura,
davidlago,
peternied,
RyanL1997 and
stephen-crawford
as code owners
| // We don't want to mix and match between _states and .state. | ||
| // If we find the first additional cookie in _states, we | ||
| // use _states for all subsequent additional cookies | ||
| const requestHasNewerCookieState = rawRequest._states && rawRequest._states[cookiePrefix + 1]; |
There was a problem hiding this comment.
@cwperks Here I deviated a bit from the original code that I posted in your PR.
I added a check to make sure that we don't mix and match between whatever is in '_states' and '.state'.
Probably just a theoretical risk, but if the new token would use less cookies than the previous one, the unsplit cookie would contain a mix between the two without this check in place. Hope that's ok.
There was a problem hiding this comment.
This makes sense to me. We would not want to end up with a bad cookie caused due to mix-up.
jochen-kressin
changed the title
|
I removed the Draft status from this PR. While we still need integration tests for this, it probably makes sense to add those in a separate PR even though they should end up in this repository. So from my side I'd consider this PR finished unless there are any changes wanted. Feedback is always welcome :) |
| // We don't want to mix and match between _states and .state. | ||
| // If we find the first additional cookie in _states, we | ||
| // use _states for all subsequent additional cookies | ||
| const requestHasNewerCookieState = rawRequest._states && rawRequest._states[cookiePrefix + 1]; |
There was a problem hiding this comment.
This makes sense to me. We would not want to end up with a bad cookie caused due to mix-up.
|
CI is being fixed by: #1596 |
|
@DarshitChanpura Thanks for merging! As per Peter's comment: #1567 (comment), this should be backported to 1.x together with the "offending" original cookie splitting PR: #1352 What is the process for getting things into the correct branch...? |
Codecov Report
@@ Coverage Diff @@
## main #1580 +/- ##
=======================================
Coverage 66.18% 66.18%
=======================================
Files 93 93
Lines 2339 2339
Branches 317 317
=======================================
Hits 1548 1548
Misses 722 722
Partials 69 69 |
IMO they should be combine into one so we have a clean commit history. |
|
I have tested @jochen-kressin's security frontend fork with my local set up based on
|
…n set within the current request (#1580) Signed-off-by: Jochen Kressin <[email protected]> Co-authored-by: Darshit Chanpura <[email protected]> (cherry picked from commit d575e00)
…n set within the current request (#1580) Signed-off-by: Jochen Kressin <[email protected]> Co-authored-by: Darshit Chanpura <[email protected]> (cherry picked from commit d575e00)
|
Merging, for more details about the cypress failure lets followup on #1599 |
…n set within the current request (#1580) (#1603) Signed-off-by: Jochen Kressin <[email protected]> Co-authored-by: Darshit Chanpura <[email protected]> (cherry picked from commit d575e00) Co-authored-by: Jochen Kressin <[email protected]>
…n set within the current request (#1580) (#1602) Signed-off-by: Jochen Kressin <[email protected]> Co-authored-by: Darshit Chanpura <[email protected]> (cherry picked from commit d575e00) Co-authored-by: Jochen Kressin <[email protected]> Co-authored-by: Darshit Chanpura <[email protected]>
Description
This PR fixes a regression regarding the OIDC refresh token flow, caused by the move to the split cookies here: #1352
It closes #1522 and is based on the research made by @cwperks in #1569.
In short, while the refresh token flow was still working correctly, the cookie splitter would not have access to the new idToken that was written to the cookie in the process of refreshing the token. Even though the new value was written, the cookie splitter could not access that value until the next request lifecycle. This caused a "Token expired" and the user would be unauthenticated.
TODO
End to end testing, but we will most likely do that in a separate PR.
Category
Bug fix
Why these changes are required?
To make sure that the OIDC refresh token flow works as expected.
What is the old behavior before changes and new behavior after changes?
If an idToken expires while the user is idle, the user would be unauthenticated even though the IdP provided a refreshed token.
The new behaviour corrects the refresh token flow, and the user stays authenticated.
Issues Resolved
#1522
Testing
Unit tests were added
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.