Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[ARXIVCE-2684] upstream develop to master #326

Merged
merged 38 commits into from
Oct 16, 2024
Merged

[ARXIVCE-2684] upstream develop to master #326

merged 38 commits into from
Oct 16, 2024

Conversation

dginev
Copy link
Contributor

@dginev dginev commented Oct 16, 2024

PR brings #299 and #325 from develop to master

@ntai-arxiv
OpenID connect client library - eyeing toward deploying keycloak
9d528f7
@ntai-arxiv
Work dump
4765e51
@ntai-arxiv
Add JWT token making interface
c1d4037
@ntai-arxiv
User claim dictionary slightly smaller. Apprently, nginx default head…
7ccb479 
…er buffer size is 4k, and the claim == token being bloated is not a good idea.
@ntai-arxiv
Redo - simplify
0a76ef3
@ntai-arxiv
Update Role names - less cryptic.
e4d4bfd
@ntai-arxiv
Add client secret support.
03df0e9
@ntai-arxiv
logout URL is no longer a proprety, it's now a function and you can p…
5b6c747 
…rovide alternate logout URL.

claims gets id_token property.
@ntai-arxiv
oops.
de6dbcd
@ntai-arxiv
naming is hard.
1f0b695
@ntai-arxiv
Redo the oidc and user claims - make cookie/claims smaller.
ecfc74c
@ntai-arxiv
:(
4934e21
@ntai-arxiv
Start of bridging the oauth2 cookie to legacy.
49a18a8
@ntai-arxiv
some progerss made.
cc0597a
@ntai-arxiv
1 - Add "aud" checking to pass for oidc_idp.py
2ee7f64 
2 - user_claims.py - token needs more diet. Gave up on including access and id tokens in the secret part. Only encrypt the user's property part. Access token is only needed for talking to Keycloak, and payload is for us.
3. Creating tapir session needs transaction. It is adding the tapir session successfully.
@ntai-arxiv
Ues all but "aud" token verity.
190a236 
I'm not understanding why Keycloak made account has no "aud" while using legacy auth has it. In any rate, I think we don't care where the accounts come from.

Token pack/unpack was totally busted, and now fixed.
@ntai-arxiv
Support refreshing access token. The claims now includes the refresh …
f23b810 
…toke for it. The payload size is a bit tight.
@ntai-arxiv
" " space was a bad choice for the delimiter.
ca287e1
@ntai-arxiv
Finish off implementing the token refresh. The refresh is untested fo…
4c6b9ac 
…r now.
@ntai-arxiv
Nit fix, and use user_id rather than email for setting up Tapir. user…
80f658c 
…_id doesn't change while email may.
@ntai-arxiv
Merge branch 'develop' into ntai/openid-connect-step-1
44ed197
@ntai-arxiv
Remove the "transaction" thing. It broke. Also fix a stupidity.
df06d5a
@ntai-arxiv
Change the token format and make it future proof by a version prefix.
bfb93c6 
User claim's user ID "may not be integer" in rare occasion so be defensive.

 Fix the refresh token handling.
@ntai-arxiv
Include the token expiration timestamp in the return value of encode_…
a86117c 
…jwt_token
@ntai-arxiv
refresh token, the function now only need the refresh token only rath…
1ca5c01 
…er than the user claims.
@ntai-arxiv
Try not using access token (usu payload) instead for the user claims.…
683177a 
… This saves about 1k in size.

validate_access_token may not be RSA key. This isn't implementing the other key types but needs some research that which key type is the smallest.
@ntai-arxiv
Just curious what's in the refresh token. it may not work and it's okay.
399fb44
@ntai-arxiv
Merge branch 'develop' into ntai/openid-connect-step-1
1c7c86d
@ntai-arxiv
Fix test_keycloak.py to run in the github action.
c71dab8
@ntai-arxiv
no --headless exist for pytest.
29e262a
@dginev dginev requested a review from a team October 16, 2024 15:54
@dginev dginev merged commit bb4edc4 into master Oct 16, 2024
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jonathanhyoung jonathanhyoung jonathanhyoung approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@dginev @jonathanhyoung @ntai-arxiv