Add an admin endpoint to allow authorizing server to signal token revocations #16125

H-Shay · 2023-08-16T22:23:16Z

As the title states - the endpoint removes the introspection token corresponding to the token id presented to the endpoint from the token cache.

This branch is based on the branch at #16117 and is a follow-up to that PR.

synapse/rest/admin/oidc.py

…eleted

H-Shay · 2023-08-20T23:30:51Z

synapse/rest/admin/devices.py

+        #  device_id -> introspection_token
+        # TODO: is there a way to check if the deletion request has come from MAS/OIDC
+        # authorizing server and only invalidate if that's the case?
+        if self.config.experimental.msc3861.enabled:


I am assuming this is the endpoint that MAS uses to delete devices?

Thinking about it: we should put this somewhere where all device deletion requests hit it. That way any log out / device deletion correctly ensures the device isn't usable?

Maybe in the data store?

Hilariously I started with it there and then convinced myself that was overly broad - I've moved it back now.

…/synapse into shay/revoke_token_api

erikjohnston · 2023-08-22T12:06:30Z

synapse/util/caches/expiringcache.py

@@ -140,6 +140,21 @@ def pop(self, key: KT, default: T = SENTINEL) -> Union[VT, T]:

        return value.value

+    def invalidate(self, keys: List[KT]) -> None:


invalidate on the other caches just invalidates a single key. Let's do the same thing here to avoid confusion

tests/replication/test_intro_token_invalidation.py

…oken revocations (#16125)" This reverts commit 69048f7.

H-Shay added 6 commits August 15, 2023 14:27

add an expiring cache to _introspect_token

9db3a90

add some tests

e4dfba4

newsfragment

d3841eb

requested changes

400c90d

add admin api for authorizing server to signal token revocations

f4d8665

tests

ea6029e

H-Shay requested a review from a team as a code owner August 16, 2023 22:23

newsfragment

b928e90

H-Shay mentioned this pull request Aug 16, 2023

Caching of token introspection response when using MSC3861 auth #16087

Closed

erikjohnston reviewed Aug 17, 2023

View reviewed changes

synapse/rest/admin/oidc.py Outdated Show resolved Hide resolved

synapse/rest/admin/oidc.py Outdated Show resolved Hide resolved

Base automatically changed from shay/token_cache to develop August 17, 2023 17:53

H-Shay added 4 commits August 20, 2023 14:46

add functionality to stream token invalidations over replication

ed62b90

stream token cache invalidations when token is revoked or device is d…

281212b

…eleted

tests

7d16067

Merge branch 'develop' into shay/revoke_token_api

c26939d

H-Shay commented Aug 20, 2023

View reviewed changes

H-Shay requested a review from erikjohnston August 20, 2023 23:31

erikjohnston added the X-Release-Blocker Must be resolved before making a release label Aug 21, 2023

H-Shay added 4 commits August 21, 2023 10:51

invalidate token cache when deleting device at store level

d2bf3a9

invlaidate cache when deleting in store

bf29497

Merge branch 'shay/revoke_token_api' of https://github.com/matrix-org…

14d7c65

…/synapse into shay/revoke_token_api

fix stray extra space

becf6a6

erikjohnston reviewed Aug 22, 2023

View reviewed changes

erikjohnston added 2 commits August 22, 2023 13:18

Make invalidate take a single key

ef7d25a

Lint

e03672e

clokep reviewed Aug 22, 2023

View reviewed changes

tests/replication/test_intro_token_invalidation.py Outdated Show resolved Hide resolved

erikjohnston added 2 commits August 22, 2023 13:33

License

58d49b5

Fix test

ec5f576

erikjohnston enabled auto-merge (squash) August 22, 2023 14:13

erikjohnston approved these changes Aug 22, 2023

View reviewed changes

erikjohnston merged commit 69048f7 into develop Aug 22, 2023
37 checks passed

erikjohnston deleted the shay/revoke_token_api branch August 22, 2023 14:15

sandhose mentioned this pull request Aug 31, 2023

Fix device deletion with MSC3861 enabled #16216

Closed

clokep mentioned this pull request Sep 5, 2023

Synapse-1.91.1 unittest fails with Postgres DB due to missing optional authlib dependency #16244

Closed

sandhose mentioned this pull request Sep 5, 2023

Revert MSC3861 introspection cache, admin impersonation and account lock #16258

Merged

sandhose added a commit that referenced this pull request Sep 5, 2023

Revert "Add an admin endpoint to allow authorizing server to signal t…

be3aa4e

…oken revocations (#16125)" This reverts commit 69048f7.

erikjohnston mentioned this pull request Sep 7, 2023

Reintroduce token cache for MSC3861 OIDC auth #16275

Open

matrixbot mentioned this pull request Dec 22, 2023

Reintroduce token cache for MSC3861 OIDC auth element-hq/synapse#16275

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add an admin endpoint to allow authorizing server to signal token revocations #16125

Add an admin endpoint to allow authorizing server to signal token revocations #16125

H-Shay commented Aug 16, 2023 •

edited

Loading

H-Shay Aug 20, 2023

erikjohnston Aug 21, 2023

erikjohnston Aug 21, 2023

H-Shay Aug 21, 2023

erikjohnston Aug 22, 2023

		@@ -140,6 +140,21 @@ def pop(self, key: KT, default: T = SENTINEL) -> Union[VT, T]:

		return value.value

		def invalidate(self, keys: List[KT]) -> None:

Add an admin endpoint to allow authorizing server to signal token revocations #16125

Add an admin endpoint to allow authorizing server to signal token revocations #16125

Conversation

H-Shay commented Aug 16, 2023 • edited Loading

H-Shay Aug 20, 2023

Choose a reason for hiding this comment

erikjohnston Aug 21, 2023

Choose a reason for hiding this comment

erikjohnston Aug 21, 2023

Choose a reason for hiding this comment

H-Shay Aug 21, 2023

Choose a reason for hiding this comment

erikjohnston Aug 22, 2023

Choose a reason for hiding this comment

H-Shay commented Aug 16, 2023 •

edited

Loading