Refresh tokens improvements #13168
core/trino-main/src/main/java/io/trino/server/security/oauth2/JweTokenSerializer.java
core/trino-main/src/main/java/io/trino/server/ui/OAuth2WebUiAuthenticationFilter.java
40fe6c9 to d4eef71
f374374 to 579c9b6
Not really related, but since you're already making changes in this area, we could consider adding additional token logging, probably behind a flag, to make debugging easier. Similar to Hydra's LOG_LEAK_SENSITIVE_VALUES: https://www.ory.sh/docs/ecosystem/logging
We can discuss this offline, as it is a potential security issue. Recommendations are that we should not log anything security related, so I'm a bit hesitant.
I agree with @s2lomon, we shouldn't be logging any security tokens, passwords, or other sensitive information. Imagine that the logs can always be read by a malicious party and act accordingly.
cmt msg: into account?
Additional than in the commit message.
579c9b6 to b0e7761
Praveen2112 left a comment
LGTM some minor cleanups.
No, because this method is a void one (as we modify the response in Filter, rather than creating and returning it). So I need to return somewhere, to stop further processing. Still, I will change it to if-else as it seems clearer than this return;
Should this be a part of the next commit?
I think it belongs here, as before we were mixing up handling errors from the refreshToken flow for api and non-api calls.
Additional than in the commit message.
Can we revert this change isValidPrincipal?
It's just a method reordering, as I'm adding a few new ones. I've not added this method (although it seems as if I did in the diff).
- Extract method to keep existing conventions for response creation
- Filter out outdated tokens instead of trying to obtain claims for them
Previously, only requests for ui pages were taken into account for the token refresh. After this change, every call for the ui, including the api ones to fill existing charts etc., will benefit from refresh tokens. The end result is that when refresh tokens are enabled, the user should never be asked to relog, as long as the site is active and any secure communication goes through to the coordinator.
There might be a scenario when a refresh token won't be issued, even if it's expected from the trino coordinator. Such cases should be handled gracefully.
b0e7761 to d5371c2
When our internal token has been issued for a shorter time than the refresh token from the idp, or if the idp starts to reject already issued refresh tokens, we need to capture every possible exception and restart the whole login.
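The fallback behaviour described in the commit messages above, as an added Java sketch that is not code from this PR or from Trino. `Tokens`, `IdpClient`, `Outcome` and `handle` are hypothetical names, the sample values are constructed, and treating an already-expired refresh result as a login restart is an assumption about what "filter out outdated tokens" means.

```java
import java.time.Instant;
import java.util.Optional;

public class RefreshFlowSketch {
    // Hypothetical stand-in for the token pair kept by the web UI; not Trino's class.
    record Tokens(String accessToken, Instant expiration, Optional<String> refreshToken) {}

    // Hypothetical IdP client; throws when the IdP rejects the refresh token.
    interface IdpClient { Tokens refresh(String refreshToken) throws Exception; }

    enum Outcome { CONTINUE, CONTINUE_WITH_NEW_TOKENS, RESTART_LOGIN }

    // Same decision for page requests and UI api calls.
    static Outcome handle(Tokens current, Instant now, IdpClient idp) {
        if (now.isBefore(current.expiration())) {
            return Outcome.CONTINUE; // token still valid, nothing to refresh
        }
        if (current.refreshToken().isEmpty()) {
            return Outcome.RESTART_LOGIN; // no refresh token was issued
        }
        try {
            Tokens renewed = idp.refresh(current.refreshToken().get());
            // Assumption: an outdated result is dropped, not parsed for claims.
            return now.isBefore(renewed.expiration())
                    ? Outcome.CONTINUE_WITH_NEW_TOKENS
                    : Outcome.RESTART_LOGIN;
        }
        catch (Exception e) {
            // Any failure restarts the login; log the failure type, never token values.
            System.err.println("token refresh failed: " + e.getClass().getSimpleName());
            return Outcome.RESTART_LOGIN;
        }
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2022-07-01T12:00:00Z"); // constructed sample time
        Tokens expired = new Tokens("access-1", now.minusSeconds(60), Optional.of("refresh-1"));
        Tokens noRefresh = new Tokens("access-2", now.minusSeconds(60), Optional.empty());
        IdpClient accepting = rt -> new Tokens("access-3", now.plusSeconds(3600), Optional.of(rt));
        IdpClient rejecting = rt -> { throw new IllegalStateException("invalid_grant"); };

        System.out.println(handle(expired, now, accepting));
        System.out.println(handle(expired, now, rejecting));
        System.out.println(handle(noRefresh, now, accepting));
    }
}
```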
d5371c2 to f9a17d3
@s2lomon Can you please update the RN here.
Thanks for fixing this!!
@s2lomon pinging again on the topic of a release note - if you'd like to propose one, I think a bugfix like this would be worth mentioning, especially if any users were running into these bugs.
Description
It's a fix of two potential bugs
It improves handling of oauth2 refresh tokens
It makes the UI experience smoother and prevents us from rejecting possibly correct TokenPairs
Related issues, pull requests, and links
Documentation
(x) No documentation is needed.
( ) Sufficient documentation is included in this PR.
( ) Documentation PR is available with #prnumber.
( ) Documentation issue #issuenumber is filed, and can be handled later.
Release notes
( ) No release notes entries required.
(x) Release notes entries required with the following suggested text