
How to validate third party auth token on server? #6443

Closed
Vortec4800 opened this issue Feb 26, 2020 · 7 comments

Comments

@Vortec4800
Contributor

I've got a custom authentication provider on the server, so there is a validateAuthData method on the server that works to validate a token. However the client (iOS in this case) only seems to validate the token on first login and never again, it just restores the original token from the keychain each launch.

Is there a way to get the system to re-validate the token? The desired behavior would be to revoke the login session (or something equivalent) if the authentication provider no longer validates tokens, like if an account is removed or disabled. Does this already exist?

@santiagosemhan

santiagosemhan commented Feb 28, 2020

Can you share your custom auth module? I think you can check this out https://docs.parseplatform.org/js/guide/#custom-authentication-module.
Every time you hit the server, session data is validated, so you could revoke the session and the client will be advised on the next request.

@Vortec4800
Contributor Author

Sure. This is a small module for Microsoft Graph SSO. The client is responsible for getting a valid OAuth token, and the server just tries to get the user's profile with the given token and make sure the user IDs match between the request and response.

I put a breakpoint on the validateAuthData function and it only ever seemed to get called during initial login and never again. Unless I'm missing what triggers re-auth?

// Custom auth adapter for Microsoft Graph SSO (provider key: cesmsgraph).
// Dependencies: lodash (`_`) and request-promise (`request`); `Parse` is the
// global Parse Server exposes to the modules it loads (require('parse/node') otherwise).
const _ = require('lodash');
const request = require('request-promise');

// Unwrap the provider-specific block when the whole authData object was passed
function providerData(authData) {
    return _.isUndefined(authData.cesmsgraph) ? authData : authData.cesmsgraph;
}

// Returns a promise that fulfills if this user id is valid.
async function validateAuthData(authData, options) {
    authData = providerData(authData);

    // Verify the access token by fetching the profile it belongs to
    let profile = await profileForAuthData(authData);

    let userID = profile['id'];

    // The id Graph returns for the token must match the id the client claimed
    if(userID === authData.id){
        return;
    } else {
        throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Microsoft auth is invalid for this user.');
    }
}

// Returns a promise that fulfills iff this app id is valid.
function validateAppId() {
    return Promise.resolve();
}

async function profileForAuthData(authData) {
    authData = providerData(authData);

    // Bearer auth: request's auth(user, pass, sendImmediately, bearer)
    let profileResponse = await request('https://graph.microsoft.com/v1.0/me').auth(null, null, true, authData['access_token']);
    let profile = JSON.parse(profileResponse);

    return profile;
}

module.exports.validateAppId = validateAppId;
module.exports.validateAuthData = validateAuthData;
module.exports.profileForAuthData = profileForAuthData;

@santiagosemhan

The session is validated every time in https://github.com/parse-community/parse-server/blob/master/src/Auth.js#L88 . But this checks that the session is stored in the Parse database. I don't know if you can hook this process and revalidate the token against Microsoft. (@davimacedo @dplewis)

Remember that authData is necessary at login time. Revalidating it might degrade performance.

@davimacedo
Member

I think there is no hook you can use to include an additional validation to the default one (against Parse Server database). Maybe beforeSessionValidation/afterSessionValidation would be a good new feature. In the meantime I'd try to add a middleware to handle this custom validation before Parse Server.

@Vortec4800
Contributor Author

I wouldn’t even mind something I could call client-side that asks the server to revalidate the current auth data instead of expecting the server to know when to check it. For some apps it may never need to revalidate, but for my use case we are using it to gate access to the app based on our organization’s Microsoft domain, so if you’re no longer an employee access is automatically revoked. That said checking once per app launch would be sufficient.

@santiagosemhan

santiagosemhan commented Feb 29, 2020

You could have an endpoint to invalidate the session when the user is no longer available. Call it when you retire the employee from the Microsoft domain. Or create a cron process that checks the employee status and, if needed, shuts down the session.
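Added example (not parse-server code and not the issue author's module): an Express-style middleware of the kind davimacedo suggests, mounted in front of Parse Server, that re-checks a session's Microsoft token at most once per TTL (the performance concern raised above) and revokes the session when the provider rejects it, which is the same revocation santiagosemhan's endpoint or cron would perform. `createRevalidator`, its injected `findUserBySession`/`revokeSession` helpers and the TTL cache are assumptions for illustration; 209 is Parse's INVALID_SESSION_TOKEN code, which makes the client drop its cached session.

```javascript
const INVALID_SESSION_TOKEN = 209; // Parse.Error.INVALID_SESSION_TOKEN

// Injected helpers (assumed, so the logic runs offline here):
//   findUserBySession(token) -> user object with authData, or null
//   validateAuthData(authData) -> resolves if the provider still accepts the token, rejects otherwise
//   revokeSession(token)     -> deletes the _Session row
//   ttlMs                    -> how long a successful provider check is trusted
function createRevalidator({ findUserBySession, validateAuthData, revokeSession, ttlMs = 60 * 60 * 1000, now = Date.now }) {
  const lastOk = new Map(); // sessionToken -> time of last successful provider check

  async function sessionStillValid(token) {
    const seen = lastOk.get(token);
    if (seen !== undefined && now() - seen < ttlMs) return true; // trusted until the TTL expires

    const user = await findUserBySession(token);
    // Unknown token (Parse Server rejects it itself) or a non-cesmsgraph login: nothing to re-check
    if (!user || !user.authData || !user.authData.cesmsgraph) return true;

    try {
      await validateAuthData(user.authData.cesmsgraph);
      lastOk.set(token, now());
      return true;
    } catch (err) {
      lastOk.delete(token);
      await revokeSession(token); // provider rejected the token: end the Parse session
      return false;
    }
  }

  // Express-style middleware; mount it on the Parse route ahead of the ParseServer app.
  return async function revalidate(req, res, next) {
    const token = req.headers['x-parse-session-token'];
    if (!token) return next(); // no session: let Parse Server handle the request as usual
    let ok;
    try {
      ok = await sessionStillValid(token);
    } catch (err) {
      return next(err); // a lookup failure is a server error, not a revocation
    }
    if (ok) return next();
    res.status(401).json({ code: INVALID_SESSION_TOKEN, error: 'Session revoked: third-party token is no longer valid.' });
  };
}

// Wiring against a real Parse Server (assumed, not exercised here):
//   findUserBySession: master-key Parse.Query(Parse.Session) by sessionToken with include('user'),
//   validateAuthData:  the cesmsgraph module's validateAuthData from the thread above,
//   revokeSession:     destroy that _Session object with the master key,
//   then app.use('/parse', createRevalidator({ ... })) before the ParseServer mount.
```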

@stale

stale bot commented Apr 14, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
