Fix HTTP_Status on OAuth2 refresh token redirect #15336
Conversation
huberty89
requested review from
lukasz-walkiewicz,
Praveen2112,
skrzypo987 and
kokosing
and removed request for
lukasz-walkiewicz
core/trino-main/src/test/java/io/trino/server/ui/TestWebUi.java
Outdated
Show resolved
Hide resolved
huberty89
force-pushed
the
huberty89/fix-oauth-refresh-on-post-method
branch
2 times, most recently
from
389c3c1
to
bb62f43
Compare
| @@ -772,6 +811,24 @@ private void assertAuth2Authentication(HttpServerInfo httpServerInfo, String acc | |||
| assertResponseCode(client, getLocation(baseUri, "/ui/unknown"), SC_NOT_FOUND); | |||
| assertResponseCode(client, getLocation(baseUri, "/ui/api/unknown"), SC_NOT_FOUND); | |||
|
|
|||
| if (refreshTokensEnabled) { | |||
| // wait till auth token expires | |||
| Thread.sleep(Duration.between(ZonedDateTime.now(), authTokenExpiration).toMillis()); | |||
There was a problem hiding this comment.
Could you issue an already expired token? To get rid of this the sleep.
| String state = newJwtBuilder() | ||
| .signWith(hmacShaKeyFor(Hashing.sha256().hashString(STATE_KEY, UTF_8).asBytes())) | ||
| .setAudience("trino_oauth_ui") | ||
| .setExpiration(Date.from(ZonedDateTime.now().plusMinutes(10).toInstant())) | ||
| .setExpiration(Date.from(authTokenExpiration.toInstant())) |
There was a problem hiding this comment.
This change is probably not needed, state is only a part of the authorization challenge https://www.rfc-editor.org/rfc/rfc6749#section-4.1.1 so its expiration shouldn't matter.
There was a problem hiding this comment.
Right, I mixed them up, reverted
| @@ -772,6 +811,24 @@ private void assertAuth2Authentication(HttpServerInfo httpServerInfo, String acc | |||
| assertResponseCode(client, getLocation(baseUri, "/ui/unknown"), SC_NOT_FOUND); | |||
| assertResponseCode(client, getLocation(baseUri, "/ui/api/unknown"), SC_NOT_FOUND); | |||
|
|
|||
| if (refreshTokensEnabled) { | |||
There was a problem hiding this comment.
nit: extract to a method?
There was a problem hiding this comment.
Extracted because now I use this part in two places
| @@ -148,6 +152,8 @@ | |||
| private static final String TEST_PASSWORD2 = "test-password2"; | |||
| private static final String HMAC_KEY = Resources.getResource("hmac_key.txt").getPath(); | |||
| private static final PrivateKey JWK_PRIVATE_KEY; | |||
| private static final String REFRESH_TOKEN = "REFRESH_TOKEN"; | |||
| private static final int REFRESH_TOKEN_TIMEOUT_MINUTES = 5; | |||
There was a problem hiding this comment.
nit: How about using a Duration
| .putAll(OAUTH2_PROPERTIES) | ||
| .put("http-server.authentication.oauth2.jwks-url", jwkServer.getBaseUrl().toString()) | ||
| .put("http-server.authentication.oauth2.refresh-tokens", "true") | ||
| .put("http-server.authentication.oauth2.refresh-tokens.issued-token.timeout", REFRESH_TOKEN_TIMEOUT_MINUTES + "m") |
There was a problem hiding this comment.
This is a timeout for the token minted by us (i.e with access token and refresh token) - can we have a test where the minted refresh token is expired ?
There was a problem hiding this comment.
I added additional test to test if it really expires: testOAuth2AuthenticatorRefreshTokenExpiration
huberty89
force-pushed
the
huberty89/fix-oauth-refresh-on-post-method
branch
2 times, most recently
from
e6fd9b0
to
523e1f3
Compare
|
I pushed updated version. |
huberty89
force-pushed
the
huberty89/fix-oauth-refresh-on-post-method
branch
from
523e1f3
to
9a7593c
Compare
| { | ||
| claims = new DefaultClaims(createClaims()); | ||
| claims.putAll(additionalClaims); | ||
| this.accessTokenValidity = accessTokenValidity; |
huberty89
force-pushed
the
huberty89/fix-oauth-refresh-on-post-method
branch
from
9a7593c
to
a0241a8
Compare
|
I hit flaky test #15293 |
| private static void assertCookieWithRefreshToken(TestingTrinoServer server, HttpCookie authCookie, String accessToken) | ||
| { | ||
| TokenPairSerializer tokenPairSerializer = server.getInstance(Key.get(TokenPairSerializer.class)); | ||
| TokenPairSerializer.TokenPair deserialize = tokenPairSerializer.deserialize(authCookie.getValue()); |
There was a problem hiding this comment.
nit: Can we import TokenPair directly ?
| HttpCookie cookie = getOnlyElement(cookieManager.getCookieStore().getCookies()); | ||
| assertCookieWithRefreshToken(server, cookie, oauthClient.getAccessToken()); | ||
|
|
||
| String location = getLocation(baseUri, "/ui/api/query/20221206_145344_00001_qe6gw/killed"); |
There was a problem hiding this comment.
Is it possible for us to check with an existing API. The QueryId doesn't exists in the testing server right ?
There was a problem hiding this comment.
Can we use validApiLocation here ?
There was a problem hiding this comment.
I could replace all of this with:
assertResponseCode(client, getValidApiLocation(baseUri), SC_TEMPORARY_REDIRECT);
assertOk(client, getValidApiLocation(baseUri));
but getValidApiLocation returns an URL to GET endpoint and here I used PUT method.
Ok, I will replace that. It's much more readable.
When refresh token is retrieved for UI, currently we were sending HTTP Status 303, assuming that all the request will just repeat the call on the Location header. When this works for GET/PUT verbs, it does not for non-idempotent ones like POST, as every js http client should do a GET on LOCATION after 303 on POST. Due to that I change it to 307, that should force every client to repeat exactly the same request, no matter the verb. Co-authored-by: s2lomon <[email protected]>
huberty89
force-pushed
the
huberty89/fix-oauth-refresh-on-post-method
branch
from
a0241a8
to
fe1e1c8
Compare
|
Merged, thanks! |
Description
When refresh token is retrieved for UI, currently we were sending HTTP Status 303, assuming that all the request will just repeat the call on the Location header. When this works for GET/PUT verbs, it does not for non-idempotent ones like POST, as every JS HTTP client should do a GET on LOCATION after 303 on POST. Due to that I change it to 307, that should force every client to repeat the exactly the same request, no matter the verb.
This PR replaces #15184
Release notes
( ) This is not user-visible or docs only and no release notes are required.
( ) Release notes are required, please propose a release note for me.
(x) Release notes are required, with the following suggested text: