Updating redirect URIs of OAuth2 applications leads to invalidation of access and refresh tokens #180
DonMartin76 added a commit to apim-haufe-io/wicked.kong-adapter that referenced this issue on Mar 4, 2019.
maksimlikharev pushed a commit to clarivate/wicked.kong-adapter that referenced this issue on Apr 15, 2019.
* Work in progress - support all flows for portal-api
* Major cleanup - take out user consumers (a never published feature), take out oauth2 functionality completely (moved to kong-oauth2)
* Take out commented code
* Change to ISO date, adapt to node 8, add lock file.
* WIP - reference wicked-sdk from local directories - this has to be changed back again
* Assume Kong 0.11.2 as of wicked 0.12.5.
* Bump to version 0.12.5
* Updated dependencies
* Set installing wicked-sdk straight
* Launch configuration for vs code
* Refactorings:
  - Remove 'var' in the entire code base
  - Use logging component from portal-env
* Updated dependencies
* Updated dependencies
* Updated dependencies
* Adaption to breaking API change (items instead of direct array)
* Updated dependencies
* Updated dependencies
* Update to Kong 0.13.1
* Preserve calling host for swagger-ui API
* Updated dependencies
* Updated dependencies
* Updated dependencies
* Updated dependencies
* Upgrade to kong 14
* Migrate to using TypeScript to enable type hinting
* Take out the stupid "app" reference which was everywhere.
  - No idea why I did it that way back then.
* Clean up commented code
* Minor incompatibility between legacy and wicked SDK implementation.
* Add wicked groups as additional scopes to each API.
* Extract and name all Kong actions
* Migrate to 0.13+ API of Kong, using routes and services
* Patching and deleting plugins must be done on /plugins for services
* Full typing of Kong Adapter code - allows refactoring now
  - Bugfix: Getting by username does not work with query parameters -> returned entire list
* Don't use .total anymore, not always present
* Remove "total" property - not used anymore
* Add Prometheus global plugin always
* hide credentials flag propagation
* Patching an API plugin fixed (did not patch)
  - Some better logging output ("Updating consumers" only when it actually happens)
* Propagate hide credentials flag
* Hide credentials flag
* Rework consumer syncing; now works like all other entities
  - Portal and Kong consumers are retrieved individually
  - And synced subsequently
* Update package-lock
* Use internal portal URL for swagger UI forwarding
* Make communication with Kong more robust ("make Kong behave")
* Also use redis for response-ratelimiting kong plugin
* Updated dependencies
* Updated dependencies
* Dockerfile contained the wrong port
* Updated dependencies
* Updated dependencies
* Experimental support for bundling APIs (common use of tokens).
* Kong expects CORS methods to be string array
* Ouch
* Resync APIs every five minutes to check for updated scopes
* Updated dependencies
* Update to Kong 0.14.1
* Updated dependencies
* Try to fix premature Kong Adapter exit
* Don't answer 500 if Kong or wicked are not available
  - This would just trigger e.g. Kubernetes to restart the Kong Adapter
  - This is usually not necessary; the thing will restart itself after a while
* Support refresh_token_ttl in kong oauth2 plugin config (#10)
* Redo refresh_token_ttl changes (were not working as intended)
* Fix error logging; fix tsc compiler error (@types/node version)
* Updated dependencies
* Part II of fix Haufe-Lexware/wicked.haufe.io#127
* Updated dependencies
* Fixes Haufe-Lexware/wicked.haufe.io#140
* Fixes Haufe-Lexware/wicked.haufe.io#148
  - apply redis also to Plan rate limiting
* Removed package-lock.json
* Renaming of images (drop portal-)
* Corrected reverse build trigger
* Wrong base image for actual image, corrected.
* Enable building local docker images
* Fixes Haufe-Lexware/wicked.haufe.io#147
* Additional fixes for Haufe-Lexware/wicked.haufe.io#147
* Ignore build_date file
* Also ignore git_* files
* Bump to version 1.0.0-rc.1
* Remove versioning from portal-env.tgz
* Turn off caching when building docker image
* Bump to version 1.0.0-rc.2
* Endline
* Support for multiple redirectUris in the Kong Adapter
  - Fixes parts of Haufe-Lexware/wicked.haufe.io#178
* Not used file; deleted
* Added link to Haufe-Lexware/wicked.haufe.io#180
* Bump to version 1.0.0-rc.3
* Bump to version 1.0.0-rc.4
* Update morgan to 1.9.1
* Took out typescript dependency (moved to devDeps)
* Update async and request
* Fix typescript version for build and dev
Due to the way the Kong Adapter deals with the synchronization of clients/applications with Kong, changing the redirect URI of a wicked application leads to the deletion and re-creation of the oauth2 plugin of the corresponding Kong consumer. This in turn invalidates the records in the oauth2_tokens table of Kong, which are linked to the application via the oauth2 plugin ID ("credentials id"). There is by now a warning message in the wicked UI which warns about this behavior, but it would be better if the plugin records were patched instead of deleted and recreated. This can be tricky though, as the Kong Adapter must also detect dropped properties, which is implicit with the previous approach.
The place in the code has been marked with the link to this issue.
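To make the two strategies concrete, here is an added example in TypeScript (the Kong Adapter's language); it is not code from wicked, the Kong Adapter or Kong. It models the oauth2_credentials and oauth2_tokens tables in memory, runs "delete and recreate" and "patch in place" over the same redirect-URI change, and shows the dropped-property detection that a patch-based sync has to do explicitly. The field names follow the Kong oauth2 plugin; the cascading token delete, the set of managed fields, their defaults, and the sample application data are assumptions constructed for this example and were not verified against a specific Kong version.

```typescript
// Added example, not code from wicked, the Kong Adapter or Kong.
// Assumptions (not verified against a real Kong): deleting a credential
// removes the tokens that reference it, and a PATCH can set a managed
// field back to its default value.

interface OAuth2Credential {
  id: string;
  consumer_id: string;
  client_id: string;
  client_secret: string;
  name: string;
  redirect_uris: string[];
  hash_secret: boolean;
}

interface OAuth2Token {
  id: string;
  credential_id: string; // references oauth2_credentials.id
  access_token: string;
  refresh_token: string;
}

interface KongStore {
  oauth2_credentials: { [id: string]: OAuth2Credential };
  oauth2_tokens: { [id: string]: OAuth2Token };
}

// Fields the adapter derives from the wicked application. id, consumer_id,
// client_id and client_secret are identity and never appear in a patch.
type ManagedField = 'name' | 'redirect_uris' | 'hash_secret';
type DesiredState = Partial<Pick<OAuth2Credential, ManagedField>>;
const MANAGED_FIELDS: ManagedField[] = ['name', 'redirect_uris', 'hash_secret'];
const MANAGED_DEFAULTS: Pick<OAuth2Credential, ManagedField> = { name: '', redirect_uris: [], hash_secret: false };

let seq = 0;
const newId = (prefix: string): string => prefix + '-' + ++seq;

function createStore(): KongStore {
  return { oauth2_credentials: {}, oauth2_tokens: {} };
}

// Apply a patch body to a stored credential. Identity fields are untouched,
// so every oauth2_tokens row still points at a live credential afterwards.
function applyPatch(store: KongStore, existing: OAuth2Credential, patch: DesiredState): OAuth2Credential {
  const updated = { ...existing };
  MANAGED_FIELDS.forEach((field) => {
    if (patch[field] !== undefined) (updated as { [k: string]: unknown })[field] = patch[field];
  });
  store.oauth2_credentials[updated.id] = updated;
  return updated;
}

function createCredential(store: KongStore, consumerId: string, desired: DesiredState): OAuth2Credential {
  const base: OAuth2Credential = {
    id: newId('cred'), consumer_id: consumerId, client_id: newId('client'), client_secret: newId('secret'),
    name: MANAGED_DEFAULTS.name, redirect_uris: MANAGED_DEFAULTS.redirect_uris, hash_secret: MANAGED_DEFAULTS.hash_secret,
  };
  return applyPatch(store, base, desired);
}

function issueToken(store: KongStore, credentialId: string): OAuth2Token {
  const token: OAuth2Token = { id: newId('tok'), credential_id: credentialId, access_token: newId('at'), refresh_token: newId('rt') };
  store.oauth2_tokens[token.id] = token;
  return token;
}

// Removing a credential takes its tokens with it: the invalidation from the issue.
function deleteCredential(store: KongStore, credentialId: string): void {
  delete store.oauth2_credentials[credentialId];
  Object.keys(store.oauth2_tokens).forEach((id) => {
    if (store.oauth2_tokens[id].credential_id === credentialId) delete store.oauth2_tokens[id];
  });
}

function liveTokens(store: KongStore, credentialId: string): OAuth2Token[] {
  return Object.keys(store.oauth2_tokens).map((id) => store.oauth2_tokens[id]).filter((t) => t.credential_id === credentialId);
}

// Strategy 1, the behaviour the issue describes: drop the credential and create a
// fresh one. The new row has a new id (and new client_id/client_secret), so every
// token that referenced the old id is gone.
function syncByRecreate(store: KongStore, existing: OAuth2Credential, desired: DesiredState): OAuth2Credential {
  deleteCredential(store, existing.id);
  return createCredential(store, existing.consumer_id, desired);
}

// Strategy 2: diff the managed fields and patch only what changed. A managed field
// the desired state no longer carries counts as dropped and goes into the patch
// with its default; this is the detection step delete-and-recreate did implicitly.
function computePatch(existing: OAuth2Credential, desired: DesiredState): DesiredState {
  const patch: DesiredState = {};
  MANAGED_FIELDS.forEach((field) => {
    const wanted = desired[field] !== undefined ? desired[field] : MANAGED_DEFAULTS[field];
    if (JSON.stringify(existing[field]) !== JSON.stringify(wanted)) (patch as { [k: string]: unknown })[field] = wanted;
  });
  return patch;
}

interface ScenarioResult {
  recreateIdChanged: boolean; recreateTokensLeft: number;
  patchBody: DesiredState; patchIdChanged: boolean; patchTokensLeft: number; patchTokenStillValid: boolean;
}

// Constructed input: version 2 of the app adds a redirect URI and no longer
// carries hash_secret, so the patch must both change a field and reset one.
function runScenario(): ScenarioResult {
  const v1: DesiredState = { name: 'my-app', redirect_uris: ['https://app.example.com/cb'], hash_secret: true };
  const v2: DesiredState = { name: 'my-app', redirect_uris: ['https://app.example.com/cb', 'https://app.example.com/cb2'] };

  const a = createStore();
  const aCred = createCredential(a, 'consumer-1', v1);
  issueToken(a, aCred.id);
  const aNew = syncByRecreate(a, aCred, v2);

  const b = createStore();
  const bCred = createCredential(b, 'consumer-1', v1);
  const bToken = issueToken(b, bCred.id);
  const patch = computePatch(bCred, v2);
  const bNew = applyPatch(b, bCred, patch);
  const survivors = liveTokens(b, bNew.id);

  return {
    recreateIdChanged: aNew.id !== aCred.id,
    recreateTokensLeft: liveTokens(a, aCred.id).length + liveTokens(a, aNew.id).length,
    patchBody: patch,
    patchIdChanged: bNew.id !== bCred.id,
    patchTokensLeft: survivors.length,
    patchTokenStillValid: survivors.length === 1 && survivors[0].refresh_token === bToken.refresh_token,
  };
}
```

In a real adapter the body returned by computePatch would be sent as a PATCH to the credential's Admin API resource instead of deleting and re-creating it; whether a given Kong version lets a PATCH reset a dropped field to its default is exactly the open point the issue calls tricky, and the example only assumes it.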