Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(oauth2): revalidate access tokens #4603

Merged
merged 5 commits into from
Sep 19, 2024
Merged

feat(oauth2): revalidate access tokens #4603

merged 5 commits into from
Sep 19, 2024

Conversation

danielkelemen
Copy link
Member

related to #4585

@danielkelemen danielkelemen added ci:run Runs the integration tests for the Run distribution. ci:spring-boot Runs the integration tests for the Spring Boot starter. labels Sep 13, 2024
@danielkelemen danielkelemen self-assigned this Sep 13, 2024
@danielkelemen danielkelemen mentioned this pull request Sep 13, 2024
Closed
1 task
@danielkelemen
Copy link
Member Author

danielkelemen commented Sep 17, 2024
edited
Loading

❌ The user remains logged in after the token is expired. When I use this scope for okta:

Some details to this:
Our AuthorizeTokenFilter uses the OAuth2AuthorizedClientManager, that tries to re-authorize the client using different oauth2 grants (auth code, refresh token etc.). When none of these succeed, it just returns the existing client from the context: ref, even if it contains an already expired access token.
In AuthorizeTokenFilter we also need to handle this use-case.

Why isn't the refresh working?
Okta doesn't support the refresh grant by default, only if the offline_access scope is defined (docs).

Solution:
After the authorize re-check token expiry and clear context if it's still expired.

danielkelemen and others added 2 commits September 17, 2024 12:06
@danielkelemen
handle missing authorization grants
8b004df
@danielkelemen @yanavasileva
Update spring-boot-starter/starter-security/src/main/java/org/camunda…
742680e 
…/bpm/spring/boot/starter/security/oauth2/impl/AuthorizeTokenFilter.java

Co-authored-by: yanavasileva <[email protected]>
yanavasileva
yanavasileva reviewed Sep 17, 2024
View reviewed changes
Copy link
Member

@yanavasileva yanavasileva left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 I have a comment for the clock.

Tested with Okta after log out+5 min:

2024-09-17T17:11:27.830+02:00 DEBUG 24580 --- [nio-8080-exec-7] o.c.b.s.b.s.s.o.i.AuthorizeTokenFilter   : Authorize successful, access token expiry: 2024-09-17T15:11:42.154988400Z
2024-09-17T17:11:27.831+02:00 DEBUG 24580 --- [nio-8080-exec-7] s.b.s.s.o.i.OAuth2AuthenticationProvider : Authenticated user 'peter'
2024-09-17T17:11:27.835+02:00 DEBUG 24580 --- [nio-8080-exec-7] o.c.b.s.b.s.s.o.i.OAuth2IdentityProvider : Using OAuth2IdentityProvider
2024-09-17T17:11:27.835+02:00 DEBUG 24580 --- [nio-8080-exec-7] o.c.b.s.b.s.s.o.i.OAuth2IdentityProvider : Using OAuth2IdentityProvider
2024-09-17T17:11:27.836+02:00 DEBUG 24580 --- [nio-8080-exec-7] o.c.b.s.b.s.s.o.i.OAuth2IdentityProvider : Using OAuth2IdentityProvider
2024-09-17T17:11:49.080+02:00  WARN 24580 --- [nio-8080-exec-5] o.c.b.s.b.s.s.o.i.AuthorizeTokenFilter   : Authorize failed: could not re-authorize expired access token

...main/java/org/camunda/bpm/spring/boot/starter/security/oauth2/impl/AuthorizeTokenFilter.java Outdated Show resolved Hide resolved
yanavasileva
yanavasileva approved these changes Sep 19, 2024
View reviewed changes
Copy link
Member

@yanavasileva yanavasileva left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 Looks good. I re-tested okta with clear user sessions, seems fine to me. I didn't test cognito.

2024-09-19T08:49:47.941+02:00 DEBUG 29164 --- [nio-8080-exec-7] o.c.b.s.b.s.s.o.i.AuthorizeTokenFilter   : Authorize successful, access token expiry: 2024-09-19T06:54:47.511099300Z
2024-09-19T08:49:47.943+02:00 DEBUG 29164 --- [nio-8080-exec-4] s.b.s.s.o.i.OAuth2AuthenticationProvider : Authenticated user 'peter'
2024-09-19T08:49:47.943+02:00 DEBUG 29164 --- [nio-8080-exec-7] s.b.s.s.o.i.OAuth2AuthenticationProvider : Authenticated user 'peter'
2024-09-19T08:55:41.275+02:00  WARN 29164 --- [nio-8080-exec-4] o.c.b.s.b.s.s.o.i.AuthorizeTokenFilter   : Authorize failed: [invalid_grant] The refresh token is invalid or expired.

@yanavasileva
Copy link
Member

Distro-ee is failing, but it's seems flakiness or not up-to-date branch.

@danielkelemen
Copy link
Member Author

danielkelemen commented Sep 19, 2024
edited
Loading

Distro-ee is failing, but it's seems flakiness or not up-to-date branch.

Yes, something is off with the package.json, probably not up to date as I didn't change anything there.

@danielkelemen danielkelemen merged commit f8142ef into master Sep 19, 2024
2 of 3 checks passed
@danielkelemen danielkelemen deleted the 4585-oauth2-revalidation branch September 19, 2024 07:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yanavasileva yanavasileva yanavasileva approved these changes

Assignees

@danielkelemen danielkelemen

Labels
ci:run Runs the integration tests for the Run distribution. ci:spring-boot Runs the integration tests for the Spring Boot starter.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@danielkelemen @yanavasileva