Add checks for auth token validity #185

Open
2 of 4 tasks
Sigfried opened this issue Dec 2, 2022 · 2 comments
Labels
ease:3/3 3: easiest

Comments

@Sigfried
Collaborator

Sigfried commented Dec 2, 2022

Overview

Check token validity early and often.

Sub-tasks

  • 1. If enclave_wrangler request fails, check if token is dead, and print err about that if so.
  • 2. If token will expire soon (e.g. 2 weeks), print warning.
  • 3. Check on server start
  • 4. Optional: Check on schedule (e.g. daily) (harder)

Additional details

Here's how:

➜ curl -XGET https://unite.nih.gov/multipass/api/me -H "Authorization: Bearer $PALANTIR_ENCLAVE_AUTHENTICATION_BEARER_TOKEN"
{
  "id": "6387db50-9f12-48d2-b7dc-e8e88fdf51e3",
  "username": "UNITEConceptSetBulk@nih.gov",
  "attributes": {
    "multipass:organization": [
      "NIH"
    ],
    "multipass:email:primary": [
      "UNITEConceptSetBulk@nih.gov"
    ],
    "multipass:organization-rid": [
      "ri.multipass..organization.73f45502-dee1-46e9-ab49-64a738b13971"
    ],
    "upn": [
      "UNITEConceptSetBulkImportUser@nih.gov"
    ],
    "multipass:realm": [
      "nih-adfs"
    ],
    "multipass:realm-name": [
      "NIH Auth"
    ]
  }
}

➜ curl -XGET https://unite.nih.gov/multipass/api/token/ttl -H "Authorization: Bearer $PALANTIR_ENCLAVE_AUTHENTICATION_BEARER_TOKEN"
12654423

That last number is time-to-live in seconds.

I'm not sure where to run these checks. When the time is getting close, we need to ask Mariam Deacy to generate a new one for us.

@joeflack4
Member

joeflack4 commented Dec 3, 2022

I guess it's not a bad idea to do this. We can produce an error message that will be much clearer about what is going on and what to do (e.g. we can provide instructions in the error message w/ a link / how to renew).

When to do this though?

a. Proactively

We can check on every request, not just errors, and if it's going to expire soon, produce a warning with a lot of the same details. Perhaps we can set a config variable for how long before expiration we should warn. Maybe 2 weeks? Disadvantage is that this slows down the request cycle.

b. Reactively

Check only during exception handling. Advantage is that it won't slow down request cycle by doing a proactive check.

@Sigfried
Collaborator Author

Sigfried commented Dec 5, 2022

Not every request. Maybe when server starts, or daily.

@joeflack4 joeflack4 changed the title Add check for auth token validity Add checks for auth token validity Feb 22, 2023
@joeflack4 joeflack4 added this to the Unplanned milestone Apr 30, 2024
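
One way to implement the checks discussed in this issue, as an added example that is not code from the thread or from the project. It uses the TTL endpoint and environment variable shown above; the function names, the assumption that a dead token yields HTTP 401/403, and the assumption that the body is a plain integer of seconds are illustrative.

```python
import os
import urllib.error
import urllib.request

TTL_URL = "https://unite.nih.gov/multipass/api/token/ttl"   # endpoint from the issue
TOKEN_ENV = "PALANTIR_ENCLAVE_AUTHENTICATION_BEARER_TOKEN"  # env var from the issue
WARN_SECONDS = 14 * 24 * 3600  # the "2 weeks" threshold suggested in the issue


def fetch_ttl(token, url=TTL_URL, timeout=10):
    """Return (http_status, body) from the TTL endpoint. The token is never logged."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def classify(status, body, warn_seconds=WARN_SECONDS):
    """Map a TTL response to (state, message); state is ok/expiring/dead/unknown."""
    if status in (401, 403):  # assumption: a dead token is rejected with 401/403
        return "dead", "Enclave token rejected: request a new token."
    if status != 200:
        return "unknown", f"TTL endpoint returned HTTP {status}; token state not determined."
    try:
        ttl = int(body.strip())
    except ValueError:
        return "unknown", "TTL endpoint returned a non-numeric body."
    if ttl <= 0:
        return "dead", "Enclave token has expired: request a new token."
    if ttl < warn_seconds:
        return "expiring", f"Enclave token expires in {ttl // 86400} day(s): request renewal."
    return "ok", f"Enclave token valid for {ttl // 86400} more day(s)."


def check_token(fetch=fetch_ttl, environ=os.environ):
    """Call at server start, on a daily schedule, or from the request-failure handler."""
    token = environ.get(TOKEN_ENV)
    if not token:
        return "dead", f"{TOKEN_ENV} is not set."
    try:
        status, body = fetch(token)
    except OSError as err:  # URLError/timeouts: a network fault is not proof of a dead token
        return "unknown", f"Could not reach TTL endpoint: {err}"
    return classify(status, body)
```

Keeping `classify` separate from the HTTP call lets the same logic serve the startup check, a scheduled check, and the error path, and keeps a network outage from being reported as an expired token.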
Projects
Status: 3. Backlog