-
-
Notifications
You must be signed in to change notification settings - Fork 4.2k
-
-
Notifications
You must be signed in to change notification settings - Fork 4.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support expiration for session creation #9074
Comments
@bokeh/dev would appreciate some ideas here. I have pushed off #3458 to 2.0 since it is going to be a larger effort and possibly also have breaking changes. But I would like to introduce session expiration now in a relatively forward compatible way. With #3458 I propose to use JWT tokens which an have fields for "expiration" and "not before". Is just adding the server option |
I don't know if it's really relevant here, but maybe adding features to the existing authentication implementation is not worth it given that it doesn't rely on the state of the server. |
@p-himik I have definitely seen articles that mention putting JWT tokens as Edit: for instance at https://jwt.io/introduction/
FWIW here are some objectives, I would definitely welcome input on anything I am off-base about:
I'm 100% open to any solution that offers:
This is not an area of expertise for me so I welcome any corrections (e.g. maybe I just have some basic misunderstanding of how cookies would apply here) |
@p-himik Also I think in the helpful article you linked that the situation here might actually fall fairly well under the final "So what are JWT tokens good for?" section: |
Full disclosure - I'm not a security expert as well. I have some anecdotal experience and have read a decent amount of articles on the topic. But don't take my word for granted. The Authorization header is not preserved between requests by itself - you have to always set it yourself. This means that, if a service doesn't use cookies at all, when a user refreshes a tab they will be prompted to login again. To prevent that, you have to use cookies. And if you already use them and the authentication server is the same as the application server, there's no point in using a separate header. After all, it will force you to set it manually for each request.
And they continue to be, as long as Bokeh uses an authentication solution that doesn't rely on some state on some server (i.e. sessions in some kind of DB). But it should still be possible to implement expiration date without any issues.
If the real concern of this issue is to mitigate the damage, I don't think expiry is a good solution. After all, you will have to ask users to login again pretty often, regardless of whether the token has somehow been leaked or not.
Yes. That's why Bokeh session ID and user (authentication) session ID must be different.
User session IDs must be passed to the auth server only inside cookies.
Why is this a desired behavior? Opening a new tab would require a user to login again. I can also see how just refreshing a page is used by users all the time to get the document at its initial state (the Reset button has its issues and limitations) - this workflow would definitely be disrupted and make such users furious.
Given my concern just above, I fail to see that. |
@p-himik Thank you for this valuable discussion. I will need to take some time to digest fully. But I did want to quickly offer some additional context that may be missing: First, all of this discussion really only applies to situations where authentication has happened upstream. I.e., using the new auth hooks recently made available. In that scenario, being authenticated means that the Bokeh server will agree to create a session. In that sense, the current session id (which I was proposing to use JWT tokens for instead) really are one-time just permission tokens. In particular, in those scenarios, a user could stay logged in! It just means reloads get them new sessions on the Bokeh server:
Here is video that illustrates this: I reloaded several times, without having to log in. But I got a new (bokeh server) session each time. Logout/expiration of that side of things is handled by whatever the app creator implements in the auth module. As soon as the auth module hooks say a use is not logged in, a reload will shunt back to the login screen. The important thing to note is that that bokeh session id/tokens are just one-time permissions and I think its good to keep it that way. They are orthogonal to user auth, really an internal detail, which is also why I think a short expiry is both useful and not a burden on users. That covers a lot of ground, at least I think it is sufficient for a great many types of apps. What is given up?
Does this change anything for you? FWIW I was mostly considering JWT because there are implementations of it. |
Also I should add about the expiry. It is not expiration of the kind "boot the user out to a login screen after X amount of time". That is something we could try to figure out later. Here it is only "this one-time permission for (bokeh) session creation is good for the next X minutes and no longer" Also maybe another succinct summary: Being authenticated is a an authorization to create new bokeh server sessions, for as long as you are logged in, and the session ids/tokens are the internal mechanism to convey permission to create those new sessions. (But the bokeh server itself does not specify policy or implementation for authorization, app authors do in the auth module) Also worth mentioning: I consider session sharing ala google docs to be explicitly out of scope. |
@bryevdv Thanks! I think I'm still a bit confused, although it's hard to express the exact reason. |
Thanks @p-himik I think most of that is my lack of vocabulary and experience. I should have a simple PR for a pre-2.0 version in the next week or so. |
I think this is not going to be a huge effort but I want to clean up some functions that would end up mis-named without some changes. Rather than rush this in the release this week, pushing off to 2.0 |
This was closed in #9536 |
Encode an optional expiration timestamp with signed session id's and refuse to create the session if the id is expired. Propose adding server option
--session-expiration-duration
which will be added to UTCnow()
when the signed session id is created, and then checked against UTCnow()
when the session is to be created in the server.The text was updated successfully, but these errors were encountered: