-
Notifications
You must be signed in to change notification settings - Fork 466
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New OAuth2 middlewares with token persistence #2964
Conversation
Includes validation Signed-off-by: ItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
Signed-off-by: ItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
Signed-off-by: ItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
Signed-off-by: ItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
Signed-off-by: ItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
Signed-off-by: ItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
Signed-off-by: ItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
Signed-off-by: ItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
Signed-off-by: ItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
Signed-off-by: ItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
- Renames `middleware.http.oauth2` to `middleware.http.oauth2.cookie` (old name remains as alias) - Adds `middleware.http.oauth2.http` Pending dapr/components-contrib#2964 Signed-off-by: ItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
I remember the discussing being around keeping the existing component but having a flag instead to change the behavior. Any reason for the change of course? |
I have sent a message on Discord this morning saying that I thought it made more sense to have 2 components since the behavior is very different: one redirects, one doesn't; one works with browsers (because of cookies), the other one doesn't. I asked if anyone had objections and didn't get any. PS: the existing component is still around and in 1.12 existing configurations will work without changes (however startign in 1.13 setting |
Going forward I advise to not equate 5 hours of no responses on Discord with an explicit agreement from everyone.
That is not accurate and does not justify a new codebase with the additional maintenance overhead that it brings. The existing component does work with browsers and cookies, but as you pointed out recent changes in Azure AD breaks this scenario for that given provider.
This change in behavior can easily be captured in the existing component without requiring an entirely new one. |
Can we keep the previous decision? It seems overkill to duplicate the component in this case. Even when we did duplicate it, like in etcd, the code is mostly shared, just the param at registration is different. |
Please review the code. Just like with etcd, the code is almost entirely shared. I am the first one that doesn't want to duplicate code :) There just happens to be 2 folders, rather than 2 constructors in the same folder like for etcd, because I cannot put 2 metadata.yaml in the same folder |
Closing in favor of #2967 |
Fixes #2635
Replaces #2963
Currently the OAuth 2 middleware suffers from scalability issues as reported in #2635. Tokens obtained from the authorization server are stored in-memory in the Dapr runtime (a session ID is stored in a cookie on the client), so they do not persist if the runtime is restarted, and make it impossible to scale the application horizontally.
The most common solution to this problem is to store the tokens in the clients, as self-contained tokens such as JWTs; because tokens are sensitive, they are encrypted (using encrypted JWTs).
Two components
This PR rewrites the OAuth2 middleware and exposes 2 new components (which are mostly based on the same underlying implementation):
middleware.http.oauth2.cookie
(aliased tomiddleware.http.oauth2
for backwards-compatibility)middleware.http.oauth2.header
:Authorization
headerAuthorization
and the value of the Authorization header that clients must passWhy 2 components?
The reason why we have two flavors of the component is due to the issue described in #2963. TLDR: tokens returned by Azure AD can be too large to be stored in a cookie.
However, using headers is not a perfect 1:1 replacement:
Token encryption key
Because cookies now store the token encrypted, users need to provide an encryption key via the new metadata property
tokenEncryptionKey
:tokenEncryptionKey
is not the actual encryption key used: the Dapr runtime deterministically derives both a signing key and an encryption key from thatFuture work
middleware.http.oauth2clientcredentials
has the same issues with scalability as the OAuth2, and needs to be updated as well (and perhaps we can re-use the shared implementation of this middleware).