chore(hybrid-cloud): Delegate pipeline redis store to propagate customer domain by dashed · Pull Request #39016 · getsentry/sentry

dashed · 2022-09-19T18:00:22Z

In #38970, I had updated an OAuth2 provider implementation such that we do per-request customization by dynamically update the callback URL based on if a subdomain is present (e.g. sentry.sentry.io)

The OAuth2 spec on redirect URIs suggests that request-specific data in the callback URL be delegated to the "state" parameter.

I've undid the per-request callback URL changes added in #38970, and instead delegated to the pipeline redis store (using "state" parameter) to propagate any customer domain information.

The request flow for customer domains should look like this:

Go to https://orgslug.sentry.io
Click on social media button: https://sentry.io/identity/login/google/?referrer=login
Create unique state parameter and store orgslug customer domain in pipeline redis store.
Redirect to https://accounts.google.com/o/oauth2/auth
Perform OAuth2 authorization flow.
Redirect back to https://sentry.io/auth/sso/
Authorization code token exchange.
Retrieve orgslug customer domain from pipeline redis store, and redirect user to https://orgslug.sentry.io/auth/login
Redirect to https://orgslug.sentry.o/organizations/orgslug/issues/ (this will be an orgless slug in the future)

…mer domain

markstory

Looks good to me. Would be good to get someone from enterprise/ecosystem who is more familiar with our oauth implementation to also take a look

markstory · 2022-09-28T01:58:02Z

src/sentry/auth/providers/oauth2.py


        helper.bind_state("state", state)
+        if request.subdomain:
+            helper.bind_state("subdomain", request.subdomain)


Should a user start and SSO flow, leave the tab open with oauth dance incomplete and then open a second tab, not complete that sso, and then go back and complete the first SSO flow they could end up at the wrong place.

In practice that is unlikely to matter as they should have access to both orgs that they started SSO on.

@markstory Wouldn't the first SSO fail if the state attributed was regenerated on the second tab? We compare the state values here when the user comes back to Sentry from the authentication provider

sentry/src/sentry/auth/providers/oauth2.py

Lines 105 to 106 in 8d9f92f

if state != helper.fetch_state("state"):

return helper.error(ERR_INVALID_STATE)

I do agree in practice it shouldn't matter.

maxiuyuan

lgtm, if ur cautious i would ask @RyanSkonnord to take a look as well

…mer domain (#39016)

evanpurkhiser · 2022-10-05T06:54:17Z

If you need more help looking at this in the future. I wrote all of the pipeline and oauth stuff

dashed requested review from a team September 19, 2022 18:00

dashed requested a review from a team as a code owner September 19, 2022 18:00

dashed self-assigned this Sep 19, 2022

github-actions bot added the Scope: Backend Automatically applied to PRs that change backend components label Sep 19, 2022

dashed mentioned this pull request Sep 19, 2022

chore(auth): Update sentry.identity.oauth2 to support customer domains #38973

Closed

dashed requested a review from mdtro September 19, 2022 18:03

dashed force-pushed the hybrid-cloud/oauth2-customer-domains-pipeline branch from 87d7306 to c5690c8 Compare September 19, 2022 23:57

dashed mentioned this pull request Sep 20, 2022

chore(auth): Update sentry.identity.oauth2 to support customer domains #39052

Merged

vercel bot deployed to Preview – storybook September 20, 2022 00:00 View deployment

vercel bot deployed to Preview – sentry September 20, 2022 00:00 View deployment

dashed force-pushed the hybrid-cloud/oauth2-customer-domains-pipeline branch from c5690c8 to 0ec004c Compare September 20, 2022 00:39

vercel bot deployed to Preview – sentry September 20, 2022 00:41 View deployment

vercel bot deployed to Preview – storybook September 20, 2022 00:42 View deployment

dashed force-pushed the hybrid-cloud/oauth2-customer-domains-pipeline branch from 0ec004c to fec27dd Compare September 27, 2022 00:25

vercel bot deployed to Preview – sentry September 27, 2022 00:29 View deployment

vercel bot deployed to Preview – storybook September 27, 2022 00:31 View deployment

chore(hybrid-cloud): Delegate pipeline redis store to propagate custo…

8d9f92f

…mer domain

dashed force-pushed the hybrid-cloud/oauth2-customer-domains-pipeline branch from fec27dd to 8d9f92f Compare September 27, 2022 01:55

vercel bot deployed to Preview – sentry September 27, 2022 01:57 View deployment

vercel bot deployed to Preview – storybook September 27, 2022 01:57 View deployment

markstory approved these changes Sep 28, 2022

View reviewed changes

maxiuyuan approved these changes Sep 28, 2022

View reviewed changes

dashed merged commit f12d759 into master Sep 28, 2022

dashed deleted the hybrid-cloud/oauth2-customer-domains-pipeline branch September 28, 2022 17:53

dashed mentioned this pull request Sep 29, 2022

fix(oauth2): Do not generate login redirect URL too early #39449

Merged

ryan953 pushed a commit that referenced this pull request Oct 3, 2022

chore(hybrid-cloud): Delegate pipeline redis store to propagate custo…

6900534

…mer domain (#39016)

github-actions bot locked and limited conversation to collaborators Oct 20, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(hybrid-cloud): Delegate pipeline redis store to propagate customer domain#39016

chore(hybrid-cloud): Delegate pipeline redis store to propagate customer domain#39016
dashed merged 1 commit intomasterfrom
hybrid-cloud/oauth2-customer-domains-pipeline

dashed commented Sep 19, 2022

Uh oh!

markstory left a comment

Uh oh!

markstory Sep 28, 2022

Uh oh!

dashed Sep 28, 2022

Uh oh!

dashed Sep 28, 2022

Uh oh!

maxiuyuan left a comment

Uh oh!

evanpurkhiser commented Oct 5, 2022

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

	if state != helper.fetch_state("state"):
	return helper.error(ERR_INVALID_STATE)

Uh oh!

Conversation

dashed commented Sep 19, 2022

Uh oh!

markstory left a comment

Choose a reason for hiding this comment

Uh oh!

markstory Sep 28, 2022

Choose a reason for hiding this comment

Uh oh!

dashed Sep 28, 2022

Choose a reason for hiding this comment

Uh oh!

dashed Sep 28, 2022

Choose a reason for hiding this comment

Uh oh!

maxiuyuan left a comment

Choose a reason for hiding this comment

Uh oh!

evanpurkhiser commented Oct 5, 2022

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants