New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Auth: Add feature flag to move token rotation to client #65060
Conversation
You have successfully added a new CodeQL configuration |
docs/sources/setup-grafana/configure-grafana/feature-toggles/index.md
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks the contribution. Please review my suggestion for technical accuracy. If that works for you, please ping me to approve.
This can happen when token is deleted or we try to rotate an old token
roration is enabled
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
10fd5ef
to
d4e0a2d
Compare
* FeatureToggle: Add toggle to use a new way of rotating tokens * API: Add endpoints to perform token rotation, one endpoint for api request and one endpoint for redirectsd * Auth: Aling not authorized handling between auth middleware and access control middleware * API: add utility function to get redirect for login * API: Handle token rotation redirect for login page * Frontend: Add job scheduling for token rotation and make call to token rotation as fallback in retry request * ContextHandler: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * AuthN: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * Cookies: Add option NotHttpOnly * AuthToken: Add helper function to get next rotation time and another function to check if token need to be rotated * AuthN: Add function to delete session cookie and set expiry cookie Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
What is this feature?
At the moment every request made to the grafana API can trigger a rotation. We want to move the responsibility of token rotation to the client instead.
This is all done behind a new feature toggle "ClientTokenRotation".
There are two scenarios we need to handle, page load and api request.
For page loads I have added checks in both Auth and AccessControl middleware where not authorized checks are performed. If the LookupTokenErr is ErrTokenNeedRotation we write a redirect cookie for current path and redirect to /user/auth-tokens/rotate. If token is successfully rotated we redirect the user batch to the patch set in redirect cookie. If the rotation failed (revoked, not found, expired) we redirect to login page and delete the cookie.
The second scenario is api request performed by the client. My first approach was to call the rotation endpoint if a request failed with 401 and retry the request if it was successful. This kinda works but have problems when making many concurrent request that all tries to rotate the token. If we would have a two token system (refresh and access) this would be no problem but with the current system a lot of concurrent request can cause unintended side effect, especially when running grafana in HA. We also have the problem that we cannot grantee that all plugins use backendSrv where this retry logic is implemented.
So Instead I decided to schedule the token rotation. This is done with the help of a new cookie we set that holds the number of seconds until next rotation, that I also subtract some leeway from. In order to try to not make all open tabs for a session run a token rotation I randomize a number between 1-20 and subtract that from the time we should run the rotation. When a rotation is triggered we first check if we have a new expiry time and reschedule the job in that case.
The out dated auth token stored in db can only make request for 1 minutes after a rotation has happen and then it will start getting 401:s
Fixes #
Special notes for your reviewer: