Auth: Check id token expiry date #69829
@mgyongyosi can you take a look? @akselleirv I think your implementation is missing in the second path The context handler path will be removed soon.
can be used to enable the new path (although it should now be the default in main)
Hello @Jguer and @mgyongyosi, I've added the expiry check to the handler you mentioned.
Hey @akselleirv,
Thank you for your contribution to Grafana! Currently I'm working on this part, so expect some changes from upstream, but those should be minor. I left some feedback for you; could you please change your implementation based on those suggestions?
👋 Hello @akselleirv and thank you for your contribution! As @Jguer and @mgyongyosi have suggested, you don't need to change anything at pkg/services/contexthandler/contexthandler.go
since it will be removed soon. This is already blocked from being used by the feature flag that @Jguer mentioned.
Please revert it in order to approve and merge this PR.
Please review @mgyongyosi comments.
PS I left a small non-blocking code suggestion.
Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>
Thank you for the detailed feedback @mgyongyosi! I've updated the PR with your suggested changes :)
* Remove unnecessary contexthandler changes
Stellar work on this @akselleirv! ⭐ Thank you again, your PR has been merged!
* fixed: added id token expiry check to oauth token sync
* use go-jose and id token in cache
* Update pkg/services/authn/authnimpl/sync/oauth_token_sync.go
* refactored getOAuthTokenCacheTTL and added unit tests
* Small changes to oauth_token_sync
* Remove unnecessary contexthandler changes
---------
Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>
Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com>
What is this feature?
Verify that the ID token has not expired.
Why do we need this feature?
When using the feature toggle accessTokenExpirationCheck it only checks for the expiry date of the access token and not the ID token. When using AzureAD to authenticate it issues an ID token which expires before the access token and it results in the user experiencing 401.
Who is this feature for?
For users who use accessTokenExpirationCheck.
Which issue(s) does this PR fix?:
Fixes #65380
Special notes for your reviewer:
Please check that:
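The check this PR describes, as an added example (not Grafana's code, which per the commit message uses go-jose): read the ID token's `exp` claim and treat the session's tokens as valid only until the earlier of the access-token and ID-token expiries. The names `idTokenExpiry`, `validFor` and `sampleIDToken` are hypothetical, the sample token is constructed, and the example assumes the provider always issues an ID token.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// idTokenExpiry reads the "exp" NumericDate from a compact JWT. It does not verify
// the signature (assumption: that was done when the token was first received).
func idTokenExpiry(idToken string) (time.Time, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return time.Time{}, fmt.Errorf("id token is not a compact JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return time.Time{}, fmt.Errorf("decode payload: %w", err)
	}
	var claims struct{ Exp *float64 `json:"exp"` }
	if err := json.Unmarshal(payload, &claims); err != nil || claims.Exp == nil {
		return time.Time{}, fmt.Errorf("id token has no readable exp claim")
	}
	return time.Unix(int64(*claims.Exp), 0), nil
}

// validFor returns the time until the earlier of the two expiries.
// Zero means the session's tokens must be refreshed now.
func validFor(now, accessExp time.Time, idToken string) time.Duration {
	idExp, err := idTokenExpiry(idToken)
	if err != nil || !idExp.After(now) || !accessExp.After(now) {
		return 0 // expired or unreadable: fail closed and refresh
	}
	if idExp.Before(accessExp) {
		return idExp.Sub(now)
	}
	return accessExp.Sub(now)
}

// sampleIDToken builds a constructed, unsigned token for demonstration only.
func sampleIDToken(exp int64) string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"none"}`)) + "." + enc([]byte(fmt.Sprintf(`{"exp":%d}`, exp))) + ".x"
}

func main() {
	fmt.Println(validFor(time.Unix(0, 0), time.Unix(3600, 0), sampleIDToken(600))) // 10m0s
}
```

With a one-hour access token and an ID token that expires after ten minutes, the result is ten minutes, which is the case the description reports for AzureAD.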