Skip to content

Refactor OAuth provider code and switch from Flask-OAuthlib to Authlib #4798

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 31 commits into from
Feb 24, 2021
Merged

Refactor OAuth provider code and switch from Flask-OAuthlib to Authlib #4798

merged 31 commits into from
Feb 24, 2021

Conversation

ThiefMaster
Copy link
Member

@ThiefMaster ThiefMaster commented Feb 18, 2021
edited
Loading

  • Authlib instead of (flask-)oauthlib
  • Proper test coverage for all supported oauth flows
  • Authorization code with PKCE flow instead of implicit flow (breaking change)
  • Provider metadata endpoint (/.well-known/oauth-authorization-server)
  • Token introspection endpoint
  • Token revocation endpoint
  • Allow multiple tokens for a user/app combo (maybe group by scope to keep the total number of tokens still limited? grouping is no longer possible due to hashing, keeping up to 50 tokens for now)
  • Make PKCE flow opt-in (most apps are server-side and can just use a client secret)
  • Store oauth tokens in hashed form, maybe sha256 (no salting is needed for random tokens, and bcrypt etc are slow and thus not a good choice for API tokens)
  • Changelog entry

Regarding the breaking change, this needs an update in the checkin app which I think is the only client using the implicit flow right now. An alternative, especially since hello.js which we use in that app does not support PKCE yet (see MrSwitch/hello.js#633), could be enabling the implicit flow but allowing it only for the checkin app so we can remove it once everyone is on 3.0 and there is no need to support older Indico versions in the checkin app. (Update: The checkin system app is allowed to use the implicit grant and token-in-querystring for now)

closes #4685

@ThiefMaster ThiefMaster added this to the v3 milestone Feb 18, 2021
@ThiefMaster ThiefMaster force-pushed the oauth branch 4 times, most recently from 3274acd to de35086 Compare February 22, 2021 20:15
@ThiefMaster ThiefMaster marked this pull request as ready for review February 22, 2021 20:26
@ThiefMaster
Remove unused schema instance
9129685
@ThiefMaster
Remove weird session fallback in /api/user/
b256737 
It was never used, and the idea of using the session user if there is
any error with the oauth token (missing, invalid, whatever) is extremely
obscure and prone to errors.
@ThiefMaster
Add unit test for the complete oauth flow
b84c2ab
@ThiefMaster
Use Authlib for OAuth provider
20d92b3 
The implicit flow has been replaced with the more modern and in case of
mobile apps more secure code+pkce flow.
@ThiefMaster
Add token introspection endpoint
aaf5bb9
@ThiefMaster
Disallow 'plain' PKCE code challenge
533825a 
It's less secure and we do not really care about clients that cannot
create a SHA256 hash...
@ThiefMaster
Add well-known oauth2 metadata endpoint
3a20cff
@ThiefMaster
Allow CORS on token endpoint
ed5d1a1 
The PKCE flow can be used in browsers, so they should be able to
exchange the code for a token via CORS
@ThiefMaster
Improve error handling during authorization
da4dd67
@ThiefMaster
Return more standard oauth errors
5a3052d
@ThiefMaster
Remove obsolete oauth errors endpoint
e46068f
@ThiefMaster
Move oauth provider logic to core & split modules
96aff45
@ThiefMaster
Fix test_client with no webpack manifest
0efb8c4 
If a test results in a templte being rendered this usually looks up some
webpack bundles which we don't care about during tests and don't have
during CI.
@ThiefMaster
Add revocation endpoint
398108b
@ThiefMaster
Apply app scope restrictions to existing tokens
3dcc91d
@ThiefMaster
Rename default_scopes to allowed_scopes
c9b02ca 
The old name was just poor naming on the flask-oauthlib side, and never
had anything to do with default scopes.
@ThiefMaster
Support different tokens for different scopes
5d85467 
Also refactor how user app authorizations are stored; instead of
checking for a token, we now have a separate model holind the
authorization and granted scopes, so if an app revokes its own token,
the scopes will remain authorized in any future authorization flow the
user does.
@ThiefMaster
Remove unused property
b50b3f4
@ThiefMaster
Remove TODO comment about revoking tokens
825e8f6 
Deleting is fine, our tokens are unique so there is basically no risk of
regenerating the same token that has been revoked before.
@ThiefMaster
Fix error when jsonifying certain oauth errors
96d3f51
@ThiefMaster
Add tests for insecure oauth logic
e1ea943
@ThiefMaster
Stop expunging user from db session in tests
f404295 
Not sure why it now works without that ugly hack...
@ThiefMaster
Add some app/user link assertions to the tests
76b08a9
@ThiefMaster
Display metadata URL and add clipboard copy links
6b66bf8
@ThiefMaster
Remove unused authlib method
491dc37 
upstream removed it as well
@ThiefMaster
Make PKCE configurable
b81bc79 
Apps that are not targeting SPA/native apps do not need to allow flows
without a client secret.
@ThiefMaster
Test token reuse
b98e933
@ThiefMaster
Store OAuth tokens as SHA-256 hashes
b037581 
While not passwords, they are sensitive and there is no need to store
plaintext versions of them.
@ThiefMaster
Support implicit grant for the checkin app
cc2cab2 
This also adds support for passing the token insecurely in the query
string, but also ONLY for that app.

Like this we are not under any pressure to update the app, and we can
simply do it at some point after a proper Indico v3 release.
@ThiefMaster
Add changelog entry for oauth
dc0ea2e
@ThiefMaster
Fix merging users with oauth app auths
36de66e
javfg
javfg approved these changes Feb 24, 2021
View reviewed changes
Copy link
Contributor

@javfg javfg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me, but keep in mind my still limited review value at the moment.

@ThiefMaster ThiefMaster merged commit 36de66e into indico:master Feb 24, 2021
@ThiefMaster ThiefMaster deleted the oauth branch February 24, 2021 16:49
@javfg javfg mentioned this pull request Mar 29, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@javfg javfg javfg approved these changes

@pferreir pferreir Awaiting requested review from pferreir

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v3.0
Development

Successfully merging this pull request may close these issues.

Replace flask-oauthlib with authlib
2 participants
@ThiefMaster @javfg