-
Notifications
You must be signed in to change notification settings - Fork 28
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Explicitly track the key-rotation timestamp for the user's sync key #124
Comments
@bbangert not sure if this is linked into your "python spanner prototype" tree anywhere, but I wanted to flag that it should be. It won't block you from pushing ahead with implementing the storage backend, but I think it'll be needed before we can put any production users in a spanner node. (Otherwise you're going to have a hard time purging a user's old data after a password reset, because you won't have the timestamps necessary to tell which data is "old"). |
I worked through the required FxA changes over in mozilla/fxa#2570; before I head out on PTO I will take a fresh look at what corresponding changes will be needed here in tokenserver. Broadly I think it's going to look like:
I will also work on some docs that explain more clearly why each of those things are necessary; I realized that the README etc in this repo is substantially out of date :-( |
I've updated the issue description here to say more about the motivation and next steps involved. |
A brief status update here, referencing the steps in the issue description:
|
This is ready to go! |
Over in https://github.com/mozilla/fxa-auth-server/issues/2674 we're going to add a new field to the metadata returned in FxA identity assertions telling us the timestamp at which the user's key material last changed. This is similar to, but not the same as, the "generation number" that we currently track.
Let's update tokenserver to track both "fxa-generation" and "fxa-keysChangedAt" for each user, so that it can accurately construct the kid for the user's sync key. This will in turn allow the new durable sync storage server to more accurately purge data that was encrypted with an older key.
Concretely, we currently communicate
fxa_uid
andfxa_kid
fields to the storage nodes like this:Given two
fxa_kid
values, it's not possible to tell by inspection which is the "current" key-id and which is out-of-date. When we hand out scoped keys for OAuth clients, we identify the keys by a combination of timestamp and hash, which means they sort lexicographically in a useful fashion. I think we should do the same here, so we end up sending:This will allow the storage nodes to easily detect and purge data stored under old keys.
The tricky part will be doing this accurately in the presence of incomplete information, because we haven't been tracking the key-rotation timestamp for existing users. I believe we need to do the following, in order:
generation
number. Otherwise we risk locking OAuth clients out of sync once we start tracking the key-rotation timestamp properly. I'm working on a PR for this.keysChangedAt
field available to the tokenserver.keysChangedAt
alongside thegeneration
number in the db, and reporting it out in thefxa_kid
field as above.The text was updated successfully, but these errors were encountered: