feat(refresh_tokens): add refresh_tokens to /token endpoint

[seanmonstar]

All good to go-ish.

Any test cases I missed with scopes?

Fixes #209

[pdehaan]

Add space before token?

[pdehaan]

Is this missing a "?"? It seems like we added token above and have 7 fields, but only 6 ?s.

[vladikoff]

nit: Seconds that this access_token should be valid. ->

The amount of time the access_token is valid for in seconds or
The auth_token expiration time in seconds

[rfk]

Suggest bolding Seconds here like you've done in the lists below

[vladikoff]

nit: expiration.accessTokenInSeconds? is this format used anywhere else? (adding S and Ms)?

[seanmonstar]

I don't know if we use this convention anywhere else. I think we try to use milliseconds whenever we can, but the spec claims that the expires_at value should be in seconds...

[rfk]

I like millisecond timestamps too, but I think it will be against the grain when interfacing with existing OAuth, JWT and other related specs, which all seem to use timestamps in seconds.

For example, this was one of the trickest parts of trying to bring the legacy BrowserID assertion format into line with the final JWT spec. It caused a pretty funny (and thankfully low-impact) security bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1096106

In the interests of consistency, I suggest we grit our teeth and use integer second timestamps throughout the public API.

[vladikoff]

nit: group vars with the top var token = {}. rename var token = {}; to something like tokenData = {} to avoid _token vs token

[vladikoff]

Nit: Scopes requested not allowed -> i.e Requested scopes are not allowed

[vladikoff]

Should we file a "good first bug" for this?

[seanmonstar]

I'm not sure if it'd be an "easy" bug...

[vladikoff]

old code from generateToken left here.

[rfk]

refresh tokens will be mandatory

IIUC there are cases in the OAuth spec where we're forbidden from delivering refresh tokens, e.g. when using implicit grant clients. Perhaps we can weaken this to something like "refresh tokens will be teh default behaviour".

[seanmonstar]

Woops, this was the first thing I wrote in this PR. It didn't reflect that changes that we'd always expire the token now. Updated the text.

[seanmonstar]

woo, build finally passes

[rfk]

I was going to go all grammar pedant on this and suggest s/less/fewer/, but Wikipedia tells me [1] that it's actually fine to use "less" with count nouns and I should learn to relax and enjoy life without worrying about made-up grammatical rules dating from 1770...

[1] https://en.wikipedia.org/wiki/Fewer_vs._less

[seanmonstar]

wuts grammer

[rfk]

Mixing seconds and milliseconds in this response seems like a recipe for trouble.

More broadly, I think it makes sense to copy the behaviour of existing oauth and/or openid-connect servers where there's precedent. In this case both specs seem to suggest using expires_in with a relative timestamp in seconds, e.g: http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthResponse

[rfk]

Do you think it would be useful to track a lastUsedAt for refresh tokens? We might want to e.g. expire tokens that have not been used in months. Doesn't have to be part of the initial landing, but something to think about.

[seanmonstar]

It probably would be useful, yes. Those that ignore the refresh token could be inadvertently generating new ones every time, and that would load up the table with a bunch of refresh tokens that sit there forever, ready to be guessed?

[rfk]

nit: it may be clearer to name this e.g. tokenId or tokenHash rather than just token

[rfk]

Hmm...I see that would be inconsistent with the naming in the mysql backend, where we use token for the column name. Probably not worth it then.

[rfk]

Whoops, I think I accidentally commented on the commit rather than the diff; hopefully those two comments make sense.

This looks great @seanmonstar, thanks for separating the commits for review. Please rebase when ready.

[seanmonstar]

nits addressed, squashed into 1.

[rfk]

I filed #275 as a follow-on for tracking last-used-at timestamps on refresh tokens.

[rfk]

The access_type parameter will require support from the content-server; I filed mozilla/fxa-content-server#2589

@seanmonstar I'm sure you'd be most welcome to dive in and implement that part of it as well, if you were feeling adventurous :-)

[rfk]

According to puppet-config, our active production reliers are:

I've dug into these, and the only one that I think we need to be careful with is pocket. I'll send them an email and make sure we've got a clear path forward.

[rfk]

(Migrating from IRC discussion)

Talking to Pocket, they'd like for all of their existing access_tokens to keep working after the switch, and I think this is a fair enough request. We can achieve this by migating existing access tokens to become refresh tokens, staging the rollout like this:

1. Merge this code and get it out there and deployed for testing purposes
2. Pocket update their code, test, and start requesting refresh tokens
3. We do a db update to convert their previous access tokens into refresh tokens, perhaps using a timestamp-based filter to select only the ones that were created from a refresh token.

To give us enough time between (2) and (3) we could increase the default access_token lifetime to something longer, so we don't break things in the meantime. Once reliers are migrated over we can drop it back down to a shorter lifetime.

@seanmonstar thoughts?

[seanmonstar]

To upgrade Pocket's tokens:

INSERT INTO refreshTokens (token, clientId, userId, email, scope, createdAt)
  (SELECT token, clientId, userId, email, scope, createdAt FROM tokens WHERE clientId = '$POCKET_CLIENT_ID', createdAt < MIN(SELECT createdAt from refresh_tokens WHERE clientId = '$POCKET_CLIENT_ID'));
DELETE FROM tokens WHERE clientId = '$POCKET_CLIENT_ID', MIN(SELECT createdAt from refresh_tokens WHERE clientId = '$POCKET_CLIENT_ID');

[rfk]

To give us enough time between (2) and (3) we could increase the default access_token lifetime to something longer

@seanmonstar points out that this won't work, since expiry is based on token creation time. But thinking about it some more, this won't matter anyway. As long as pocket doesn't try to use the tokens between when they're created and when we switch them to refresh magic, nothing will break.

[seanmonstar]

Alternatively, default expiration could be set to something ridiculous at first, and then re-adjusted afterwards.

[seanmonstar]

rebased to master

[rfk]

I think, based on IRC conversation, that we can do the above deployment plan on top of the code as it currently sits. @seanmonstar can I get an official r? from you on that plan, and if so, I think this is ready to merge.

[seanmonstar]

Yea that plan seems fine to me.

[rfk]

Should this assert a particular response code?

[rfk]

n/m, I see the helper function does this internally. That's not clear from the name, but I'll file a follow-up bug about it.

[rfk]

I wonder if we should add a comment here about why it's being renamed, since we probably won't remember in a few month's time.

[seanmonstar]

Seems obvious to me, since token is now ambiguous, more specific names were needed.

[rfk]

@seanmonstar my last-minute nits notwithstanding, I think we're solid here. Let's land this as soon as train-40 has been cut, and maximise testing time in the wild. r+ \o/