
feat: Refresh Token Reuse Detection #2383

Merged (4 commits) on Mar 23, 2021

Conversation

svrakitin (Contributor) commented Mar 5, 2021

Related issue

Closes #2022

Proposed changes

This PR leverages support for Refresh Token Reuse Detection added in ory/fosite#567. It makes hydra's Persister stop deleting refresh tokens and instead deactivate them, similar to what's done for authorization codes.

Modules need to be updated once the PR for fosite gets merged.

Checklist

  • I have read the contributing guidelines.
  • I have read the security policy.
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security vulnerability, I
    confirm that I got green light (please contact
    security@ory.sh) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature
    works.
  • I have added or changed the documentation.

Further comments

See ory/fosite#567 for fosite PR.
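As an added illustration of the mechanism described in the proposed changes (constructed here, not hydra's or fosite's own code): an in-memory store that deactivates a refresh token on rotation rather than deleting it, and treats a later presentation of the deactivated token as reuse, revoking every token of that grant. The type and function names (store, Refresh, ErrTokenReused) and the session and signature values are assumptions.

```go
package main

import "errors"

// Errors a hypothetical token endpoint would surface (not fosite's own types).
var (
	ErrUnknownToken = errors.New("refresh token not found")
	ErrTokenReused  = errors.New("inactive refresh token presented: reuse detected")
)

// refreshToken is one rotated refresh token. A used token is kept with Active=false
// instead of being deleted, so presenting it again is distinguishable from a bogus token.
type refreshToken struct {
	Session string // the grant (authorization session) this token belongs to
	Active  bool
}

// store is a constructed in-memory stand-in for hydra's persister.
type store struct{ tokens map[string]*refreshToken }
func newStore() *store { return &store{tokens: map[string]*refreshToken{}} }

// Issue records an active refresh token (by signature) bound to a session.
func (s *store) Issue(sig, session string) {
	s.tokens[sig] = &refreshToken{Session: session, Active: true}
}

// revokeSession deactivates every token of a session: a reused token means a
// stale copy is in someone's hands, so the whole grant is invalidated.
func (s *store) revokeSession(session string) {
	for _, t := range s.tokens {
		if t.Session == session {
			t.Active = false
		}
	}
}

// Refresh rotates: the presented token is deactivated (not deleted), the new one
// is recorded, and a deactivated token being presented counts as reuse.
func (s *store) Refresh(oldSig, newSig string) error {
	t, ok := s.tokens[oldSig]
	if !ok {
		return ErrUnknownToken
	}
	if !t.Active {
		s.revokeSession(t.Session)
		return ErrTokenReused
	}
	t.Active = false
	s.Issue(newSig, t.Session)
	return nil
}
```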

@svrakitin svrakitin force-pushed the refresh-token-reuse-detection branch from d3b9040 to 39bcce6 Compare March 8, 2021 13:17
@svrakitin svrakitin force-pushed the refresh-token-reuse-detection branch from 39bcce6 to 151cae4 Compare March 9, 2021 13:59
@svrakitin svrakitin marked this pull request as ready for review March 9, 2021 14:22
svrakitin (Contributor, Author) commented Mar 9, 2021

@aeneasr No idea what happened to e2e tests, but should be good to go, let me know if I forgot to cover something.

We also need some garbage collection in place for refresh tokens. I think I've seen some other PR covering this.

@svrakitin svrakitin changed the title from "feat: Support refresh token reuse detection in fosite" to "feat: Refresh Token Reuse Detection" Mar 9, 2021
aeneasr (Member) left a review comment

Sorry, I had reviewed 90% of the PR and for some reason stopped in the middle of it, which is why I didn't complete it.

> @aeneasr No idea what happened to e2e tests, but should be good to go, let me know if I forgot to cover something.

It might make sense to add a full e2e test for refresh tokens. Writing and testing these is covered here: https://github.com/ory/hydra#e2e-tests

> We also need some garbage collection in place for refresh tokens. I think I've seen some other PR covering this.

Yes, that was merged!

Review thread on persistence/sql/persister_oauth2.go (resolved)
svrakitin (Contributor, Author) commented Mar 11, 2021

Added e2e test to go through Auth Code Flow with PKCE in the browser and reuse refresh token. This is closer to the real scenario when it can happen. Hope this can be reused for more e2e tests in context of public clients.

CircleCI got an incident, so e2e tests failed again. Did you consider moving tests to Github Actions? :)

@svrakitin svrakitin requested a review from aeneasr March 11, 2021 21:40
aeneasr (Member) commented Mar 12, 2021

> CircleCI got an incident, so e2e tests failed again. Did you consider moving tests to Github Actions? :)

Yeah, unfortunately it's quite an effort to do that so it's gonna take a while as we have lots of tooling around circleci.

Sorry about the flaky e2e test - I will rerun the CI.

Is this good for another 👀 ?

svrakitin (Contributor, Author) commented

@aeneasr Yeah, please review.

svrakitin (Contributor, Author) commented

@aeneasr Please let me know if any other change is expected.

aeneasr (Member) commented Mar 23, 2021

Thank you for bubbling this up in my inbox, I must have missed your push! Taking a look now

aeneasr (Member) left a review comment

Awesome, thank you! 🎉🎉🎉🎉 Your contribution makes Ory better :)

@aeneasr aeneasr merged commit bc349f1 into ory:master Mar 23, 2021
@svrakitin svrakitin deleted the refresh-token-reuse-detection branch March 23, 2021 09:44
pharman (Contributor) commented Mar 23, 2021

Sweet! 👍

Successfully merging this pull request may close these issues.

Reuse Detection in Refresh Token Rotation
3 participants