Access token signature lookup bug #3485
Labels
bug
Something is not working.
Comments
+1. Same issue noticed when testing an update from 2.0.3 to 2.1.0 today.
rauanmayemir changed the title from "Access token signature change in 2.1.0 is a breaking change" to "Access token signature lookup bug" on Apr 11, 2023
hperl added a commit that referenced this issue on Apr 11, 2023
hperl added a commit that referenced this issue on Apr 11, 2023
aeneasr pushed a commit that referenced this issue on Apr 11, 2023
@hperl Many thanks! 🙌
harnash pushed a commit to Wikia/ory-hydra that referenced this issue on Apr 12, 2023
Preflight checklist
Describe the bug
After upgrading to 2.1.0 all the previously issued access tokens stop working due to a recent change in persistence.
Say I have the following generated access token (test env, not to worry):
Previously, the signature (PK) column would contain Y3JSKXSGRIsoxMEfHdAEbweH-rE5p-qajxSAcoAdmxI. But after the upgrade it will be stored as a SHA384 hash, something like 54dcf7602fc6e6abf7df20f49f5cd445ee0ac431497638d69cdb013d924df5da9dff9b8040c45d40a48b3b2c8102b30d.
I believe there is a bug here:
The raw signature is being double hashed for access tokens:
So the lookup SQL query will look for signature in (sha384_of_rawsignature, sha384_of_sha384_of_rawsignature) instead of signature in (rawsignature, sha384_of_rawsignature).
@aeneasr please acknowledge. This is a critical issue that broke the previous major upgrade, and now it's breaking the minor upgrade.
Reproducing the bug
Generate an access token in 2.0.3, upgrade hydra to 2.1.0 - the previously generated access token will no longer be valid - hydra fails to retrieve the record from hydra_oauth2_access due to the borked signature value.
In 2.0.3, it only hashed the raw signature if the config was set to use JWT.
In 2.1.0, it changed to hashing the signature in any case. But then the lookup is borked to querying for the hash and double hash (omitting raw signatures altogether).
Same issue will happen if you repeat the steps for 1.9.x -> 2.0.3.
Except in 1.9.x, it never hashed anything. Thus, 2.0.3 broke the querying, 2.1.0 broke querying again.
Relevant log output
Relevant configuration
No response
Version
2.1.0
On which operating system are you observing this issue?
None
In which environment are you deploying?
None
Additional Context
No response
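As an added illustration of the lookup problem described in this report (this is not code from the issue or from Hydra itself), the Go program below models the hydra_oauth2_access signature column as a map and compares the two candidate sets the reporter contrasts: the double-hashing set, signature in (sha384(raw), sha384(sha384(raw))), and the raw-plus-hash set, signature in (raw, sha384(raw)). It assumes the stored hash is the hex-encoded SHA-384 digest, which matches the 96-character value quoted above; the sample signature and table rows are constructed for the demonstration.

```go
package main

import (
	"crypto/sha512"
	"encoding/hex"
	"fmt"
)

// hashSignature returns the hex-encoded SHA-384 digest of a raw token
// signature (assumption: hex encoding, matching the 96-char value in the report).
func hashSignature(raw string) string {
	sum := sha512.Sum384([]byte(raw))
	return hex.EncodeToString(sum[:])
}

// buggyLookupKeys reproduces the lookup the report describes: the signature
// is hashed once by the caller and again inside the lookup, so the query
// becomes signature IN (sha384(raw), sha384(sha384(raw))).
func buggyLookupKeys(raw string) []string {
	once := hashSignature(raw)
	return []string{once, hashSignature(once)}
}

// fixedLookupKeys is the candidate set the report says the query should use:
// signature IN (raw, sha384(raw)), so rows written by a version that stored
// the raw signature are still found after the upgrade.
func fixedLookupKeys(raw string) []string {
	return []string{raw, hashSignature(raw)}
}

// accessTable stands in for hydra_oauth2_access: signature column -> client id.
type accessTable map[string]string

// lookup emulates SELECT ... WHERE signature IN (...) over the table,
// returning the first matching row.
func (t accessTable) lookup(keys []string) (string, bool) {
	for _, k := range keys {
		if client, ok := t[k]; ok {
			return client, true
		}
	}
	return "", false
}

// sampleSig is a constructed signature value, not a real token.
const sampleSig = "constructed-raw-signature-not-a-real-token"

// legacyTable holds a row written by a version that stored the raw signature
// (the 1.9.x / non-JWT 2.0.3 behaviour described in the report).
func legacyTable() accessTable {
	return accessTable{sampleSig: "client-legacy"}
}

// hashedTable holds a row written by a version that stores sha384(raw)
// (the 2.1.0 behaviour described in the report).
func hashedTable() accessTable {
	return accessTable{hashSignature(sampleSig): "client-new"}
}

func main() {
	tables := map[string]accessTable{
		"legacy row": legacyTable(),
		"hashed row": hashedTable(),
	}
	for name, tbl := range tables {
		_, buggyOK := tbl.lookup(buggyLookupKeys(sampleSig))
		_, fixedOK := tbl.lookup(fixedLookupKeys(sampleSig))
		fmt.Printf("%-10s double-hash lookup found=%v  raw+hash lookup found=%v\n",
			name, buggyOK, fixedOK)
	}
}
```

Running it shows the asymmetry the reporter points out: a row stored with the hashed signature is found by both candidate sets, but a row stored with the raw signature is only found by the raw-plus-hash set, which is why tokens issued before the upgrade stop validating.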