-
-
Notifications
You must be signed in to change notification settings - Fork 931
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: track oidc token #1518
feat: track oidc token #1518
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome, thank you for working on this! I have a couple of comments which we need to improve prior to merge :)
This feature introduce a crypt/decrypt package use for access/refresh token for now Signed-off-by: David ALEXANDRE <david.alexandre@w6d.io>
Signed-off-by: David ALEXANDRE <david.alexandre@w6d.io>
remove useless handler improve general identity handler
f550994
to
7c66599
Compare
This feature introduce a crypt/decrypt package use for access/refresh token for now Signed-off-by: David ALEXANDRE <david.alexandre@w6d.io>
Signed-off-by: David ALEXANDRE <david.alexandre@w6d.io>
remove useless handler improve general identity handler
currently I put all code the general identity get but I planned to move it to elsewhere if the way is validated I’ll update the tests later |
Thank you for the changes! I will be able to review them next week! :) |
I tried pushing some changes required for merging the PR to your fork & branch, but it appears that I am not allowed to do so 😕
But the good news is, giving access is easy! If the repository belongs to an organization, please add me for the project as a collaborator! |
just did it |
# Conflicts: # contrib/quickstart/kratos/email-password/kratos.yml # go.mod # go.sum
ok thank for the review |
I assume that I can add some unit test now |
I still have a few items, wait a few more minutes .) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you! Here are some ideas. I also pushed a few changes to the naming conventions. Of course, we still need lots of tests :)
I am on holiday on friday-sunday so I can either review it tomorrow again, or next week. This is now on my priority list to get merged :)
selfservice/strategy/oidc/types.go
Outdated
EncryptedAccessToken []byte `json:"encrypted_access_token"` | ||
EncryptedRefreshToken []byte `json:"encrypted_refresh_token"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Make these a string as []byte
is base64 encoded by encoding/json
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I did but I don't know why maybe a mistake on my side but wrap and unwrap the encrypted data goes wrong.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes just retried this and it did not work due to non-printable character
Looks like my comment partially didn't make it - the tests for the schema can be added here: https://github.com/ory/kratos/tree/master/test/schema |
ok I on the change try to do it before your holiday |
awesome! :) |
Sorry I've got some personal issues |
5074b6f
to
572c970
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hello @david972 - this is some great stuff here! Good job! Sorry it took so long to review - cryptography just takes a lot of time to look into.
I have made a couple of adjustments, but nothing too critical. One important thing would be to move the github-app feature into a spearate PR.
Another thing is regarding the required secret. I was thinking about the impact on people getting started with Ory Kratos. I remember when we introduced this feature to Ory Hydra, it was very confusing to people at first. They often lost the keys, mixed them up, and in general had issues with managing encryption keys.
So I wonder if it would make sense to have one cypher which is a noop, and use that per default? That noop cipher would not need any secret and would be the default.
If you want tighter security, you would then use e.g. xchacha-poly1305.
What do you think about that?
Thanks
Yes that sound good too me to do. And actually it let people manage whether they want or not encrypting theirs data If you give me you go I can do it very quickly |
You have my go! :) |
An other point is regarding the schema validation that require the secret how can we set it as mandatory if people choose a cypher ? |
It is possible with if/then - we have one example here: https://github.com/ory/kratos/blob/master/driver/config/.schema/config.schema.json#L1858 |
Ah and please don't forget to add the new docs page to the sidebar :) |
you right I had forgotten |
right now I fight with schema 😉 |
update sidebar docs improve schema validation and add test remove use less statement from Makefile
@david972 currently on vacation, but will try to give it a review as soon as I have some stable internet :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great stuff! We’re very close :)
Subject string `json:"subject"` | ||
Provider string `json:"provider"` | ||
EncryptedAccessToken string `json:"encrypted_access_token"` | ||
EncryptedRefreshToken string `json:"encrypted_refresh_token"` | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe add initial_id_token too?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What will this refer to ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some systems issue an ID Token alongside the access_token
. It will be available as id_token
if set. Some applications might want to use this to perform additional checks! In general, this refers to OpenID Connect :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok got it
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I saw that the id token is a jet that may contain audience and nonce. So that mean we should encrypt it as well
test/schema/fixtures/config.schema.test.failure/root.aliases_missing_secrets.yaml
Show resolved
Hide resolved
|
||
func (i *Identity) getOIDCToken(r *http.Request, c cipher.Provider) error { | ||
for credType, credential := range i.Credentials { | ||
if credType != CredentialsTypeOIDC { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is perfect- I just think you don’t need a new struct! Use what we already have with the credentials struct :)
update docs update schema validation
chore: comment useless type feat: move credential in credentials
Hi as discussed here is my proposal curl http://localhost:4434/identities/2587dd42-4530-4bc9-b04c-07070f32b88e
{
"id": "2587dd42-4530-4bc9-b04c-07070f32b88e",
"credentials": {
"oidc": {
"type": "oidc",
"identifiers": [
"w6d-kratos-oauth2:9482408"
],
"access_token": "gho_xxxxxxxxxxxxxxxxxxxxxx",
"created_at": "2021-09-29T19:12:48.477763Z",
"updated_at": "2021-09-29T19:12:48.477763Z"
},
"password": {
"type": "password",
"identifiers": [
"david.alexandre@w6d.io"
],
"created_at": "2021-09-29T19:12:48.481521Z",
"updated_at": "2021-09-29T19:12:48.481521Z"
}
},
... after
|
great Just one thing
but the password part disappear if I do
I understand that the password should not appear but I expected at least to see the same information |
Yeah, that makes sense! |
…1818) This patch introduces the new `include_credential` query parameter to the `GET /identities` endpoint which allows administrators to receive the initial access, refresh, and ID tokens from Social Sign In (OpenID Connect / OAuth 2.0) flows. These tokens can be stored in an encrypted format (XChaCha20Poly1305 or AES-GCM) in the database if an appropriate encryption secret is set. To get started easily these values are not encrypted per default. For more information head [over to the docs](https://kratos/docs/guides/retrieve-social-sign-in-access-refresh-id-token). Closes #1518 Closes #397
Related issue
#397
@aeneasr
Proposed changes
Checklist
For the moment it's more a draft and test will be done later
contributing code guidelines.
vulnerability. If this pull request addresses a security. vulnerability, I
confirm that I got green light (please contact
security@ory.sh) from the maintainers to push
the changes.
works.
Further comments