feat: track oidc token #1518
feat: track oidc token #1518
Conversation
This feature introduce a crypt/decrypt package use for access/refresh token for now Signed-off-by: David ALEXANDRE <david.alexandre@w6d.io>
Signed-off-by: David ALEXANDRE <david.alexandre@w6d.io>
remove useless handler improve general identity handler
david972
force-pushed
the
track-oidc-tokens
branch
from
f550994
to
7c66599
Compare
This feature introduce a crypt/decrypt package use for access/refresh token for now Signed-off-by: David ALEXANDRE <david.alexandre@w6d.io>
Signed-off-by: David ALEXANDRE <david.alexandre@w6d.io>
remove useless handler improve general identity handler
|
currently I put all code the general identity get but I planned to move it to elsewhere if the way is validated I’ll update the tests later |
|
Thank you for the changes! I will be able to review them next week! :) |
|
I tried pushing some changes required for merging the PR to your fork & branch, but it appears that I am not allowed to do so 😕 But the good news is, giving access is easy! If the repository belongs to an organization, please add me for the project as a collaborator! |
|
just did it |
# Conflicts: # contrib/quickstart/kratos/email-password/kratos.yml # go.mod # go.sum
|
ok thank for the review |
|
I assume that I can add some unit test now |
|
I still have a few items, wait a few more minutes .) |
There was a problem hiding this comment.
Thank you! Here are some ideas. I also pushed a few changes to the naming conventions. Of course, we still need lots of tests :)
I am on holiday on friday-sunday so I can either review it tomorrow again, or next week. This is now on my priority list to get merged :)
selfservice/strategy/oidc/types.go
Outdated
| EncryptedAccessToken []byte `json:"encrypted_access_token"` | ||
| EncryptedRefreshToken []byte `json:"encrypted_refresh_token"` |
There was a problem hiding this comment.
Make these a string as []byte is base64 encoded by encoding/json
There was a problem hiding this comment.
I did but I don't know why maybe a mistake on my side but wrap and unwrap the encrypted data goes wrong.
There was a problem hiding this comment.
Yes just retried this and it did not work due to non-printable character
|
Looks like my comment partially didn't make it - the tests for the schema can be added here: https://github.com/ory/kratos/tree/master/test/schema |
|
ok I on the change try to do it before your holiday |
|
awesome! :) |
|
Sorry I've got some personal issues |
aeneasr
force-pushed
the
track-oidc-tokens
branch
from
5074b6f
to
572c970
Compare
There was a problem hiding this comment.
Hello @david972 - this is some great stuff here! Good job! Sorry it took so long to review - cryptography just takes a lot of time to look into.
I have made a couple of adjustments, but nothing too critical. One important thing would be to move the github-app feature into a spearate PR.
Another thing is regarding the required secret. I was thinking about the impact on people getting started with Ory Kratos. I remember when we introduced this feature to Ory Hydra, it was very confusing to people at first. They often lost the keys, mixed them up, and in general had issues with managing encryption keys.
So I wonder if it would make sense to have one cypher which is a noop, and use that per default? That noop cipher would not need any secret and would be the default.
If you want tighter security, you would then use e.g. xchacha-poly1305.
What do you think about that?
Thanks
Yes that sound good too me to do. And actually it let people manage whether they want or not encrypting theirs data If you give me you go I can do it very quickly |
|
You have my go! :) |
|
An other point is regarding the schema validation that require the secret how can we set it as mandatory if people choose a cypher ? |
|
It is possible with if/then - we have one example here: https://github.com/ory/kratos/blob/master/driver/config/.schema/config.schema.json#L1858 |
|
Ah and please don't forget to add the new docs page to the sidebar :) |
|
you right I had forgotten |
|
right now I fight with schema 😉 |
update sidebar docs improve schema validation and add test remove use less statement from Makefile
|
@david972 currently on vacation, but will try to give it a review as soon as I have some stable internet :) |
| Subject string `json:"subject"` | ||
| Provider string `json:"provider"` | ||
| EncryptedAccessToken string `json:"encrypted_access_token"` | ||
| EncryptedRefreshToken string `json:"encrypted_refresh_token"` | ||
| } |
There was a problem hiding this comment.
Maybe add initial_id_token too?
There was a problem hiding this comment.
What will this refer to ?
There was a problem hiding this comment.
Some systems issue an ID Token alongside the access_token. It will be available as id_token if set. Some applications might want to use this to perform additional checks! In general, this refers to OpenID Connect :)
There was a problem hiding this comment.
I saw that the id token is a jet that may contain audience and nonce. So that mean we should encrypt it as well
test/schema/fixtures/config.schema.test.failure/root.aliases_missing_secrets.yaml
Show resolved
Hide resolved
|
|
||
| func (i *Identity) getOIDCToken(r *http.Request, c cipher.Provider) error { | ||
| for credType, credential := range i.Credentials { | ||
| if credType != CredentialsTypeOIDC { |
There was a problem hiding this comment.
This is perfect- I just think you don’t need a new struct! Use what we already have with the credentials struct :)
update docs update schema validation
chore: comment useless type feat: move credential in credentials
|
Hi as discussed here is my proposal curl http://localhost:4434/identities/2587dd42-4530-4bc9-b04c-07070f32b88e
{
"id": "2587dd42-4530-4bc9-b04c-07070f32b88e",
"credentials": {
"oidc": {
"type": "oidc",
"identifiers": [
"w6d-kratos-oauth2:9482408"
],
"access_token": "gho_xxxxxxxxxxxxxxxxxxxxxx",
"created_at": "2021-09-29T19:12:48.477763Z",
"updated_at": "2021-09-29T19:12:48.477763Z"
},
"password": {
"type": "password",
"identifiers": [
"david.alexandre@w6d.io"
],
"created_at": "2021-09-29T19:12:48.481521Z",
"updated_at": "2021-09-29T19:12:48.481521Z"
}
},
...after |
great Just one thing but the password part disappear if I do I understand that the password should not appear but I expected at least to see the same information |
|
Yeah, that makes sense! |
…1818) This patch introduces the new `include_credential` query parameter to the `GET /identities` endpoint which allows administrators to receive the initial access, refresh, and ID tokens from Social Sign In (OpenID Connect / OAuth 2.0) flows. These tokens can be stored in an encrypted format (XChaCha20Poly1305 or AES-GCM) in the database if an appropriate encryption secret is set. To get started easily these values are not encrypted per default. For more information head [over to the docs](https://kratos/docs/guides/retrieve-social-sign-in-access-refresh-id-token). Closes #1518 Closes #397
Related issue
#397
@aeneasr
Proposed changes
Checklist
For the moment it's more a draft and test will be done later
contributing code guidelines.
vulnerability. If this pull request addresses a security. vulnerability, I
confirm that I got green light (please contact
security@ory.sh) from the maintainers to push
the changes.
works.
Further comments