Refreshed visitor access token does not have Roles directly assigned from ExtCell. #516

Closed
dixonsiu opened this issue Nov 18, 2019 · 2 comments · Fixed by #557

dixonsiu commented Nov 18, 2019

Problem

When a visitor access token is refreshed, the role information directly assigned from ExtCell entries is missing.

This problem has been there for years but somehow has not been found so far, since it can only be observed after the token is refreshed (usually after the 1 hr expiration time).

Original Incident (from dixon)

It seems that the refreshed visitor token is not working.

Below are the introspected results of the tokens.

ME

Both access token and refreshed access token can access own Cell's box.

  1. Access token ("AR~vsF") to access my box:
     {
       "sub": "https://dixonsiu.appdev.personium.io/#me",
       "iss": "https://dixonsiu.appdev.personium.io/",
       "active": true,
       "exp": 1574153285,
       "iat": 1574066885,
       "client_id": "https://app-personium-calendar.appdev.personium.io/",
       "p_roles": [
       ]
     }

  2. Refresh token ("RR~2XfU") of the above:
     {
       "sub": "https://dixonsiu.appdev.personium.io/#me",
       "iss": "https://dixonsiu.appdev.personium.io/",
       "active": true,
       "exp": 1574153287,
       "iat": 1574066887,
       "client_id": "https://app-personium-calendar.appdev.personium.io/",
       "p_roles": [
       ]
     }

  3. Refreshed access token ("AR~_s0icPE") of 1:
     {
       "sub": "https://dixonsiu.appdev.personium.io/#me",
       "iss": "https://dixonsiu.appdev.personium.io/",
       "active": true,
       "exp": 1574070487,
       "iat": 1574066887,
       "client_id": "https://app-personium-calendar.appdev.personium.io/",
       "p_roles": [
       ]
     }

Friend

Only the access token can access a friend's box. After it is refreshed, it no longer accesses the friend's box.

  1. Access token ("AV~cqp4...") to access a friend's box:
     p_roles not empty.

     {
       "sub": "https://dixonsiu.appdev.personium.io/#me",
       "aud": null,
       "iss": "https://shimono.appdev.personium.io/",
       "active": true,
       "exp": 1574068163,
       "iat": 1574064563,
       "client_id": "https://app-personium-calendar.appdev.personium.io/",
       "p_roles": [
         "https://appdev.personium.io/shimono/__role/calendar/CalendarViewer",
         "https://appdev.personium.io/shimono/__role/app-myboard/MyBoardViewer"
       ]
     }

  2. Refresh token ("RV~DrEWrl...") of the above:
     {
       "active": false
     }

  3. Refreshed access token ("AV~bhYm2-...") of 1:
     p_roles are empty.

     {
       "sub": "https://dixonsiu.appdev.personium.io/#me",
       "aud": null,
       "iss": "https://shimono.appdev.personium.io/",
       "active": true,
       "exp": 1574068286,
       "iat": 1574064686,
       "client_id": "https://app-personium-calendar.appdev.personium.io/",
       "p_roles": [
       ]
     }

@dixonsiu dixonsiu added the bug label Nov 18, 2019
@dixonsiu dixonsiu added this to Backlog in Current Work via automation Nov 18, 2019
@shimono shimono changed the title Refreshed visitor token cannot access target Cell's box Visitor Refreshed Token cannot access target Cell's box Nov 18, 2019
@shimono shimono changed the title Visitor Refreshed Token cannot access target Cell's box Refreshed Visitor Access Token cannot access target Cell's box Nov 18, 2019

shimono commented Nov 19, 2019

Now, after writing some tests trying to reproduce the problem, I still cannot reproduce it, but I have noticed that the role URL is in path-based format whereas the unit is obviously run in sub-domain mode. Probably the problem lies somewhere around here.
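As an added example (not Personium's code and not posted by either participant), the following Python check turns the two observations in this thread into a regression test: it compares the introspection response of an original visitor access token with that of the token obtained by refreshing it, and reports any role that was present before and is gone afterwards. Because the second comment points out that role URLs may appear in path-based form while the unit runs in sub-domain mode, roles are compared after normalising both layouts to a (cell, box, role) triple. The assumed layouts, path-based `https://<unit>/<cell>/__role/<box>/<role>` and sub-domain `https://<cell>.<unit>/__role/<box>/<role>`, are an assumption of this example, as is the unit host `appdev.personium.io` read off the URLs above; the sample introspection results are constructed from the values in the first comment.

```python
from urllib.parse import urlparse

# Unit FQDN taken from the issuer URLs in the issue; an assumption of this example.
UNIT_HOST = "appdev.personium.io"


def normalize_role_url(url, unit_host=UNIT_HOST):
    """Map a role URL to (cell, box, role), accepting both assumed layouts:
    path-based  https://<unit>/<cell>/__role/<box>/<role>
    sub-domain  https://<cell>.<unit>/__role/<box>/<role>
    """
    p = urlparse(url)
    host = p.hostname or ""
    parts = [s for s in p.path.split("/") if s]
    if host == unit_host:
        if len(parts) != 4 or parts[1] != "__role":
            raise ValueError(f"unrecognised path-based role URL: {url}")
        return (parts[0], parts[2], parts[3])
    suffix = "." + unit_host
    if host.endswith(suffix):
        cell = host[: -len(suffix)]
        if len(parts) != 3 or parts[0] != "__role":
            raise ValueError(f"unrecognised sub-domain role URL: {url}")
        return (cell, parts[1], parts[2])
    raise ValueError(f"role URL not under unit {unit_host}: {url}")


def check_refresh(original, refreshed, unit_host=UNIT_HOST):
    """Return a list of findings; an empty list means the refresh preserved
    the identity claims and every role of the original token."""
    findings = []
    if not refreshed.get("active"):
        findings.append("refreshed token is not active")
        return findings
    for claim in ("sub", "iss", "client_id"):
        if original.get(claim) != refreshed.get(claim):
            findings.append(f"claim {claim!r} changed: {original.get(claim)!r} -> {refreshed.get(claim)!r}")
    if refreshed.get("exp", 0) <= refreshed.get("iat", 0):
        findings.append("refreshed token expires before it was issued")
    before = {normalize_role_url(u, unit_host) for u in original.get("p_roles", [])}
    after = {normalize_role_url(u, unit_host) for u in refreshed.get("p_roles", [])}
    lost = sorted(before - after)
    if lost:
        findings.append("roles lost on refresh: " + ", ".join("/".join(r) for r in lost))
    return findings


# Constructed sample data, copied from the introspection results in the report.
ME_ORIGINAL = {
    "sub": "https://dixonsiu.appdev.personium.io/#me",
    "iss": "https://dixonsiu.appdev.personium.io/",
    "active": True, "exp": 1574153285, "iat": 1574066885,
    "client_id": "https://app-personium-calendar.appdev.personium.io/",
    "p_roles": [],
}
ME_REFRESHED = dict(ME_ORIGINAL, exp=1574070487, iat=1574066887)

FRIEND_ORIGINAL = {
    "sub": "https://dixonsiu.appdev.personium.io/#me",
    "aud": None,
    "iss": "https://shimono.appdev.personium.io/",
    "active": True, "exp": 1574068163, "iat": 1574064563,
    "client_id": "https://app-personium-calendar.appdev.personium.io/",
    "p_roles": [
        "https://appdev.personium.io/shimono/__role/calendar/CalendarViewer",
        "https://appdev.personium.io/shimono/__role/app-myboard/MyBoardViewer",
    ],
}
FRIEND_REFRESHED = dict(FRIEND_ORIGINAL, exp=1574068286, iat=1574064686, p_roles=[])

if __name__ == "__main__":
    print("own cell:", check_refresh(ME_ORIGINAL, ME_REFRESHED) or "ok")
    print("friend cell:", check_refresh(FRIEND_ORIGINAL, FRIEND_REFRESHED) or "ok")
```

Run against the constructed data, the own-cell pair yields no findings (both tokens carry no roles, so nothing can be lost), while the friend-cell pair reports both ExtCell-assigned roles as lost, which is exactly the symptom the issue describes. Normalising the URLs first means the check does not raise a false alarm if the refreshed token were to carry the same roles in sub-domain form.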

@shimono shimono moved this from Backlog to To do in Current Work Nov 20, 2019
@shimono shimono moved this from To do to In progress in Current Work Nov 20, 2019
@shimono shimono moved this from In progress to Review in progress in Current Work Dec 26, 2019
@shimono shimono moved this from Review in progress to Done in Current Work Dec 26, 2019
@shimono shimono added this to the 1.7.21 milestone Mar 3, 2020
@shimono shimono moved this from Done to In progress in Current Work Mar 3, 2020
shimono added a commit to shimono/personium-core that referenced this issue Mar 4, 2020
shimono added a commit to shimono/personium-core that referenced this issue Mar 4, 2020
@shimono shimono moved this from In progress to Review in progress in Current Work Mar 5, 2020
@shimono shimono changed the title Refreshed Visitor Access Token cannot access target Cell's box Refreshed visitor access token does not have Roles directly assigned from ExtCell. Mar 5, 2020

shimono commented Mar 5, 2020

Problem analyzed and fixed. (Issue title and description also changed accordingly.)

Current Work automation moved this from Review in progress to Done Mar 18, 2020