Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Add rotation support for client secrets #608

Merged
merged 1 commit into from
Jun 18, 2021

Conversation

rplnt
Copy link
Contributor

@rplnt rplnt commented Jun 9, 2021

Related issue

Issue: #590
Discussed with: @aeneasr

Proposed changes

The aim of this PR is to introduce support for rotation of client's secrets.
New interface is created that extends fosite.Client so as not to break compatibility of custom clients. The fosite.DefaultClient implements this interface by introducing RotatedSecrets field. When not set (nil), the functionality stays the same as before.

Checklist

  • I have read the contributing guidelines
    and signed the CLA.
  • I have read the security policy.
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security vulnerability, I
    confirm that I got green light (please contact
    security@ory.sh) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature
    works.
  • I have added necessary documentation within the code base (if
    appropriate).

Further comments

Detail of how the change above is utilized in the fosite code:

  1. check regular (main, current) secret by using GetHashedSecret method
  2. if 1. fails, try to see if provided client implements fosite.ClientWithSecretRotation
  3. if 2. succeeds, call GetRotatedHashes and loop over provided hashes to compare the secret

Some questions I have:

  • I'm not sure if the addition of this feature is documented enough, or if there is some other place I could add it to?
  • By having the checkClientSecret method be private, I'm unable to test it directly, so only a few basic scenarios were added testing it via the methods that use it. Should I opt for public method just in order to test it better? Any other preference?

@aeneasr aeneasr self-requested a review June 11, 2021 10:42
@aeneasr aeneasr self-assigned this Jun 11, 2021
Copy link
Member

@aeneasr aeneasr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome, thank you for your contribution! This looks very good. Just one or two minor things :)

@@ -512,6 +537,28 @@ func TestAuthenticateClient(t *testing.T) {
}
}

// func TestCheckClientSecret(t *testing.T) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you want to enable this test or remove it? :)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tried to clean commit history and somewhat ended up with this there :)

Removed it now, but it relates to my last question.

add new interface and implement it for
@aeneasr
Copy link
Member

aeneasr commented Jun 17, 2021

Thank you! I think this looks good. Documentation could be added in the README, otherwise we don't really have docs. Regarding the tests, I think the current set up is sufficient!

Sorry for the long review time, I missed the force push in my notifications :/

@rplnt
Copy link
Contributor Author

rplnt commented Jun 17, 2021

@aeneasr It's all right, just let me know if there's something else needed.

Haven't found a great section to put it into, but it's in the example that is in the readme at least.

@aeneasr
Copy link
Member

aeneasr commented Jun 18, 2021

Maybe you could do a follow up PR in https://github.com/ory/fosite-example/ ? With rotation enabled there. I think that's probably the best option.

Merging this one :)

@seamory
Copy link

seamory commented Sep 9, 2022

I'm confuse what does the RotatedSecrets do? Anyone who can help me explain it? Thanks.

@rplnt
Copy link
Contributor Author

rplnt commented Sep 9, 2022

@seamory You can set RotatedSecrets in DefaultClient as a slice of secrets and when the main secret check fails the rotated secrets are checked instead. The purpose is to be able to rotate secrets without any disruption (or synchronisation between services) as multiple secrets can be valid at the same time.

Have a look here ory/fosite-example#33 (it's using changes in NewExampleStore from this PR)

@seamory
Copy link

seamory commented Sep 9, 2022

@seamory You can set RotatedSecrets in DefaultClient as a slice of secrets and when the main secret check fails the rotated secrets are checked instead. The purpose is to be able to rotate secrets without any disruption (or synchronisation between services) as multiple secrets can be valid at the same time.

Have a look here ory/fosite-example#33 (it's using changes in NewExampleStore from this PR)

Thanks, i'm clear now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants