-
-
Notifications
You must be signed in to change notification settings - Fork 368
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Add rotation support for client secrets #608
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome, thank you for your contribution! This looks very good. Just one or two minor things :)
client_authentication_test.go
Outdated
@@ -512,6 +537,28 @@ func TestAuthenticateClient(t *testing.T) { | |||
} | |||
} | |||
|
|||
// func TestCheckClientSecret(t *testing.T) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you want to enable this test or remove it? :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tried to clean commit history and somewhat ended up with this there :)
Removed it now, but it relates to my last question.
add new interface and implement it for
Thank you! I think this looks good. Documentation could be added in the README, otherwise we don't really have docs. Regarding the tests, I think the current set up is sufficient! Sorry for the long review time, I missed the force push in my notifications :/ |
@aeneasr It's all right, just let me know if there's something else needed. Haven't found a great section to put it into, but it's in the example that is in the readme at least. |
Maybe you could do a follow up PR in https://github.com/ory/fosite-example/ ? With rotation enabled there. I think that's probably the best option. Merging this one :) |
I'm confuse what does the RotatedSecrets do? Anyone who can help me explain it? Thanks. |
@seamory You can set Have a look here ory/fosite-example#33 (it's using changes in |
Thanks, i'm clear now. |
Related issue
Issue: #590
Discussed with: @aeneasr
Proposed changes
The aim of this PR is to introduce support for rotation of client's secrets.
New interface is created that extends
fosite.Client
so as not to break compatibility of custom clients. Thefosite.DefaultClient
implements this interface by introducingRotatedSecrets
field. When not set (nil), the functionality stays the same as before.Checklist
and signed the CLA.
vulnerability. If this pull request addresses a security vulnerability, I
confirm that I got green light (please contact
security@ory.sh) from the maintainers to push
the changes.
works.
appropriate).
Further comments
Detail of how the change above is utilized in the fosite code:
GetHashedSecret
methodfosite.ClientWithSecretRotation
GetRotatedHashes
and loop over provided hashes to compare the secretSome questions I have:
checkClientSecret
method be private, I'm unable to test it directly, so only a few basic scenarios were added testing it via the methods that use it. Should I opt for public method just in order to test it better? Any other preference?