Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PXP-6617 Remove scopes from aud claim in tokens #839

Merged
merged 34 commits into from
Jun 7, 2021
Merged

PXP-6617 Remove scopes from aud claim in tokens #839

merged 34 commits into from
Jun 7, 2021

Conversation

vpsx
Copy link
Contributor

@vpsx vpsx commented Sep 23, 2020
edited
Loading

Remove scopes from aud claim in Fence-issued tokens. Add custom scope claim for scopes, along with custom validation. Use and validate aud claim as originally intended. (Previously, the aud claim was being used for both audiences and scopes, and Fence/authutils had custom validation logic for the aud claim.)

Greater detail in the commit messages.

For a short definition of the aud claim see here.

Requires these changes to authutils: uc-cdis/authutils#47

New Features

Breaking Changes

  • Remove scopes from "aud" claim in Fence-issued tokens. This means that in general, old tokens (minted by previous Fence releases) will not pass validation by this Fence.
  • Access tokens will still include scopes for compatibility with other microservices, but scopes are no longer guaranteed and should no longer be expected in the aud claim from this version on. ID tokens, refresh tokens, and API keys will not have scopes in the aud claim.
  • Add custom "scope" claim in tokens and put scopes there instead. Custom validation for scopes claim added in Authutils 6.0.1
  • Add issuer to "aud" claim (alongside other aud values--so when there is a Fence client involved, this means the aud claim will include both Fence's BASE_URL and the client_id)
  • Remove custom "aud" claim validation and use normal validation instead (by bumping to Authutils 6.0.1). This means checking that the aud claim contains a value that identifies the consuming service, i.e. Fence's BASE_URL.

Bug Fixes

Improvements

Dependency updates

Requires authutils 6.0.1.

Deployment changes

  • This commit includes patches to allow old style refresh tokens and API keys to pass new style validation, while issuing new style refresh tokens and API keys. Since refresh tokens and API keys have a default TTL of 30 days, stay on this tag for 30 days if possible.
  • Old access tokens will NOT work once this is deployed so active sessions may be temporarily interrupted.

@github-actions
Copy link

github-actions bot commented Sep 23, 2020
edited
Loading

The style in this PR agrees with black. ✔️

This formatting comment was generated automatically by a script in uc-cdis/wool.

@vpsx vpsx mentioned this pull request Sep 23, 2020
Merged
@coveralls
Copy link

coveralls commented Sep 23, 2020
edited
Loading

Pull Request Test Coverage Report for Build 11137

  • 32 of 55 (58.18%) changed or added relevant lines in 9 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage decreased (-0.09%) to 70.684%
Changes Missing Coverage Covered Lines Changed/Added Lines %
fence/oidc/grants/refresh_token_grant.py 4 7 57.14%
fence/resources/storage/cdis_jwt.py 3 7 42.86%
fence/jwt/validate.py 3 19 15.79%
Totals Coverage Status
Change from base Build 11098: -0.09%
Covered Lines: 6047
Relevant Lines: 8555
💛 - Coveralls

@vpsx vpsx force-pushed the fix/jwt-aud branch 2 times, most recently from b46f5cb to 69da6dd Compare September 23, 2020 21:43
@lgtm-com
Copy link

lgtm-com bot commented Sep 23, 2020

This pull request fixes 1 alert when merging 69da6dd into ed8b837 - view on LGTM.com

fixed alerts:

  • 1 for Unused import

@lgtm-com
Copy link

lgtm-com bot commented Oct 9, 2020

This pull request fixes 1 alert when merging 363a4a5 into 50ff568 - view on LGTM.com

fixed alerts:

  • 1 for Unused import

@vpsx vpsx force-pushed the fix/jwt-aud branch 2 times, most recently from de3694a to 9416236 Compare April 29, 2021 22:00
This was referenced May 26, 2021
Merged
Merged
vpsx added 15 commits May 27, 2021 09:47
@vpsx
fix(jwt-aud): Rm scopes from aud claim in id tokens
7a51d60 
* Don't pass scope to audiences arg in generate_token_response
* In generate_id_token itself:
* Don't append to audiences itself; instead make a copy
* Check if client_id is None
* Don't include aud claim in token if aud is empty
@vpsx
feat(scope): Add JWT scope validation
e9548d8 
* New scope arg in validate_jwt defaults to {'openid'} but allows None
* No longer use aud claim for scopes
@vpsx
fix(aud): Pass aud to validate_jwt as string, not set
b510bfc
@vpsx
feat(scope): pass scope=None when validating session tokens
04f7da8
@vpsx
feat(scopes): Add scope claim to oidc tokens
90ecb17 
* add separate scope claim to id, refresh tkns (already in access tkns)
* rm scopes from aud claim in all tokens
* set aud claim to client_id in all oidc tokens
* also do all of the above for user API key
* update docstrings some fence.jwt.token functions
@vpsx
feat(scope): pass scopes to generate_[implicit,token]_response
9de4879
@vpsx
fix(aud): Validate aud claim in refresh token grant flow
6df3762
@vpsx
feat(scope): add scope claim to claims_supported
5e731d0
@vpsx
fix(aud): Look for scopes in scope not aud claim when validating refr…
67fd871 
…esh token
@vpsx
fix(aud): Skip aud validation in login_required fn
44b977e 
* see TECHDEBT.md for context
* also rm unused has_oauth import
@vpsx
fix(aud-to-scope): authutils require_auth_header now takes scope arg …
7760681 
…not aud arg
@vpsx
fix(aud-scope): Don't include aud in API keys; fix API key validation
72796f8
@vpsx
fix(scope): change scope param to set in require_auth_header
315d470
@vpsx
fix(aud-scope): Fix validate_request argument
5d70405
@vpsx
fix(aud-scope): Don't validate aud when blacklisting tokens
42539f3 
* previously passed 'openid' only to appease validation code, bc using aud for scopes
This was referenced Aug 31, 2021
Merged
Closed
Closed
@PlanXCyborg PlanXCyborg mentioned this pull request Sep 14, 2021
Merged
This was referenced Sep 23, 2021
Closed
Closed
This was referenced Oct 19, 2021
Merged
Merged
Merged
@PlanXCyborg PlanXCyborg mentioned this pull request Nov 17, 2021
Merged
This was referenced Nov 29, 2021
Merged
Merged
Closed
@paulineribeyre paulineribeyre mentioned this pull request Dec 13, 2021
Merged
@PlanXCyborg PlanXCyborg mentioned this pull request Dec 14, 2021
Merged
This was referenced Mar 18, 2022
Closed
Merged
This was referenced Mar 29, 2022
Closed
Closed
This was referenced Apr 30, 2022
Closed
Closed
This was referenced Jun 23, 2022
Closed
Closed
@PlanXCyborg PlanXCyborg mentioned this pull request Sep 14, 2022
Merged
@PlanXCyborg PlanXCyborg mentioned this pull request Oct 21, 2022
Closed
This was referenced Dec 18, 2023
Open
Open
Open
Open
@github-actions github-actions bot mentioned this pull request Aug 15, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Avantol13 Avantol13 Avantol13 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@vpsx @coveralls @Avantol13 @PlanXCyborg