Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feature: add client_auth_method=none into tokens for clients with empty secret #2504

Merged
merged 17 commits into from
Oct 24, 2023
Merged

feature: add client_auth_method=none into tokens for clients with empty secret #2504

merged 17 commits into from
Oct 24, 2023

Conversation

strehle
Copy link
Member

@strehle strehle commented Sep 26, 2023

Internally use empty, but write none into tokens. Externally use always none, but internally empty to distinguish in the flow.
The refresh flow with an empty secret is something we allow for now.

So a combination from #2435 (external view) and
#2447 (internal view)

strehle added 13 commits August 8, 2023 15:32
@strehle
feature: add client_auth_method=none into tokens for clients with emp…
f743c47 
…ty secret

e.g. cf client.
This allows clients to see, whats really used.
According to https://oauth.net/2.1/ the empty secret can be treated as public usage
@strehle
added tests
29694a8
@strehle
refactor
e35ac38
@strehle
refactor back
45a6c41
@strehle
more tests
20b06ff
@strehle
Merge branch 'develop' of github.com:cloudfoundry/uaa into feature/ad…
792309b 
…dClientAuthToEmptySecrets
@strehle
revert defaults
0f62a83
@strehle
allow empty secret if secret policy minLength == 0
3861aa9
@strehle
Add client_auth_method=empty and add addtional tests
735740e 
empty is a valid authentication with empty secret, however it is no OAuth2 standard
@strehle
Merge branch 'develop' of github.com:cloudfoundry/uaa into feature/ad…
0649c5e 
…dClientAuthToEmptySecretsOwnMethod
@strehle
refactor
5820ce9
@strehle
Merge branch 'develop' of github.com:cloudfoundry/uaa into feature/ad…
9db7440 
…dClientAuthToEmptySecretsOwnMethod
@strehle
feature: add client_auth_method=none into tokens for clients with emp…
1831fbe 
…ty secret

Internally use empty, but write none into tokens. Externally use always none, but internally empty to distinguish in the flow.
The refresh flow with an empty secret is something we allow for now.
@cf-gitbot
Copy link

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/186122537

The labels on this github issue will be updated when the story is started.

@strehle strehle added this to the user_token_fixes milestone Sep 26, 2023
@peterhaochen47 peterhaochen47 added the in_review The PR is currently in review label Sep 27, 2023
@strehle strehle mentioned this pull request Sep 27, 2023
Closed
@peterhaochen47
refactor: test names & fix typos
0a7433f 
- such that it's clearer what the test cases are
@peterhaochen47
Copy link
Member

peterhaochen47 commented Sep 27, 2023
edited
Loading

@strehle Based on the title & description of this PR, it seems that this PR's sole purpose is to inject an extra claim client_auth_method=none into the token if the client that originally requested this token is a public client (either no secret or empty string secret).

But when I look at all the tests added (I use the test changes to understand the exact implications of the code changes), it looks like the PR does more than that (for example, a test is added to forbid refresh request under some conditions)? Is that true? Or are these test "backfilled tests" testing existing logics of develop branch?

To help me understand this PR better, could you summarize, point by point, all the changes included in this PR. This will help me validate my understandings & help us find out what doc edits are required.

@strehle
Copy link
Member Author

strehle commented Sep 28, 2023

@strehle Based on the title & description of this PR, it seems that this PR's sole purpose is to inject an extra claim client_auth_method=none into the token if the client that originally requested this token is a public client (either no secret or empty string secret).

But when I look at all the tests added (I use the test changes to understand the exact implications of the code changes), it looks like the PR does more than that (for example, a test is added to forbid refresh request under some conditions)? Is that true? Or are these test "backfilled tests" testing existing logics of develop branch?

To help me understand this PR better, could you summarize, point by point, all the changes included in this PR. This will help me validate my understandings & help us find out what doc edits are required.

The inject of client_auth_method=none into the token was introduced with #2138 . The feature of allowing public scenarios like authorization code flow and refresh flow without any secret was added as new feature into UAA but with constraint of doing this only if we have a rotation of the refresh token. The rotation of the refresh token is a very important feature because it limits the risk of a stolen refresh token. This feature was done because of #1448 . The origin of it is https://oauth.net/2.1/ where public usages are explicitly mentioned.

And this blocks it right now, means the mix of the public refresh exchange with this approach to limit the empty secret. The empty secret and its refresh is an existing scenario which we cannot break.
For new features we can have limitations, like you get the public refresh only with a refresh rotation....

@strehle strehle changed the title feature: add client_auth_method=none into tokens for clients with empty secret (2) feature: add client_auth_method=none into tokens for clients with empty secret Sep 29, 2023
@strehle
Copy link
Member Author

strehle commented Sep 29, 2023

@peterhaochen47 please see this PR as replacement for #2435

@peterhaochen47
Copy link
Member

I'm trying to understand the original problem (that this PR is intended to help address) better: #2193 (comment)

@strehle
Copy link
Member Author

strehle commented Oct 3, 2023

I'm trying to understand the original problem (that this PR is intended to help address) better: #2193 (comment)

This PR is needed to solve failing test b) , see #2193 (comment)

because this change add client_auth_method=none to cf client autentication and then later we can use none to identiy that it was public and public-2-public should be ok

@strehle strehle removed this from the user_token_fixes milestone Oct 6, 2023
@strehle strehle removed the in_review The PR is currently in review label Oct 13, 2023
@strehle
Copy link
Member Author

strehle commented Oct 18, 2023

@peterhaochen47 After rebase this PR is smaller and therefore maybe you can now review this much faster ?

@peterhaochen47
Copy link
Member

peterhaochen47 commented Oct 19, 2023
edited
Loading

Based on your comment, I thought that this PR was mainly for resolving the failures in #2193 which I have requested to be closed. Do you now suggest that this PR be reviewed independently without considering #2193?

@strehle
Copy link
Member Author

strehle commented Oct 19, 2023

Do you now suggest that this PR be reviewed independently without considering #2193?

Yes please do so. I had the plan to re-use this, but we may wont fix user token.

However this PR is simply about that none should appear in access_token for a not existing secret and for an empty one, so that we can treat in future both as public usage.

@strehle
Copy link
Member Author

strehle commented Oct 24, 2023

FYI: this change is not related to #2571 even if topic is empty secret.

@strehle strehle merged commit 874c62d into develop Oct 24, 2023
19 checks passed
@strehle strehle deleted the feature/addClientAuthToNone4EmptySecrets branch October 24, 2023 11:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@peterhaochen47 peterhaochen47 peterhaochen47 approved these changes

@Tallicia Tallicia Awaiting requested review from Tallicia

@torsten-sap torsten-sap Awaiting requested review from torsten-sap

@adrianhoelzl-sap adrianhoelzl-sap Awaiting requested review from adrianhoelzl-sap

Assignees
No one assigned
Labels
None yet
Projects
Foundational Infrastructure Working Group
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@strehle @cf-gitbot @peterhaochen47