[All] Fix handling of expired id tokens when userdata_from_id_token is True
#795
Conversation
This fix is only be relevant when `userdata_from_id_token` is True.
consideRatio
changed the title
userdata_from_id_token is True
There was a problem hiding this comment.
As you've pointed out this code is difficult to navigate, so ideally we should add a test.
test_refresh_user currently deletes the access_token to trigger a refresh
oauthenticator/oauthenticator/tests/test_generic.py
Lines 587 to 588 in 6d08bf2
so maybe we can parametrize it to test an expired id_token? Or refactor the test to mock
jwt.decode?
| # opt-in to what we want to check | ||
| verify_signature=False, | ||
| verify_aud=True, | ||
| verify_exp=True, | ||
| ), |
There was a problem hiding this comment.
| ), | |
| require=["exp"], | |
| ), |
https://pyjwt.readthedocs.io/en/stable/api.html
Warning
exp, iat and nbf will only be verified if present. Please pass respective value to require if you want to make sure that they are always present (and therefore always verified if verify_exp, verify_iat, and verify_nbf respectively is set to True).
|
This code looks good and sensible to me. To get started on a test, here's a way to create and validate an expired token: key = b'asdf'
expired_token = jwt.encode({"exp": time.time() - 10}, key)
jwt.decode(expired_token, key, algorithms=["HS256"])
---------------------------------------------------------------------------
ExpiredSignatureErrorWe could make it valid for one second and then wait for it to expire and call refresh. I'm not sure how easy mocking pyjwt verification into the future is via public APIs, but mocking |
|
If you are looking at this I would encourage you to combine this: #790 into the feature. Instead of looking at if the token is expired, look at if it is or is about to expire within some buffer. id tokens can be used outside the context of the refresh process for lots of useful things. Knowing they are not expired exactly when the refresh is called is not as helpful IMO. |
This is meant to resolve #793, which is an issue including an excellent overview of the situation.
DRAFT: I don't trust my own work yet, and think maybe the interaction between
refresh_useranduserdata_from_id_tokendoesn't make sense. If refresh_user is called, we shouldn't reuse the id_token no matter if its expired or not, right? I think we currently try to reuse it if refresh_user is called. Anyone is most welcome to take over by opening a new PR or pushing commits to this PR, I'm not confident I'll find time to figure this out properly.