Skip to content

fix: call DeleteOpenIDConnectSession during successful authcode exchange#793

Merged
aeneasr merged 1 commit into
ory:masterfrom
cfryanr:fix-delete-openid-connect-session
Feb 13, 2024
Merged

fix: call DeleteOpenIDConnectSession during successful authcode exchange#793
aeneasr merged 1 commit into
ory:masterfrom
cfryanr:fix-delete-openid-connect-session

Conversation

@cfryanr

@cfryanr cfryanr commented Feb 12, 2024

Copy link
Copy Markdown
Contributor

Fixes #790. Please see description and comments in #790 for more information about why this is a necessary and safe change.

Remove deprecation of `DeleteOpenIDConnectSession` storage interface function and call it during
authorization code exchange. This function was not previously called. Implementors of the openid
storage interface who which to preserve the old behavior should implement this function as a
no-op which returns `nil`.

Related Issue or Design Document

Fixes #790.

Checklist

  • I have read the contributing guidelines and signed the CLA.
  • I have referenced an issue containing the design document if my change introduces a new feature.
  • I have read the security policy.
  • I confirm that this pull request does not address a security vulnerability.
    If this pull request addresses a security vulnerability,
    I confirm that I got approval (please contact security@ory.sh) from the maintainers to push the changes.
  • I have added tests that prove my fix is effective or that my feature works.
  • I have added the necessary documentation within the code base (if appropriate).

Further comments

@cfryanr cfryanr requested a review from aeneasr as a code owner February 12, 2024 18:58
@cfryanr

cfryanr commented Feb 12, 2024

Copy link
Copy Markdown
Contributor Author

The format check seems to have failed complaining about almost every copyright date in the repo. Please advise if I should update any copyright dates in this PR.

@aeneasr aeneasr merged commit c0b30f6 into ory:master Feb 13, 2024
@aeneasr

aeneasr commented Feb 13, 2024

Copy link
Copy Markdown
Member

Nice! I recently found the same issue on our prod system. I think we can also delete the PKCE entry if it's not already being deleted

@james-d-elliott

Copy link
Copy Markdown
Contributor

Small aside, this makes me think there is an issue with the tests since there is only one mock EXPECT added for DeleteOpenIDConnectSession.

@cfryanr

cfryanr commented Feb 13, 2024

Copy link
Copy Markdown
Contributor Author

Thanks for accepting the PR.

I think we can also delete the PKCE entry if it's not already being deleted

I believe those are already correctly deleted here https://github.com/ory/fosite/blob/v0.46.0/handler/pkce/handler.go#L133.

Small aside, this makes me think there is an issue with the tests since there is only one mock EXPECT added for DeleteOpenIDConnectSession.

I added two EXPECTs in the PR. One for each pre-existing happy path unit test.

@aeneasr

aeneasr commented Feb 13, 2024

Copy link
Copy Markdown
Member

You're right - those are indeed already covered!

@james-d-elliott

Copy link
Copy Markdown
Contributor

I added two EXPECTs in the PR. One for each pre-existing happy path unit test.

Oh your right my bad. I swore when I looked at the "should pass" test it didn't have one. Was really confusing why it was passing without it. But it's there!

james-d-elliott pushed a commit to james-d-elliott/fosite that referenced this pull request Feb 15, 2024
…nge (ory#793)

Remove deprecation of `DeleteOpenIDConnectSession` storage interface function and call it during
authorization code exchange. This function was not previously called. Implementors of the openid
storage interface who which to preserve the old behavior should implement this function as a
no-op which returns `nil`.

Fixes ory#790
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

openid session storage should be deleted when the authcode is exchanged

3 participants