Implement refreshing with Google #1180
Conversation
|
This is a big PR so I just have some overall questions before I dive into a review. How does the migration work? If a user already has a refresh token in the system, then they upgrade dex, what happens to the connector data associated with that refresh token? |
|
At present, they lose it I believe. I had a look through the code to try and mitigate that but couldn't see anything obvious. I'm guessing if there is a solution it would be in the storage section of the codebase. Do the SQL/K8s/Etcd storage backends have migration scripts that can be amended? |
| } else { | ||
| connectorData = session.ConnectorData | ||
| } | ||
|
|
There was a problem hiding this comment.
I guess to allow migration some code could be added here, checking if the ConnectorData is present, if not check refresh object for it. But this means putting the ConnectorData field back in the struct and would probably mean this migration code would be there forever.
I guess it depends how important you think maintaining existing refresh tokens is
|
Did a little refactoring and built an image to make it easier for anyone wanting to test these changes: |
|
Have just tested this with an existing SQL DB and realised the migrations didn't work quite as I thought they did. I've fixed this now and migrations from existing installations are now working. New image |
|
There was also an error in the updater function for offline sessions in the SQL connector, this is now fixed. |
|
I'm using this now in conjunction with #1185, would love to see both mainlined. Let me know if I can help or test in any way. |
|
@ericchiang did you have a chance to review this PR ? |
JoelSpeed
force-pushed
the
refresh-tokens
branch
from
26a083f to
540969b
Compare
|
Rebased onto latest master |
|
@ericchiang @srenatus Just been talking about this on the K8s office hours, any chance either of you have time to review? |
|
Count me out for the next few months, please: I'm on parental leave. :)
…On Wed, 20 Feb 2019, 15:43 Joel Speed, ***@***.***> wrote:
@ericchiang <https://github.com/ericchiang> @srenatus
<https://github.com/srenatus> Just been talking about this on the K8s
office hours, any chance either of you have time to review?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1180 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AA1I7t2TNEqaU-WzHG3jW7icUg2IgmnZks5vPV8pgaJpZM4RxZAe>
.
|
|
Sorry, context switching back to this PR. Did the migration strategy ever get worked out? I'm particularly interested because dex is horizontally scalable, so we have to tolerate multiple versions of dex running at the same time during a live migration. What happens with the ConnectorData in that case? |
|
Is this PR still active somehow or is this effort kind of abandoned at this point? Would love to see this merged! |
|
I dropped the ball on this a bit, but will try and take a look at #1180 (comment) and respond within the next week, sorry for the delay |
JoelSpeed
force-pushed
the
refresh-tokens
branch
from
540969b to
af1d36f
Compare
|
@ericchiang I've reverted all of the changes to remove the old connector data and added some migration code in the final commit, WDYT? I'll squash all the reverts into their original commits to clean up the history if you are happy with this migration approach |
There was a problem hiding this comment.
This should be good to merge soon.
One point though. Dex may be running in a setup where there are multiple versions of dex. If we're running vN, then upgrade to vN+1, the later version will be writing fields that vN doesn't know about (and possibly overwritting due to marshaling quirks).
Can we introduce the ConnectorData in version vN+1, but don't store any data in it until vN+2? That way by deployments run vN+2 any other versions of dex will already understand how to interpret ConnectorData.
server/handlers.go
Outdated
| } | ||
| } else if len(refresh.ConnectorData) > 0 { | ||
| // Use the old connector data if it exists, should be deleted once used | ||
| connectorData = session.ConnectorData |
There was a problem hiding this comment.
Shouldn't this be refresh.ConnectorData?
connector/oidc/oidc.go
Outdated
| @@ -224,11 +248,7 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide | |||
| Username: claims.Username, | |||
| Email: claims.Email, | |||
| EmailVerified: claims.EmailVerified, | |||
| ConnectorData: []byte(token.RefreshToken), | |||
There was a problem hiding this comment.
nit: this should probably be a marshaled struct like the existing ConnectorData, in case we want to add additional data later.
There was a problem hiding this comment.
I'm not sure I follow. Isn't token.RefreshToken opaque (probably random) data? What struct would this be then? ... 💡 Oh I see.
type cd struct {
refreshToken []byte
}
// ...
identity = connector.Identity{
UserID: idToken.Subject,
Username: claims.Username,
Email: claims.Email,
EmailVerified: claims.EmailVerified,
ConnectorData: cd{refreshToken: []byte(token.RefreshToken)},
}....yeah I think some kind of struct would be better here. 👍
server/handlers.go
Outdated
| @@ -485,6 +485,41 @@ func (s *Server) finalizeLogin(identity connector.Identity, authReq storage.Auth | |||
| s.logger.Infof("login successful: connector %q, username=%q, email=%q, groups=%q", | |||
| authReq.ConnectorID, claims.Username, email, claims.Groups) | |||
|
|
|||
| if _, ok := conn.(connector.RefreshConnector); ok { | |||
There was a problem hiding this comment.
nit: Maybe avoid this indenting?
returnURL := path.Join(s.issuerURL.Path, "/approval") + "?req=" + authReq.ID
refreshConn, ok := conn.(connector.RefreshConnector)
if !ok {
return returnURL, nil
}
session, err := s.storage.GetOfflineSessions(identity.UserID, authReq.ConnectorID)
if err != nil {
if err != storage.ErrNotFound {
// ...
}
if err := s.storage.CreateOfflineSessions(...) {
// ...
}
return returnURL, nil
}
if err := s.storage.UpdateOfflineSessions(
...
); err != nil {
// ...
}
return returnURL, nil
|
Also please squash 😃 |
|
@JoelSpeed is this PR still alive? Would love to see it go in. |
Hey, yeah it is, sorry for the delay, hoping to get some time to work on it next week, it's been pretty low priority for me unfortunately
@ericchiang I'll try and create a PR to do this next week and we can go from there. Is it worth having the fallback logic so that it tries to load from the future |
connector/oidc/oidc.go
Outdated
| } | ||
| token, err := c.oauth2Config.TokenSource(ctx, t).Token() | ||
| if err != nil { | ||
| return identity, fmt.Errorf("oidc: failed to get token: %v", err) |
There was a problem hiding this comment.
Can we make this say "... refresh token..." to differentiate it from the error logged above?
connector/oidc/oidc.go
Outdated
| @@ -224,11 +248,7 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide | |||
| Username: claims.Username, | |||
| Email: claims.Email, | |||
| EmailVerified: claims.EmailVerified, | |||
| ConnectorData: []byte(token.RefreshToken), | |||
There was a problem hiding this comment.
I'm not sure I follow. Isn't token.RefreshToken opaque (probably random) data? What struct would this be then? ... 💡 Oh I see.
type cd struct {
refreshToken []byte
}
// ...
identity = connector.Identity{
UserID: idToken.Subject,
Username: claims.Username,
Email: claims.Email,
EmailVerified: claims.EmailVerified,
ConnectorData: cd{refreshToken: []byte(token.RefreshToken)},
}....yeah I think some kind of struct would be better here. 👍
JoelSpeed
force-pushed
the
refresh-tokens
branch
from
5b84fc4 to
dd3e5b3
Compare
|
@srenatus and anyone else interested, I think I've fixed this up based on the comments provided so far, it's also been rebased on master so should now be conflict free! |
I didn't realise quite what the migration mechanism was. Have understood it now.
This reverts commit 27f3351.
This reverts commit 9c7ceabe8aebf6c740c237c5e76c21397179f901.
This reverts commit 228bdc324877bf67ecdd434503b9c1b25d8e7d28.
JoelSpeed
force-pushed
the
refresh-tokens
branch
from
bed6f4a to
3156553
Compare
|
@quantonganh I've rebased as requested, should be up to date with master now @bonifaido Do you have any time to review this? I think I've addressed all of the comments made so far I'm keen to get this done by the end of the year, I'm changing role and I'm not sure I'll have opportunity to test changes as easily from January |
|
Thanks @bonifaido and everyone else who has reviewed or had intrigue in this over the last couple of years! 🎉 |
Fixes: #863
I've read through the document provided in this comment by @ericchiang and implemented the changes he describes.
I've been testing it with the memory storage and connecting to Google so far and everything seems to be working (Added lots of Prints while debugging).
Have had two clients set up, logged the same user into A, then into B (updating the refresh token since A's is now invalid), then refreshed client A, which used the token retrieved by client B to refresh.
I believe this should now allow the creation of a specific Google connector, in turn allowing someone to implement retrieval of groups using their Admin Directory API