
Track OIDC tokens #1818

Merged
merged 62 commits into from
Oct 12, 2021

Conversation

aeneasr
Member

@aeneasr aeneasr commented Oct 8, 2021

feat: API to return access, refresh, id tokens from social sign in

This patch introduces the new include_credential query parameter to the GET /identities endpoint which allows administrators to receive the initial access, refresh, and ID tokens from Social Sign In (OpenID Connect / OAuth 2.0) flows.

These tokens can be stored in an encrypted format (XChaCha20Poly1305 or AES-GCM) in the database if an appropriate encryption secret is set. To get started easily these values are not encrypted per default.

For more information head over to the docs.

Closes #1518
Closes #397

david972 and others added 30 commits July 12, 2021 23:28
This feature introduces a crypt/decrypt package used for access/refresh tokens for now

Signed-off-by: David ALEXANDRE <david.alexandre@w6d.io>
Signed-off-by: David ALEXANDRE <david.alexandre@w6d.io>
remove useless handler
improve general identity handler
This feature introduces a crypt/decrypt package used for access/refresh tokens for now

Signed-off-by: David ALEXANDRE <david.alexandre@w6d.io>
Signed-off-by: David ALEXANDRE <david.alexandre@w6d.io>
remove useless handler
improve general identity handler
# Conflicts:
#	contrib/quickstart/kratos/email-password/kratos.yml
#	go.mod
#	go.sum
docs: add reveal_credentials in api
docs: add reveal credential guide
docs: insert AES note in secret key rotations
config: set right attribute in config schema
config: improve SecretsAES method
add AES test in config
improvement: use cipher from registry in identity handler
chore: remove useless method and remove useless struct
Signed-off-by: David ALEXANDRE <david.alexandre@w6d.io>
fix aes test
@aeneasr aeneasr force-pushed the track-oidc-tokens branch from 1b9ccc8 to f4c8d08 on October 8, 2021 11:16
@aeneasr aeneasr force-pushed the track-oidc-tokens branch from 65cd7b5 to d9cda5c on October 8, 2021 12:48
@david972
Contributor

david972 commented Oct 8, 2021

Good.
Just one thing: if I do

curl 'http://localhost:4434/identities/2587dd42-4530-4bc9-b04c-07070f32b88e'
{
  "id": "2587dd42-4530-4bc9-b04c-07070f32b88e",
  "credentials": {
    "oidc": {
      "type": "oidc",
      "identifiers": [
        "w6d-kratos-oauth2:9482408",
        "w6d-kratos-test:9482408"
      ],
      "created_at": "2021-09-29T19:12:48.477763Z",
      "updated_at": "2021-10-08T20:29:49.946745Z"
    },
    "password": {
      "type": "password",
      "identifiers": [
        "david.alexandre@w6d.io"
      ],
      "created_at": "2021-09-29T19:12:48.481521Z",
      "updated_at": "2021-10-08T20:29:49.943148Z"
    }
  },
  "schema_id": "default",
  "schema_url": "http://127.0.0.1:4433/schemas/default",
  "state": "active",
  "traits": {
    "name": {
      "last": "ALEXANDRE",
      "first": "David"
    },
    "email": "david.alexandre@w6d.io"
  },
  "verifiable_addresses": [
    {
      "id": "1c9b6016-7325-493f-bd34-9daa1110ad9d",
      "value": "david.alexandre@w6d.io",
      "verified": false,
      "via": "email",
      "status": "sent",
      "created_at": "2021-09-29T19:12:48.472902Z",
      "updated_at": "2021-10-08T20:29:49.938865Z"
    }
  ],
  "recovery_addresses": [
    {
      "id": "cf7afd7a-d092-439d-a360-108408ccfc5c",
      "value": "david.alexandre@w6d.io",
      "via": "email",
      "created_at": "2021-09-29T19:12:48.475019Z",
      "updated_at": "2021-10-08T20:29:49.940551Z"
    }
  ],
  "created_at": "2021-09-29T19:12:48.47087Z",
  "updated_at": "2021-09-29T19:12:48.47087Z"
}

but the password part disappears if I do

curl 'http://localhost:4434/identities/2587dd42-4530-4bc9-b04c-07070f32b88e?include_credential=oidc'
{
  "id": "2587dd42-4530-4bc9-b04c-07070f32b88e",
  "credentials": {
    "oidc": {
      "type": "oidc",
      "identifiers": [
        "w6d-kratos-oauth2:9482408",
        "w6d-kratos-test:9482408"
      ],
      "config": {
        "providers": [
          {
            "initial_id_token": "",
            "subject": "9482408",
            "provider": "w6d-kratos-oauth2",
            "initial_access_token": "gho_xxxxxxxxxx",
            "initial_refresh_token": ""
          },
          {
            "initial_id_token": "",
            "subject": "9482408",
            "provider": "w6d-kratos-test",
            "initial_access_token": "ghu_xxxxxxxxxx",
            "initial_refresh_token": "ghr_xxxxxxxxxx"
          }
        ]
      },
      "created_at": "2021-09-29T19:12:48.477763Z",
      "updated_at": "2021-10-08T20:29:49.946745Z"
    }
  },
  "schema_id": "default",
  "schema_url": "http://127.0.0.1:4433/schemas/default",
  "state": "active",
  "traits": {
    "name": {
      "last": "ALEXANDRE",
      "first": "David"
    },
    "email": "david.alexandre@w6d.io"
  },
  "verifiable_addresses": [
    {
      "id": "1c9b6016-7325-493f-bd34-9daa1110ad9d",
      "value": "david.alexandre@w6d.io",
      "verified": false,
      "via": "email",
      "status": "sent",
      "created_at": "2021-09-29T19:12:48.472902Z",
      "updated_at": "2021-10-08T20:29:49.938865Z"
    }
  ],
  "recovery_addresses": [
    {
      "id": "cf7afd7a-d092-439d-a360-108408ccfc5c",
      "value": "david.alexandre@w6d.io",
      "via": "email",
      "created_at": "2021-09-29T19:12:48.475019Z",
      "updated_at": "2021-10-08T20:29:49.940551Z"
    }
  ],
  "created_at": "2021-09-29T19:12:48.47087Z",
  "updated_at": "2021-09-29T19:12:48.47087Z"
}

I understand that the password should not appear, but I expected at least to see the same information.

@david972
Contributor

david972 commented Oct 9, 2021

@aeneasr
What do you think?

@aeneasr
Member Author

aeneasr commented Oct 12, 2021

@david972 addressed!

@aeneasr aeneasr merged commit 198991a into master Oct 12, 2021
@aeneasr aeneasr deleted the track-oidc-tokens branch October 12, 2021 10:04
@aeneasr
Member Author

aeneasr commented Oct 12, 2021

@david972 thank you for your hard work!

@david972
Contributor

david972 commented Oct 12, 2021

@aeneasr
🎉
Awesome, long journey, happy to help with that.
Now let's go on to the search feature.

@factoidforrest

We are fetching the tokens using this feature, but where we are having difficulty is if someone unauthenticates our app from the OIDC host side, invalidating the token, and then reauthenticates again. It seems like, in this case, Kratos simply throws out the new tokens.
Granted, this is somewhat rare, but it's totally unrecoverable when it does happen, meaning we can never use these tokens. I suspect this is why they're called "initial" tokens.

I understand Hydra exists for this case, but I am also of the opinion that kratos has all the data it needs and a place to store it, it wouldn't be hard for it to do so.

Perhaps I am incorrect and we are not using it properly, we are mistaken, or have missed some configuration flag. Thanks!

@tdipadova3rd

> We are fetching the tokens using this feature, but where we are having difficulty is if someone unauthenticates our app from the OIDC host side, invalidating the token, and then reauthenticates again. It seems like, in this case, Kratos simply throws out the new tokens. Granted, this is somewhat rare, but it's totally unrecoverable when it does happen, meaning we can never use these tokens. I suspect this is why they're called "initial" tokens.
>
> I understand Hydra exists for this case, but I am also of the opinion that Kratos has all the data it needs and a place to store it; it wouldn't be hard for it to do so.
>
> Perhaps I am incorrect and we are not using it properly, we are mistaken, or have missed some configuration flag. Thanks!

@factoidforrest I see this issue as well. Why not replace the tokens on every login flow with the new ones issued by the OIDC provider?

Successfully merging this pull request may close these issues.

Keep track of Access and Refresh Tokens from OIDC flows