-
Notifications
You must be signed in to change notification settings - Fork 562
feat(auth): bind DCR client credentials to issuing authorization server (SEP-2352) #998
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -200,6 +200,8 @@ pub struct StoredCredentials { | |
| pub granted_scopes: Vec<String>, | ||
| #[serde(default)] | ||
| pub token_received_at: Option<u64>, | ||
| #[serde(default)] | ||
| pub issuer: Option<String>, | ||
| } | ||
|
|
||
| impl std::fmt::Debug for StoredCredentials { | ||
|
|
@@ -212,6 +214,7 @@ impl std::fmt::Debug for StoredCredentials { | |
| ) | ||
| .field("granted_scopes", &self.granted_scopes) | ||
| .field("token_received_at", &self.token_received_at) | ||
| .field("issuer", &self.issuer) | ||
| .finish() | ||
| } | ||
| } | ||
|
|
@@ -229,6 +232,7 @@ impl StoredCredentials { | |
| token_response, | ||
| granted_scopes, | ||
| token_received_at, | ||
| issuer: None, | ||
| } | ||
| } | ||
| } | ||
|
|
@@ -1068,6 +1072,15 @@ impl AuthorizationManager { | |
| self.metadata = Some(metadata); | ||
| } | ||
|
|
||
| if let (Some(stored_issuer), Some(current_issuer)) = | ||
| (stored.issuer.as_deref(), self.metadata_issuer().as_deref()) | ||
|
Comment on lines
+1075
to
+1076
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. SEP-2352 explicitly says CIMD client IDs "are portable across authorization servers … No re-registration is required." The mismatch check here doesn't distinguish credential types. |
||
| { | ||
| if stored_issuer != current_issuer { | ||
| self.credential_store.clear().await?; | ||
| return Ok(false); | ||
| } | ||
|
Comment on lines
+1078
to
+1081
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Clearing stored credentials is destructive. Should we add a warning log here? |
||
| } | ||
|
|
||
| self.configure_client_id(&stored.client_id)?; | ||
| return Ok(true); | ||
| } | ||
|
|
@@ -1646,6 +1659,7 @@ impl AuthorizationManager { | |
| token_response: Some(token_result.clone()), | ||
| granted_scopes, | ||
| token_received_at: Some(Self::now_epoch_secs()), | ||
| issuer: self.metadata_issuer(), | ||
| }; | ||
| self.credential_store.save(stored).await?; | ||
|
|
||
|
|
@@ -1659,6 +1673,10 @@ impl AuthorizationManager { | |
| .as_secs() | ||
| } | ||
|
|
||
| fn metadata_issuer(&self) -> Option<String> { | ||
| self.metadata.as_ref().and_then(|m| m.issuer.clone()) | ||
| } | ||
|
|
||
| /// Proactive refresh buffer: refresh tokens this many seconds before they expire | ||
| /// to avoid races between token retrieval and the actual HTTP request. | ||
| const REFRESH_BUFFER_SECS: u64 = 30; | ||
|
|
@@ -1772,6 +1790,7 @@ impl AuthorizationManager { | |
| token_response: Some(token_result.clone()), | ||
| granted_scopes, | ||
| token_received_at: Some(Self::now_epoch_secs()), | ||
| issuer: self.metadata_issuer(), | ||
| }; | ||
| self.credential_store.save(stored).await?; | ||
|
|
||
|
|
@@ -2517,6 +2536,7 @@ impl AuthorizationManager { | |
| token_response: Some(token_result.clone()), | ||
| granted_scopes, | ||
| token_received_at: Some(Self::now_epoch_secs()), | ||
| issuer: self.metadata_issuer(), | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. We now stamp |
||
| }; | ||
| self.credential_store.save(stored).await?; | ||
|
|
||
|
|
@@ -2639,6 +2659,7 @@ impl AuthorizationManager { | |
| token_response: Some(token_result.clone()), | ||
| granted_scopes, | ||
| token_received_at: Some(Self::now_epoch_secs()), | ||
| issuer: self.metadata_issuer(), | ||
| }; | ||
| self.credential_store.save(stored).await?; | ||
|
|
||
|
|
@@ -3006,6 +3027,7 @@ impl OAuthState { | |
| token_response: Some(credentials), | ||
| granted_scopes, | ||
| token_received_at: Some(AuthorizationManager::now_epoch_secs()), | ||
| issuer: None, | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Since |
||
| }; | ||
| manager.credential_store.save(stored).await?; | ||
|
|
||
|
|
@@ -4345,6 +4367,7 @@ mod tests { | |
| token_response: Some(token_response), | ||
| granted_scopes: vec![], | ||
| token_received_at: None, | ||
| issuer: None, | ||
| }; | ||
| let debug_output = format!("{:?}", creds); | ||
|
|
||
|
|
@@ -5224,6 +5247,7 @@ mod tests { | |
| token_response: Some(make_token_response("my-access-token", Some(3600))), | ||
| granted_scopes: vec![], | ||
| token_received_at: Some(AuthorizationManager::now_epoch_secs()), | ||
| issuer: None, | ||
| }; | ||
| manager.credential_store.save(stored).await.unwrap(); | ||
|
|
||
|
|
@@ -5241,6 +5265,7 @@ mod tests { | |
| token_response: Some(make_token_response("stale-token", Some(3600))), | ||
| granted_scopes: vec![], | ||
| token_received_at: Some(AuthorizationManager::now_epoch_secs() - 7200), | ||
| issuer: None, | ||
| }; | ||
| manager.credential_store.save(stored).await.unwrap(); | ||
|
|
||
|
|
@@ -5259,6 +5284,7 @@ mod tests { | |
| token_response: Some(make_token_response("no-expiry-token", None)), | ||
| granted_scopes: vec![], | ||
| token_received_at: None, | ||
| issuer: None, | ||
| }; | ||
| manager.credential_store.save(stored).await.unwrap(); | ||
|
|
||
|
|
@@ -5276,6 +5302,7 @@ mod tests { | |
| token_response: Some(make_token_response("almost-expired", Some(3600))), | ||
| granted_scopes: vec![], | ||
| token_received_at: Some(AuthorizationManager::now_epoch_secs() - 3590), | ||
| issuer: None, | ||
| }; | ||
| manager.credential_store.save(stored).await.unwrap(); | ||
|
|
||
|
|
@@ -5294,6 +5321,7 @@ mod tests { | |
| token_response: Some(make_token_response("stale-token", Some(3600))), | ||
| granted_scopes: vec![], | ||
| token_received_at: Some(AuthorizationManager::now_epoch_secs() - 7200), | ||
| issuer: None, | ||
| }; | ||
| manager.credential_store.save(stored).await.unwrap(); | ||
|
|
||
|
|
@@ -5577,6 +5605,7 @@ mod tests { | |
| token_response: None, | ||
| granted_scopes: vec![], | ||
| token_received_at: None, | ||
| issuer: None, | ||
| }; | ||
| manager.credential_store.save(stored).await.unwrap(); | ||
|
|
||
|
|
@@ -5597,6 +5626,7 @@ mod tests { | |
| token_response: Some(make_token_response("old-token", Some(3600))), | ||
| granted_scopes: vec![], | ||
| token_received_at: Some(AuthorizationManager::now_epoch_secs()), | ||
| issuer: None, | ||
| }; | ||
| manager.credential_store.save(stored).await.unwrap(); | ||
|
|
||
|
|
@@ -5663,6 +5693,7 @@ mod tests { | |
| )), | ||
| granted_scopes: vec![], | ||
| token_received_at: Some(AuthorizationManager::now_epoch_secs()), | ||
| issuer: None, | ||
| }) | ||
| .await | ||
| .unwrap(); | ||
|
|
@@ -5868,6 +5899,7 @@ mod tests { | |
| )), | ||
| granted_scopes: vec!["read".to_string(), "write".to_string()], | ||
| token_received_at: Some(AuthorizationManager::now_epoch_secs()), | ||
| issuer: None, | ||
| }; | ||
| manager.credential_store.save(stored).await.unwrap(); | ||
|
|
||
|
|
@@ -5905,6 +5937,7 @@ mod tests { | |
| )), | ||
| granted_scopes: vec![], | ||
| token_received_at: Some(AuthorizationManager::now_epoch_secs()), | ||
| issuer: None, | ||
| }; | ||
| manager.credential_store.save(stored).await.unwrap(); | ||
|
|
||
|
|
@@ -5942,6 +5975,7 @@ mod tests { | |
| )), | ||
| granted_scopes: vec!["read".to_string()], | ||
| token_received_at: Some(AuthorizationManager::now_epoch_secs()), | ||
| issuer: None, | ||
| }; | ||
| manager.credential_store.save(stored).await.unwrap(); | ||
|
|
||
|
|
@@ -5979,6 +6013,7 @@ mod tests { | |
| )), | ||
| granted_scopes: vec![], | ||
| token_received_at: Some(AuthorizationManager::now_epoch_secs()), | ||
| issuer: None, | ||
| }; | ||
| manager.credential_store.save(stored).await.unwrap(); | ||
|
|
||
|
|
@@ -6017,6 +6052,7 @@ mod tests { | |
| )), | ||
| granted_scopes: vec![], | ||
| token_received_at: Some(AuthorizationManager::now_epoch_secs()), | ||
| issuer: None, | ||
| }; | ||
| manager.credential_store.save(stored).await.unwrap(); | ||
|
|
||
|
|
@@ -6080,6 +6116,7 @@ mod tests { | |
| )), | ||
| granted_scopes: vec![], | ||
| token_received_at: Some(AuthorizationManager::now_epoch_secs()), | ||
| issuer: None, | ||
| }; | ||
| manager.credential_store.save(stored).await.unwrap(); | ||
|
|
||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How can external
CredentialStoreimplementors setissuer?