Page MenuHomeSoftware Heritage
Differential D5269

auth/backends: Fix cache TTL computation for OIDC profile
ClosedPublic
Actions

Authored by anlambert on Mar 17 2021, 5:50 PM.

Details

Reviewers
ardumont
Group Reviewers
Reviewers
Commits
rDWAPPS26e81f330e5b: auth/backends: Fix cache TTL computation for OIDC profile
Summary

The cache TTL for storing an OIDC profile must be computed from the
access token renewal date (iat field in decoded token) and not from
the OIDC session opening date (auth_time field in decoded token).

Previous implementation was computing a negative TTL (clamped to 0)
once the first issued refresh token was expired and thus the
authentication process was then failing.

Diff Detail

Repository
rDWAPPS Web applications
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

anlambert created this revision.Mar 17 2021, 5:50 PM
Herald added a reviewer: Reviewers. · View Herald TranscriptMar 17 2021, 5:50 PM
ardumont published this revision for review.Mar 17 2021, 5:54 PM
ardumont added a subscriber: ardumont.

Nice catch.

Smells like some change in swh-auth is in order heh :)

ardumont accepted this revision.Mar 17 2021, 5:54 PM
This revision is now accepted and ready to land.Mar 17 2021, 5:54 PM
swh-public-ci added a comment.Mar 17 2021, 5:58 PM

Build is green

Patch application report for D5269 (id=18881)

Rebasing onto a9aaeca40f...

Current branch diff-target is up to date.
Changes applied before test
commit 26e81f330e5b8c1294883a90efa7627f7472654b
Author: Antoine Lambert <antoine.lambert@inria.fr>
Date:   Wed Mar 17 17:43:45 2021 +0100

    auth/backends: Fix cache TTL computation for OIDC profile
    
    The cache TTL for storing an OIDC profile must be computed from the
    access token renewal date (iat field in decoded token) and not from
    the OIDC session opening date (auth_time field in decoded token).
    
    Previous implementation was computing a negative TTL (clamped to 0)
    once the first issued refresh token was expired and thus the
    authentication process was then failing.

See https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/625/ for more details.

Harbormaster completed remote builds in B19972: Diff 18881.Mar 17 2021, 5:58 PM
anlambert added a comment.EditedMar 17 2021, 6:00 PM
In D5269#133830, @ardumont wrote:

Nice catch.

Smells like some change in swh-auth is in order heh :)

Diff incoming ;-)

--> D5271

anlambert mentioned this in D5271: django/utils: Get access token renewal date from proper dict field.Mar 17 2021, 6:08 PM
Closed by commit rDWAPPS26e81f330e5b: auth/backends: Fix cache TTL computation for OIDC profile (authored by anlambert). · Explain WhyMar 17 2021, 6:13 PM
This revision was automatically updated to reflect the committed changes.
anlambert added a commit: rDWAPPS26e81f330e5b: auth/backends: Fix cache TTL computation for OIDC profile.

Revision Contents
Changeset List

PathSize
swh/
web/
auth/
2 lines
tests/
auth/
8 lines
4 lines
2 lines

Diff 18885

View Options

swh/web/auth/backends.py

Loading...
View Options

swh/web/tests/auth/keycloak_mock.py

Loading...
View Options

swh/web/tests/auth/sample_data.py

Loading...
View Options

swh/web/tests/auth/test_backends.py

Loading...
About · Developer information · Legal