NOISSUE - Remove OAuth2.0 tokens from Magistrala token #2106
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dborovcanin
changed the title
dborovcanin
requested changes
Mar 7, 2024
auth/jwt/tokenizer.go
Outdated
| oauthRefreshTokenField: key.OAuth.RefreshToken, | ||
| }) | ||
|
|
||
| // when issuing an access token, the refresh token is not present and vice versa |
There was a problem hiding this comment.
Make this comment a full sentence.
auth/jwt/tokenizer.go
Outdated
Comment on lines
195
to
198
|
|
||
| // access token and refresh token are not mandatory either of them can be present | ||
| accessToken, _ := claims[oauthAccessTokenField].(string) | ||
| refreshToken, _ := claims[oauthRefreshTokenField].(string) |
There was a problem hiding this comment.
Fix according to the comment. Use only a single token (access or refresh):
if ok {
claims, ok := oauthToken.(pair)
if !ok {
return auth.Key{}, errors.Wrap(ErrParseToken, fmt.Errorf("invalid claims for %s token", provider.Name()))
}
// // access token and refresh token are not mandatory either of them can be present
// accessToken, _ := claims[oauthAccessTokenField].(string)
// refreshToken, _ := claims[oauthRefreshTokenField].(string)\
switch claims.key {
case oauthAccessTokenField:
if err := provider.Validate(ctx, claims.value)Also, fix the messy switch, since both cases do almost the same. Validation should inspect the error, since fallback to refresh may not make sense in some scenarios (revoked access, for example).
dborovcanin
force-pushed
the
split-oauth-token
branch
from
20e15f0 to
9ada86b
Compare
dborovcanin
reviewed
Mar 7, 2024
auth/jwt/tokenizer.go
Outdated
|
|
||
| // when issuing an access token, the refresh token is not present and vice versa | ||
| if key.OAuth.AccessToken != "" && key.OAuth.RefreshToken == "" { | ||
| builder.Claim(provider.Name(), map[string]interface{}{ |
There was a problem hiding this comment.
Why don't we make this a map[string]string or a struct:
type pair struct {
key string
value string
}So we have:
if key.OAuth.AccessToken != "" && key.OAuth.RefreshToken == "" {
builder.Claim(provider.Name(), pair{
key: oauthAccessTokenField,
value: key.OAuth.AccessToken,
})
}
if key.OAuth.AccessToken == "" && key.OAuth.RefreshToken != "" {
builder.Claim(provider.Name(), pair{
key: oauthRefreshTokenField,
value: key.OAuth.RefreshToken,
})
}
rodneyosodo
force-pushed
the
split-oauth-token
branch
from
9ada86b to
8a9c14c
Compare
dborovcanin
requested changes
Mar 7, 2024
rodneyosodo
force-pushed
the
split-oauth-token
branch
2 times, most recently
from
fee6c98 to
8025bf3
Compare
rodneyosodo
changed the title
rodneyosodo
force-pushed
the
split-oauth-token
branch
from
6e94aee to
d4022a5
Compare
dborovcanin
force-pushed
the
split-oauth-token
branch
from
d4022a5 to
231bd84
Compare
rodneyosodo
force-pushed
the
split-oauth-token
branch
2 times, most recently
from
4be7f43 to
e8dad89
Compare
Refactor code to enhance parsing of OAuth tokens, validate them with the provider and refresh if needed. Handle errors related to token issuance and update user's tokens. When issuing access token we don't need OAuth2.0 refresh token embedded inside it and vice versa. Signed-off-by: Rodney Osodo <28790446+rodneyosodo@users.noreply.github.com>
Signed-off-by: Rodney Osodo <28790446+rodneyosodo@users.noreply.github.com>
Signed-off-by: Rodney Osodo <28790446+rodneyosodo@users.noreply.github.com>
Signed-off-by: Rodney Osodo <28790446+rodneyosodo@users.noreply.github.com>
Signed-off-by: rodneyosodo <blackd0t@protonmail.com>
rodneyosodo
force-pushed
the
split-oauth-token
branch
from
e8dad89 to
0e8a8dd
Compare
dborovcanin
requested changes
Mar 14, 2024
users/service.go
Outdated
| OauthAccessToken: token.AccessToken, | ||
| OauthRefreshToken: token.RefreshToken, | ||
| UserId: rclient.ID, | ||
| Type: 0, |
There was a problem hiding this comment.
Use constant/enum instead of literal.
Signed-off-by: Rodney Osodo <28790446+rodneyosodo@users.noreply.github.com>
dborovcanin
approved these changes
Mar 14, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
This is a refactor PR because it refactors how OAuth2.0 works in relation to magistrala
What does this do?
Removes OAuth2.0 tokens from magistrala token
Which issue(s) does this PR fix/relate to?
No issue
Have you included tests for your changes?
Yes, I have included tests for my changes and tested them manually.
Did you document any new/modified feature?
Yes, I have added comments to the code.
Notes
Demo https://jam.dev/c/84106a0d-f6a1-43b4-92af-23d7db977041
Explanation
From https://datatracker.ietf.org/doc/html/rfc6749#section-1.4
We only use this token once when accessing identity provider to fetch user details during registration or signup