Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ensure user authentication sessions are independent #364

Merged
merged 5 commits into from
Oct 12, 2023
Merged

Ensure user authentication sessions are independent #364

merged 5 commits into from
Oct 12, 2023

Conversation

esune
Copy link
Member

@esune esune commented Oct 12, 2023

Resolves #362

Previously, the user authentication sessions was always leaning on the same "fake user" in the Userinfo database to store data temporarily. This lead to issues when multiple concurrent authentication requests were attempted: data from a user authentication session would pollute other user authentication sessions, leaking information.

The fix involved:

  • defining a custom VCUserinfo class that overrides the methods in Userinfo responsible for returning data
  • ensuring each authentication request is associated with a new, random user identifier to prevent polluting existing data
  • in order to support both scenarios were the proof defines/doesn't define a subject_identifier, the generation of the claims object was updated to only include the sub claim if the proof-request defines one, and ensuring the token endpoint accounts for the custom sub, if present.

@esune
Use custom VCUserinfo as stateless user database
c337531 
Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
@esune
Only add sub to claims if proof-request specifies one
3b84357 
Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
@esune
Ensure each auth requests refers to a new user, use custom sub when i…
5d326dc 
…ssuing token

Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
@esune
Update tests to match new claim structure
f4db88b 
Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
@esune esune requested review from Jsyro and jamshale October 12, 2023 21:40
@esune
Update launch.json example to support library debugging
c56143a 
Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
jamshale
jamshale approved these changes Oct 12, 2023
View reviewed changes
Copy link
Contributor

@jamshale jamshale left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd need to study this more to fully understand why the problem occurred.

It looks like you know what you're doing though 👍

@esune
Copy link
Member Author

esune commented Oct 12, 2023

I'd need to study this more to fully understand why the problem occurred.

It looks like you know what you're doing though 👍

Added two notes to try and clarify, but I am confident this is the right approach. It definitely was painful to figure out what the underlying library was doing 😅

@esune esune merged commit 3b493c1 into bcgov:2.0-development Oct 12, 2023
2 checks passed
@esune esune deleted the fix/subject-identifier branch October 12, 2023 22:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jamshale jamshale jamshale approved these changes

@Jsyro Jsyro Awaiting requested review from Jsyro

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@esune @jamshale