OCPBUGS-52843: Make loginMethod implementations responsible for token reviews
#14859
Conversation
so that each loginMethod can determine how tokens should be reviewed based on how they store token state. Signed-off-by: Bryce Palmer <[email protected]>
openshift-ci-robot
added
jira/severity-critical
|
@everettraven: This pull request references Jira Issue OCPBUGS-52843, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
From test perspective, pre-merge test result of https://issues.redhat.com/browse/OCPBUGS-52843?focusedId=26772156&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-26772156 looks good, the bug is fixed. |
openshift-ci
bot
added
the
qe-approved
|
/jira refresh |
openshift-ci-robot
added
the
jira/valid-bug
|
@everettraven: This pull request references Jira Issue OCPBUGS-52843, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci-robot
removed
the
jira/invalid-bug
|
/assign @TheRealJon |
There was a problem hiding this comment.
@everettraven Thanks for this fix!
I have a couple of ideas:
Could we just use sessions to validate the token for standard OIDC implementation? I didn't implement this part of the code, but IIUC, sessions should only exist for valid user tokens. @liouk might have helped with sessions, and might be able to clarify.
If that's not a valid approach, is there a way that we could just implement a token-getter method on loginMethod, instead of repeating most of the ReviewToken method?
I'm not following. Would you mind elaborating further what you're thinking here?
We certainly could. We could also have a function that is used by each My reasoning for the repetition was strictly for the case of each For example, if we decided we wanted to validate the JWT tokens in the OAuth2 |
If sessions are invalidated on logout and expire at the appropriate time, then they represent a valid user token, although I could see a few scenarios where our sessions could be out of sync with the cluster. So, I think I answered my own question there.
The down side is that we have to keep both current ReviewToken methods in sync with each other if any part of the repeated code gets updated. I like the idea of at least factoring out a shared helper for the repeated logic. That still leaves room for later updates, but DRYs up the current implementation. |
I'll meet you halfway and do that. I've got my own opinions on the DRY stuff, but no reason to go into a philosophical discussion here :) |
…oken method Signed-off-by: Bryce Palmer <[email protected]>
everettraven
force-pushed
the
bugfix/oidc-token-review-failure
branch
from
ac2a99f to
72f53f8
Compare
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: everettraven The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@TheRealJon Update made. Let me know if there is anything else! |
|
/retest-required |
|
@everettraven: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/retest-required |
|
@TheRealJon Bumping this |
In OCPBUGS-52843 it was discovered that the monitoring plugin for console was not present when the
ExternalOIDCfeature is enabled and an external OIDC provider is configured.Upon further investigation, it looked like token reviews were failing based on the console log messages of:
E0310 10:02:30.125150 1 middleware.go:51] TOKEN_REVIEW: 'GET monitoring-plugin/plugin-manifest.json' unauthorized, invalid user token, invalid bearer tokenDigging into the console code showed that the
OAuth2Authenticator.ReviewToken()method was pulling the token from the session token cookie. It seems that when using the OpenShift OAuth server this cookie is the actual access token, but when an external OIDC provider is configured this is a random string that is used as a session identifier for console's backend to map to an access token.This PR fixes this bug by moving the responsibility of reviewing the token to the configured
loginMethod.