STCOR-796 replace x-okapi-token credentials with RTR and cookies #1410
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Move auth tokens into HTTP-only cookies and implement refresh token rotation (STCOR-671) by overriding `global.fetch` and `global.XMLHttpRequest`, disabling login when cookies are disabled (STCOR-762). This functionality is implemented behind an opt-in feature-flag (STCOR-763). The core RTR logic here is largely the same as it was in PR #1346 😬 , though with several important differences: 1. No buggy service-worker 2. Handle `fetch` and `XMLHttpRequest` 3. Disable login if cookies are disabled 4. Everything is opt-in 😌 Not _everything_ in PR #1346 was awful, despite it being reverted in \#1371 😬 . The fundamental difference here is that the global `fetch` and `XMLHttpRequest` functions have been replaced 🤢 by new implementations that handle RTR instead of intercepting such requests via the service-worker proxy. This is not lovely. It is not elegant. It isn't pretty in any way, but it is extremely simple and effective. Certainly, we want to migrate away from it, but given the options we thought it was best choice in the short-term. The options: 1. Centralized fix within stripes-core by fixing the service worker. Let's be honest, I didn't get it right in #1346 and then couldn't get it right in #1361 or #1363 or #1366 or #1369. Why would anybody possibly believe that I could get it right now? 2. Decentralized fix: handle this in each UI-* repository by exporting a new function from stripes and refactoring each UI repo to leverage the new code. Probably not a big refactor, but not a small effort. 3. Centralized fix within stripes-core by overwriting `global.fetch`. Gross, but effective, and long term we can make this a decentralized approach by exporting our new `fetch` function, doing the refactor described in 2 (above), and removing the global-overwrite once all the refactoring is done. In summary: * Replaces #1340. It was gross and I really don't want to talk about it. Let us never mention it again. * Replaces #1346. It was a terrible, horrible, no good, very bad PR. Alexander hated that PR more than lima beans. Additional requirements: * Requires folio-org/stripes-connect#223 * Requires folio-org/stripes-smart-components#1397 * Requires folio-org/stripes-webpack#125 Refs STCOR-671, FOLIO-3627 (cherry picked from commit 0361353)
Okapi and Keycloak do not handle the same situations in the same ways. * When a token is missing: * Okapi sends a 400 text/plain response * Keycloak sends a 401 application/json response * Keycloak authentication includes the extra step of exchanging the OTP for the AT/RT and that request needs the `credentials` and `mode` options * Some `loginServices` functions now retrieve the host the access from the `stripes-config` import instead of a function argument Refs STCOR-796
ryandberger
approved these changes
Jan 30, 2024
aidynoJ
approved these changes
Jan 31, 2024
Like requests to `/bl-users/login-with-expiry`, requests to `/authn/token` must be permitted without a valid AT since it is, itself, part of the request pipeline to receive an AT. `/authn/token` is the endpoint provided by `mod-login-keycloak` to exchange the OTP provided by keycloak for the AT/RT cookies provided by FOLIO.
|
zburke
added a commit
that referenced
this pull request
Mar 28, 2024
Move auth tokens into HTTP-only cookies and implement refresh token rotation (STCOR-671) by overriding global.fetch and global.XMLHttpRequest, disabling login when cookies are disabled (STCOR-762). This functionality is implemented behind an opt-in feature-flag (STCOR-763). Okapi and Keycloak do not handle the same situations in the same ways. Changes from the original implementation in PR #1376: * When a token is missing: * Okapi sends a 400 `text/plain` response * Keycloak sends a 401 `application/json` response * Keycloak authentication includes the extra step of exchanging the OTP for the AT/RT and that request needs the `credentials` and `mode` options * Some `loginServices` functions now retrieve the host the access from the `stripes-config` import instead of a function argument * always permit `/authn/token` requests to go through Refs STCOR-796, STCOR-671 (cherry picked from commit 0361353)
zburke
added a commit
that referenced
this pull request
Mar 28, 2024
Move auth tokens into HTTP-only cookies and implement refresh token rotation (STCOR-671) by overriding global.fetch and global.XMLHttpRequest, disabling login when cookies are disabled (STCOR-762). This functionality is implemented behind an opt-in feature-flag (STCOR-763). Okapi and Keycloak do not handle the same situations in the same ways. Changes from the original implementation in PR #1376: * When a token is missing: * Okapi sends a 400 `text/plain` response * Keycloak sends a 401 `application/json` response * Keycloak authentication includes the extra step of exchanging the OTP for the AT/RT and that request needs the `credentials` and `mode` options * Some `loginServices` functions now retrieve the host the access from the `stripes-config` import instead of a function argument * always permit `/authn/token` requests to go through Refs STCOR-796, STCOR-671 (cherry picked from commit 0361353)
aidynoJ
pushed a commit
that referenced
this pull request
May 6, 2024
Move auth tokens into HTTP-only cookies and implement refresh token rotation (STCOR-671) by overriding global.fetch and global.XMLHttpRequest, disabling login when cookies are disabled (STCOR-762). This functionality is implemented behind an opt-in feature-flag (STCOR-763). Okapi and Keycloak do not handle the same situations in the same ways. Changes from the original implementation in PR #1376: * When a token is missing: * Okapi sends a 400 `text/plain` response * Keycloak sends a 401 `application/json` response * Keycloak authentication includes the extra step of exchanging the OTP for the AT/RT and that request needs the `credentials` and `mode` options * Some `loginServices` functions now retrieve the host the access from the `stripes-config` import instead of a function argument * always permit `/authn/token` requests to go through Refs STCOR-796, STCOR-671 (cherry picked from commit 0361353)
ryandberger
pushed a commit
that referenced
this pull request
May 15, 2024
Move auth tokens into HTTP-only cookies and implement refresh token rotation (STCOR-671) by overriding global.fetch and global.XMLHttpRequest, disabling login when cookies are disabled (STCOR-762). This functionality is implemented behind an opt-in feature-flag (STCOR-763). Okapi and Keycloak do not handle the same situations in the same ways. Changes from the original implementation in PR #1376: * When a token is missing: * Okapi sends a 400 `text/plain` response * Keycloak sends a 401 `application/json` response * Keycloak authentication includes the extra step of exchanging the OTP for the AT/RT and that request needs the `credentials` and `mode` options * Some `loginServices` functions now retrieve the host the access from the `stripes-config` import instead of a function argument * always permit `/authn/token` requests to go through Refs STCOR-796, STCOR-671 (cherry picked from commit 0361353)
zburke
added a commit
that referenced
this pull request
Jun 11, 2024
Move auth tokens into HTTP-only cookies and implement refresh token rotation (STCOR-671) by overriding global.fetch and global.XMLHttpRequest, disabling login when cookies are disabled (STCOR-762). This functionality is implemented behind an opt-in feature-flag (STCOR-763). Okapi and Keycloak do not handle the same situations in the same ways. Changes from the original implementation in PR #1376: * When a token is missing: * Okapi sends a 400 `text/plain` response * Keycloak sends a 401 `application/json` response * Keycloak authentication includes the extra step of exchanging the OTP for the AT/RT and that request needs the `credentials` and `mode` options * Some `loginServices` functions now retrieve the host the access from the `stripes-config` import instead of a function argument * always permit `/authn/token` requests to go through Refs STCOR-796, STCOR-671 (cherry picked from commit 0361353)
zburke
added a commit
that referenced
this pull request
Sep 20, 2024
The time has come. The time is now. `keycloak-eureka` will you please merge now! You can go in a merge commit. You can squash with ease. You can go in a rebase. But please merge. Please! * STCOR-773 #1385: Handle Eureka-based discovery * #1388: handle absent `provides` property on interfaces in Settings > About * STCOR-790 #1389: Pass client-id from stripes-config to keycloak * STCOR-794 #1400: Reset pre-login tenant-selection form when navigating back to it * STCOR-795 #1399: When `users-keycloak` interface is present, use its API for password-reset * STCOR-796 #1410: replace x-okapi-token credentials with RTR and cookies * STCOR-811 #1417: retrieve AT/RT expiration data from `/authn/token` response * STCOR-812 #1416: include `X-Okapi-Tenant` header in call to `/authn/logout` * STCOR-813 #1421: correctly parse `.../_self` permissions * STCOR-810 #1418 #1427 #1429: leverage `stripes-config::config.tenantOptions` in place of deprecated tenant-entitlement values * STCOR-803 #1426: logout immediately, without confirming or redirecting through keycloak * STCOR-816 #1432: only call `/saml/check` when `login-saml` interface is present * STCOR-789 #1442: restore original URL after login * STCOR-820 #1445: optionally retrieve password-reset token from path (or query-string) * STCOR-845 #1462: correctly handle redirect after password-change * STCOR-787 #1487 #1492: retrieve clientId and tenant from stripes-config::config.tenantOptions * STCOR-859 #1489: correctly list UI apps under apps/modules/interfaces column of Settings > About * STCOR-776 #1490: show idle-session modal with countdown timer before logout * STCOR-864 #1498: correctly evaluate `typeof stripes.okapi` * STCOR-865 #1500: call `logout()` exclusively from `/logout*` routes * STCOR-834 #1491`: refactor `useUserTenantPermissions` to switch on `roles` interface presence * STCOR-866 #1502: include `/users-keycloak/_self` in list of authentication-related endpoints * STCOR-867 #1505 #1506: store permission displaynames in redux * STCOR-862 #1503: handle fixed-length-session timeout * STCOR-869 #1513: avoid storing `/logout*` as a return-to URL; ensure `/logout` is called with a valid token * STCOR-872 #1520: return query-keys from `useChunkedCQLFetch()` * STCOR-874 #1521: provide `key` to `<SessionEventContainer>` components * STCOR-873 #1519: `useChunkedCQLFetch()` should use `tenantId` argument when present * STCOR-876 #1526: restore original URL after login (regression of STCOR-789) * STCOR-885 #1531: clear original URL from storage after login-and-redirect * STCOR-889 #1536: include all reference interfaces in optionalOkapiInterfaces I said MERGE and MERGE I meant.... The time had come ... so this branch went.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Move auth tokens into HTTP-only cookies and implement refresh token rotation (STCOR-671) by overriding
global.fetchandglobal.XMLHttpRequest, disabling login when cookies are disabled (STCOR-762). This functionality is implemented behind an opt-in feature-flag (STCOR-763).Okapi and Keycloak do not handle the same situations in the same ways. Changes from the original implementation in PR #1376:
for the AT/RT and that request needs the
credentialsandmodeoptions
loginServicesfunctions now retrieve the host the access fromthe
stripes-configimport instead of a function argumentRefs STCOR-796, STCOR-671