claims: add SessionID to known claims #205

AlexCuse · 2023-04-18T15:51:06Z

marshaled to 'sid' JWT claim https://www.iana.org/assignments/jwt/jwt.xhtml#claims

cainlevy

Looks like a good direction to me!

cainlevy · 2023-04-18T16:48:42Z

app/tokens/identities/identity.go

@@ -43,6 +43,7 @@ func New(cfg *app.Config, session *sessions.Claims, accountID int, audience stri
 			Audience: jwt.Audience{audience},
 			Expiry:   jwt.NewNumericDate(time.Now().Add(cfg.AccessTokenTTL)),
 			IssuedAt: jwt.NewNumericDate(time.Now()),
+			ID:       session.ID,


I looked through https://www.iana.org/assignments/jwt/jwt.xhtml#claims to see if any well-known claims would be a good fit. What do you think of sid?

I like it kind of surprised ID in the jwt package doesn't end up there but that was mostly just my prior ignorance of this document :)

Followed same pattern as AuthTime in this commit: 219ca73

I will open PR in the go client with same - and put a comment about the embed with a link to the file here 😄

cainlevy · 2023-04-18T16:50:56Z

app/tokens/sessions/session.go

@@ -70,6 +71,7 @@ func New(store data.RefreshTokenStore, cfg *app.Config, accountID int, authorize
 			Subject:  string(refreshToken),
 			Audience: jwt.Audience{cfg.AuthNURL.String()},
 			IssuedAt: jwt.NewNumericDate(time.Now()),
+			ID:       uuid.NewString(),


UUID is also my preference. 👍

AlexCuse · 2023-04-18T20:08:43Z

moving original description here to make room for something merge worthy:

We are building MFA into our system that runs alongside authn-server and looking to deal with session refreshes. I was planning to submit a PR with an optional webhook notification that includes the old and new token values but in the process I noticed that ID in the token claims is unused - I think if we assign a value on session creation and then thread it through on refresh, we could achieve the same thing on our end without the additional call (just cache MFA status per ID instead of per token).

Open to suggestion on other ways to assign a unique ID instead of bringing in the UUID package, that felt heavy handed but wanted to get discussion on the approach started quickly. If this seems viable I will look to harden in general, if I am missing something I can go back to the webhook notification path.

cainlevy

Thanks!

AlexCuse · 2023-04-19T00:37:52Z

I added a test for session creation / parsing at least. Let me know if you have any tips on setup for TestSessionRefresher - just need to setup properly to parse the generated token and validate it carries through.

Also squashed down to a single commit to prep for merge.

cainlevy · 2023-04-19T00:58:25Z

app/services/session_refresher_test.go

@@ -41,6 +42,8 @@ func TestSessionRefresher(t *testing.T) {
 		assert.NoError(t, err)
 		assert.NotEmpty(t, identityToken)

+		// TODO: parse token and validate SessionID still set - what setup is needed?


have a look in server/test/asserts.go at AssertIDTokenResponse. i doubt it will be useful in whole, but it should provide an example of parsing and asserting on the JWT.

Ah that's nice I was trying to think of how to use the key setup for key store, didn't think to go at it through JWT library directly. Will give a go hopefully one more force push.

Need to spend a little time tomorrow to build a docker image locally but the change itself feels very straightforward don't anticipate any problems as long as we deploy the client change with our MFA stuff.

Yup that worked perfectly thanks - just force pushed the last test update.

cainlevy · 2023-04-19T20:04:49Z

Released in v1.16.0

cainlevy reviewed Apr 18, 2023

View reviewed changes

AlexCuse mentioned this pull request Apr 18, 2023

claims: add SessionID to known claims keratin/authn-go#23

Merged

AlexCuse marked this pull request as ready for review April 18, 2023 18:35

AlexCuse changed the title ~~session: assign ID and carry in claims on refresh~~ session: add ID Apr 18, 2023

AlexCuse changed the title ~~session: add ID~~ session: add SessionID to known claims Apr 18, 2023

AlexCuse changed the title ~~session: add SessionID to known claims~~ claims: add SessionID to known claims Apr 18, 2023

cainlevy approved these changes Apr 18, 2023

View reviewed changes

cainlevy reviewed Apr 19, 2023

View reviewed changes

session: assign ID and carry in claims on refresh

7a14cf6

cainlevy approved these changes Apr 19, 2023

View reviewed changes

cainlevy merged commit daf90eb into keratin:main Apr 19, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

claims: add SessionID to known claims #205

claims: add SessionID to known claims #205

AlexCuse commented Apr 18, 2023 •

edited

Loading

cainlevy left a comment

cainlevy Apr 18, 2023

AlexCuse Apr 18, 2023 •

edited

Loading

cainlevy Apr 18, 2023

AlexCuse commented Apr 18, 2023

cainlevy left a comment

AlexCuse commented Apr 19, 2023

cainlevy Apr 19, 2023

AlexCuse Apr 19, 2023

AlexCuse Apr 19, 2023

cainlevy commented Apr 19, 2023

claims: add SessionID to known claims #205

claims: add SessionID to known claims #205

Conversation

AlexCuse commented Apr 18, 2023 • edited Loading

cainlevy left a comment

Choose a reason for hiding this comment

cainlevy Apr 18, 2023

Choose a reason for hiding this comment

AlexCuse Apr 18, 2023 • edited Loading

Choose a reason for hiding this comment

cainlevy Apr 18, 2023

Choose a reason for hiding this comment

AlexCuse commented Apr 18, 2023

cainlevy left a comment

Choose a reason for hiding this comment

AlexCuse commented Apr 19, 2023

cainlevy Apr 19, 2023

Choose a reason for hiding this comment

AlexCuse Apr 19, 2023

Choose a reason for hiding this comment

AlexCuse Apr 19, 2023

Choose a reason for hiding this comment

cainlevy commented Apr 19, 2023

AlexCuse commented Apr 18, 2023 •

edited

Loading

AlexCuse Apr 18, 2023 •

edited

Loading