New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: id_token at_hash matching issue OKTA-417486 #906

Closed

shuowu wants to merge 11 commits into master from sw-fix-idToken-at_hash-matching-issue-OKTA-417486

Contributor

shuowu commented Aug 19, 2021 •

edited

Loading

This PR guarantees idToken (at_hash) can match with accessToken after token auto renew.

codecov-commenter commented Aug 24, 2021 •

edited

Loading

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

Attention: Patch coverage is 91.93548% with 5 lines in your changes missing coverage. Please review.

Project coverage is 91.98%. Comparing base (2020332) to head (18044cf).
Report is 406 commits behind head on master.

Files with missing lines	Patch %	Lines
lib/TokenManager.ts	91.80%	5 Missing ⚠️

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #906      +/-   ##
==========================================
+ Coverage   91.95%   91.98%   +0.03%     
==========================================
  Files         120      120              
  Lines        3392     3407      +15     
  Branches      701      700       -1     
==========================================
+ Hits         3119     3134      +15     
  Misses        273      273

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

shuowu commented

View reviewed changes

test/spec/TokenManager/browser.ts

@@ @@ -229,107 +230,6 @@ describe('TokenManager (browser)', function() { @@
                     setupSync({}, true);
                   });
-                  it('allows renewing an idToken, without renewing accessToken', function() {

Contributor Author

shuowu Aug 24, 2021

moved to e2e

test/spec/TokenManager/browser.ts

-                    });
-                  });
-                  it('allows renewing an accessToken, without renewing idToken', function() {

Contributor Author

shuowu Aug 24, 2021

moved to e2e

test/spec/TokenManager/browser.ts

@@ @@ -547,85 +448,6 @@ describe('TokenManager (browser)', function() { @@
                       });
                     });
                   });
-                  it('automatically renews a token early when local clock offset is considered', function() {

Contributor Author

shuowu Aug 24, 2021

covered in specs/tokenManager/core.ts

test/spec/TokenManager/browser.ts

-                    });
-                  });
-                  it('renews a token early when "expireEarlySeconds" option is considered', function() {

Contributor Author

shuowu Aug 24, 2021

covered in specs/tokenManager/core.ts

test/spec/TokenManager/browser.ts

-                    });
-                  });
-                  it('does not return the token after tokens were cleared before renew promise was resolved', function() {

Contributor Author

shuowu Aug 24, 2021

Removed due to this test does not make sense. As long as the renew process starts, renewed tokens should be added to storage, original storage should not matter.

shuowu commented

View reviewed changes

lib/TokenManager.ts

@@ @@ -54,12 +54,12 @@ export const EVENT_ERROR = 'error'; @@
               interface TokenManagerState {
                 expireTimeouts: Record<string, unknown>;
-                renewPromise: Record<string, Promise<Token>>;
+                renewPromise: Promise<Token>;

Contributor Author

shuowu Aug 24, 2021

This type is not exposed, should be ok to change.

shuowu requested a review from aarongranick-okta

August 24, 2021 15:58

shuowu added 11 commits

August 25, 2021 09:55


          fix: id_token claims.at_hash matching issue

71bb16f


          update e2e config

63e4311


          update e2e config

caeb1c4


          update runner to fail when no finished tasks

fd2bcdf


          test: add e2e for implicit, pkce, refreshTokens

ad8487b

also exposes crypto module from main lib


          update unit tests

2b5f359


          update e2e config

b2cf556


          add test emit renew event (setTokens)

534b031


          changelog

e6f2da6


          allow longer expire time for auto renew e2e

08e5885


          add tests for continuous auto renew

18044cf

also removes authClient env vars

shuowu-okta force-pushed the sw-fix-idToken-at_hash-matching-issue-OKTA-417486 branch from b52375b to 18044cf Compare

August 25, 2021 13:59

aarongranick-okta approved these changes

View reviewed changes

eng-prod-CI-bot-okta pushed a commit that referenced this pull request


          feat: check idToken integrity during auto renew

c04f316

- Checks idToken integrity during token auto renew process
- Enables emitting `renewed` event for `TokenManager.setTokens` method
- Exposes `crypto` util module

OKTA-417486
<<<Jenkins Check-In of Tested SHA: 18044cf for eng_productivity_ci_bot_okta@okta.com>>>
Artifact: okta-auth-js
Files changed count: 15
PR Link: "#906"

eng-prod-CI-bot-okta closed this

jpspringall mentioned this pull request

Change in tokenManager:renew #942

Open

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet