feat: update token on login

[david972]

Currently Kratos record the token during the registration and the setting.

If the access_token recorded has expired in the meanwhile or tokens has been revoked it would be useful to update them.
I know in case of expiration we can use the refresh token but not in case of revocation.

Related issue(s)

#1912

Checklist

• I have read the contributing guidelines.
• I have referenced an issue containing the design document if my change
  introduces a new feature.
• I am following the
  contributing code guidelines.
• I have read the security policy.
• I confirm that this pull request does not address a security
  vulnerability. If this pull request addresses a security. vulnerability, I
  confirm that I got green light (please contact
  [email protected]) from the maintainers to push
  the changes.
• I have added tests that prove my fix is effective or that my feature
  works.
• I have added or changed the documentation.

Further Comments

[codecov]

Codecov Report

Attention: Patch coverage is 71.42857% with 16 lines in your changes are missing coverage. Please review.

Project coverage is 78.03%. Comparing base (696cc1b) to head (b10fdf5).
Report is 7 commits behind head on master.

❗ Current head b10fdf5 differs from pull request most recent head 5cfe3a1. Consider uploading reports for the commit 5cfe3a1 to get more accurate results

Files	Patch %	Lines
selfservice/strategy/oidc/strategy_login.go	53.84%	10 Missing and 2 partials ⚠️
identity/manager.go	75.00%	2 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #2428      +/-   ##
==========================================
- Coverage   78.05%   78.03%   -0.03%     
==========================================
  Files         360      360              
  Lines       25241    25281      +40     
==========================================
+ Hits        19703    19728      +25     
- Misses       4032     4043      +11     
- Partials     1506     1510       +4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[aeneasr]

Looks like the commit history somehow got messed up?

[quickstar]

Really looking forward to this. @david972 this should fix this issue: #2696 right?

[AUSBird]

Agreed, I’m also really keen for this PR
Hope it gets fixed up however it needs and merged soon~

[quickstar]

Hi @aeneasr
Anything which is blocking this PR to get merged?

[aeneasr]

I merged the conflicts :) So that's good now.

What I'm a bit concerned about is that this update might break existing credentials. So this needs, IMO, two test cases:

1. Write an end-to-end test which executes social sign up, then sign in, and checks the tokens
2. Write an end-to-end test which signs up using password, then connects a new social sign in provider, then signs in using social sign in. The account should still be able to sign in using password.

I think we should also add at least one e2e test case to cover this. If you could add those, that'd be wonderful!

[david972]

Ok I'll do it

[tdipadova3rd]

@aeneasr @david972 Any blockers left? Really hoping to use this feature in an upcoming project, and happy to help out!

[david972]

@aeneasr @david972 Any blockers left? Really hoping to use this feature in an upcoming project, and happy to help out!

One more e2e test to do

[quickstar]

This is going to be awesome once merged 💯❗️👍🔥

[quickstar]

@david972, @aeneasr can I help in some regard to get this merged?

[AUSBird]

Super hyped to see this merged! Any updates on when we will see this completed? I see a formatting pipeline failed

[lunar-smh]

@david972, @aeneasr I am really interested in this change. Can I help in any way?

[luflow]

We are also in need of this change - can we contribute in any way? @aeneasr @david972

[david972]

@aeneasr
Hi,
If I do a rebase from master can we expect this PR to be merged ?

[aeneasr]

Absolutely, and tests would also need to pass :)

[david972]

Absolutely, and tests would also need to pass :)

sure
I'm on it

[kriscoleman]

Would love to see these changes released to kratos

We're experiencing needs for this and it would be a big win to have this PR merged

[david972]

All it's done

[aeneasr]

Looking pretty good already!

[aeneasr]

I think this code has a few problems:

1. toUpdate.UnmarshalConfig(toUpdate) unmarshalls on itself?
2. To update the identity we are fetching it again (within UpdateCredentials) which will mean + ~200ms for every login. We already have the correct credentials from "FindByCredentials" so let's use that credentials instead.
3. Since this adds an update to every login it can increase the login time on some databases by up to 500ms. It would be great if this was behind a feature flag and maybe even per provider (selfservice.methods.oidc.providers.0.update_tokens_on_login)
4. Please add ample tests (maybe move this into a separate function) that ensures that the credentials are correctly updated. If there is a bug, it could break login for every user using social sign in (not saying it has a bug, but tests make sure we don't have any!

[david972]

1. done
2. in progress
3. in progress
4. in progress

[david972]

@aeneasr
Can I do the update into a go routine outside the processLogin ?
Like this the login won't be altered

[aeneasr]

That probably won't work well, because the request context will be canceled by then, which will lead to a rollback in the transaction. In my view it needs to be part of the request chain

[aeneasr]

Suggested change

	export QUICKSTART_OPTIONS ?=
	export QUICKSTART_OPTIONS ?= ""

[david972]

this change is because that raising an issue if this variable is empty

[david972]

Do I have your ok for this ?

[aeneasr]

Sorry, not sure if I understand :) Does this mean the makefile will fail if QUICKSTART_OPTIONS is unset?

[david972]

yes it does, at least on mac

[aeneasr]

OK, then please revert it because the makefile is often called without these options available, for example:

make test

Thanks!