-
-
Notifications
You must be signed in to change notification settings - Fork 959
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: update token on login #2428
base: master
Are you sure you want to change the base?
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #2428 +/- ##
==========================================
- Coverage 78.05% 78.03% -0.03%
==========================================
Files 360 360
Lines 25241 25281 +40
==========================================
+ Hits 19703 19728 +25
- Misses 4032 4043 +11
- Partials 1506 1510 +4 ☔ View full report in Codecov by Sentry. |
97e0b8e
to
ad2ca39
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like the commit history somehow got messed up?
ad2ca39
to
82c4bf3
Compare
82c4bf3
to
fb6d6ca
Compare
Agreed, I’m also really keen for this PR |
Hi @aeneasr |
I merged the conflicts :) So that's good now. What I'm a bit concerned about is that this update might break existing credentials. So this needs, IMO, two test cases:
I think we should also add at least one e2e test case to cover this. If you could add those, that'd be wonderful! |
Ok I'll do it |
This is going to be awesome once merged 💯❗️👍🔥 |
Super hyped to see this merged! Any updates on when we will see this completed? I see a formatting pipeline failed |
@aeneasr |
Absolutely, and tests would also need to pass :) |
sure |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would love to see these changes released to kratos
We're experiencing needs for this and it would be a big win to have this PR merged
a18f91d
to
82c4bf3
Compare
c8cb8c7
to
4c14a45
Compare
All it's done |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking pretty good already!
if err := toUpdate.UnmarshalConfig(toUpdate); err != nil { | ||
return err | ||
} | ||
var toUpdateConfig = oidcCredentials | ||
k, found := toUpdateConfig.GetProvider(provider.Config().ID, claims.Subject) | ||
if !found { | ||
// Credentials are not found, we can ignore this. | ||
return nil | ||
} | ||
toUpdateConfig.Providers[k].CurrentIDToken = token.GetIDToken() | ||
toUpdateConfig.Providers[k].CurrentAccessToken = token.GetAccessToken() | ||
toUpdateConfig.Providers[k].CurrentRefreshToken = token.GetRefreshToken() | ||
toUpdate.Config, err = json.Marshal(toUpdateConfig) | ||
return errors.WithStack(err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this code has a few problems:
toUpdate.UnmarshalConfig(toUpdate)
unmarshalls on itself?- To update the identity we are fetching it again (within UpdateCredentials) which will mean + ~200ms for every login. We already have the correct credentials from "FindByCredentials" so let's use that credentials instead.
- Since this adds an update to every login it can increase the login time on some databases by up to 500ms. It would be great if this was behind a feature flag and maybe even per provider (
selfservice.methods.oidc.providers.0.update_tokens_on_login
) - Please add ample tests (maybe move this into a separate function) that ensures that the credentials are correctly updated. If there is a bug, it could break login for every user using social sign in (not saying it has a bug, but tests make sure we don't have any!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- done
- in progress
- in progress
- in progress
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@aeneasr
Can I do the update into a go routine outside the processLogin ?
Like this the login won't be altered
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That probably won't work well, because the request context will be canceled by then, which will lead to a rollback in the transaction. In my view it needs to be part of the request chain
Makefile
Outdated
@@ -9,7 +9,7 @@ export PATH := .bin:${PATH} | |||
export PWD := $(shell pwd) | |||
export BUILD_DATE := $(shell date -u +"%Y-%m-%dT%H:%M:%SZ") | |||
export VCS_REF := $(shell git rev-parse HEAD) | |||
export QUICKSTART_OPTIONS ?= "" | |||
export QUICKSTART_OPTIONS ?= |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
export QUICKSTART_OPTIONS ?= | |
export QUICKSTART_OPTIONS ?= "" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this change is because that raising an issue if this variable is empty
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do I have your ok for this ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, not sure if I understand :) Does this mean the makefile will fail if QUICKSTART_OPTIONS is unset?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes it does, at least on mac
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, then please revert it because the makefile is often called without these options available, for example:
make test
Thanks!
55c91e1
to
b137bf3
Compare
… update-token-on-login
Currently Kratos record the token during the registration and the setting.
If the access_token recorded has expired in the meanwhile or tokens has been revoked it would be useful to update them.
I know in case of expiration we can use the refresh token but not in case of revocation.
Related issue(s)
#1912
Checklist
introduces a new feature.
contributing code guidelines.
vulnerability. If this pull request addresses a security. vulnerability, I
confirm that I got green light (please contact
[email protected]) from the maintainers to push
the changes.
works.
Further Comments