Comments (9)
According to the comments on #538 (comment) it was decided to deprecate the DeleteOpenIDConnectSession function because:
Not sure if it makes sense to delete the rows though as it contains info required for refreshing the oidc session
Note that discussion about "rows" is specific to how Hydra chooses to implement the storage interface.
In general, the above is not a true statement about how the fosite storage interfaces work. Note that GetOpenIDConnectSession is only ever called by PopulateTokenEndpointResponse in handler/openid/flow_explicit_token.go. Also note that the PopulateTokenEndpointResponse function only works for authorization code exchanges because the first line of the function returns an error unless the grant type is authorization_code. Therefore, the openid session storage is only ever needed during authorization code exchange, and has no impact on refresh grants.
If Hydra's storage implementation does not want to delete openid session storage during authorization code exchange, it could choose to make its implementation of DeleteOpenIDConnectSession a no-op, rather than deprecating DeleteOpenIDConnectSession.
from fosite.
What about DeleteAccessTokenSession? That also seems to never be called?
See also #798.

@mitar, fosite will call RevokeAccessToken from the TokenRevocationStorage interface instead of calling DeleteAccessTokenSession. I'm not sure of the history or reason behind that, but it has been that way for years.

But that is done only in the memory storage implementation. This is not necessarily done in all storage implementations?

For example, RevokeAccessToken is called by the token endpoint in several cases where the access token should be revoked based upon client actions. It is up to the implementor of the storage interface to cause that function to delete the access token session from storage.
However, I think you are correct that when the access token has expired, nothing in fosite will call the storage interface to tell it that the token has expired. It seems to be up to the implementor of the storage interface to handle garbage collecting old expired sessions without any help from fosite, if I understand correctly.

Conceptually, why is it safe to delete the OIDC session after the authcode is exchanged, but not the regular session? Is this because the regular session is still needed to be able to support refresh tokens?

There's no "regular session" in the fosite storage interfaces. There are CreateAuthorizeCodeSession, CreatePKCERequestSession, CreateOpenIDConnectSession, CreateAccessTokenSession, CreateRefreshTokenSession (and maybe others?).
Each of those session storage types serves a different purpose and has a different lifecycle based on its purpose.
The data stored by CreateOpenIDConnectSession can only be read by calling GetOpenIDConnectSession. The only caller of GetOpenIDConnectSession is during authorization code exchange in flow_explicit_token.go. So if the authorization code exchange is successful, then nobody will ever call GetOpenIDConnectSession for that session ever again, so it is safe to call DeleteOpenIDConnectSession for it.
This lifecycle is approximately the same for the PKCE request session storage. That is also only needed during authcode exchange, and will never be needed again, so it is deleted.
However, this lifecycle is not the same for the other storage types.
Authorize code session storage lives beyond authcode exchange because fosite uses that as a place to store a true/false state that the authcode has already been exchanged. If another client later tries to exchange the same authcode again, fosite wants to treat that as a special case for security reasons.
Access token and refresh token session storage are both used during the refresh grant, so they need to live longer than the OpenID and PKCE session storage.
Is that what you were asking? Hope that helps.

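The lifecycle laid out in the comment above, together with the earlier points in the thread that the token endpoint calls RevokeAccessToken rather than DeleteAccessTokenSession and that expired sessions are only garbage collected if the storage does it itself, as an added example that is not part of the original thread and is not fosite's or Hydra's code. It is a toy in-memory store in Go whose method names echo the fosite storage interfaces but whose signatures are simplified: the Session type stands in for fosite.Requester, ExchangeCode stands in for the token handler, the "at."/"rt." token signatures are placeholders, PKCE verification itself is left out, and revoking the tokens issued from a reused code follows the RFC 6749 section 4.1.2 recommendation rather than anything stated in the thread. All of those are assumptions made for the example.

```go
package main

import (
	"errors"
	"time"
)

// Session stands in for fosite.Requester: a request ID (ties tokens to their exchange) and an expiry.
type Session struct {
	RequestID string
	ExpiresAt time.Time
}

var ErrNotFound = errors.New("session not found")
var ErrCodeReused = errors.New("authorization code already exchanged")

// Store keeps one map per session kind named in the thread. Method names echo the fosite
// storage interfaces but the signatures are simplified; this is an illustration, not fosite.
type Store struct {
	codes   map[string]Session // authorize code sessions, kept after exchange
	used    map[string]bool    // "already exchanged" flag per code
	oidc    map[string]Session // OpenID Connect sessions, keyed by code
	pkce    map[string]Session // PKCE request sessions, keyed by code
	access  map[string]Session // access token sessions, keyed by signature
	refresh map[string]Session // refresh token sessions, keyed by signature
}

func NewStore() *Store {
	return &Store{codes: map[string]Session{}, used: map[string]bool{}, oidc: map[string]Session{},
		pkce: map[string]Session{}, access: map[string]Session{}, refresh: map[string]Session{}}
}

func (s *Store) CreateAuthorizeCodeSession(code string, sess Session) { s.codes[code] = sess }
func (s *Store) CreateOpenIDConnectSession(code string, sess Session) { s.oidc[code] = sess }
func (s *Store) CreatePKCERequestSession(code string, sess Session)   { s.pkce[code] = sess }

func (s *Store) GetOpenIDConnectSession(code string) (Session, error) {
	if sess, ok := s.oidc[code]; ok {
		return sess, nil
	}
	return Session{}, ErrNotFound
}

// Both deletes could equally be no-ops: nothing reads these rows after a successful exchange.
func (s *Store) DeleteOpenIDConnectSession(code string) { delete(s.oidc, code) }
func (s *Store) DeletePKCERequestSession(code string)   { delete(s.pkce, code) }

// InvalidateAuthorizeCodeSession keeps the row and flips the flag so reuse can be recognised.
func (s *Store) InvalidateAuthorizeCodeSession(code string) { s.used[code] = true }

// The token endpoint calls Revoke* rather than DeleteAccessTokenSession; here "revoke" means "delete".
func (s *Store) RevokeAccessToken(requestID string)  { deleteByRequest(s.access, requestID) }
func (s *Store) RevokeRefreshToken(requestID string) { deleteByRequest(s.refresh, requestID) }

func deleteByRequest(m map[string]Session, requestID string) {
	for sig, sess := range m {
		if sess.RequestID == requestID {
			delete(m, sig)
		}
	}
}

// GarbageCollect is what nothing in fosite triggers: expired token sessions only go away if the
// storage sweeps them itself. It returns the number of rows removed.
func (s *Store) GarbageCollect(now time.Time) int {
	n := 0
	for _, m := range []map[string]Session{s.access, s.refresh} {
		for sig, sess := range m {
			if !sess.ExpiresAt.After(now) {
				delete(m, sig)
				n++
			}
		}
	}
	return n
}

// ExchangeCode walks the authorization-code exchange in the order the thread describes.
// The "at."/"rt." token signatures are deterministic placeholders for the example.
func ExchangeCode(s *Store, code string, now time.Time) (string, string, error) {
	codeSess, ok := s.codes[code]
	if !ok {
		return "", "", ErrNotFound
	}
	if s.used[code] { // the code row outlived its exchange precisely for this check
		s.RevokeAccessToken(codeSess.RequestID) // RFC 6749 4.1.2: revoke tokens issued from a reused code
		s.RevokeRefreshToken(codeSess.RequestID)
		return "", "", ErrCodeReused
	}
	if _, err := s.GetOpenIDConnectSession(code); err != nil { // the only reader of the OIDC row
		return "", "", err
	}
	accessSig, refreshSig := "at."+code, "rt."+code
	s.access[accessSig] = Session{RequestID: codeSess.RequestID, ExpiresAt: now.Add(time.Hour)}
	s.refresh[refreshSig] = Session{RequestID: codeSess.RequestID, ExpiresAt: now.Add(24 * time.Hour)}
	s.InvalidateAuthorizeCodeSession(code) // row stays, flag flips
	s.DeleteOpenIDConnectSession(code)     // never read again
	s.DeletePKCERequestSession(code)       // never read again (PKCE verification itself is omitted here)
	return accessSig, refreshSig, nil
}
```

Running ExchangeCode once on a freshly created code leaves the authorize code row in place with its used flag set, removes the OIDC and PKCE rows, and creates one access and one refresh token session; running it a second time with the same code returns ErrCodeReused and deletes both token sessions by request ID, which is why the code row had to survive. Replacing the body of DeleteOpenIDConnectSession with nothing changes none of that, which is the no-op option the first comment describes. GarbageCollect is the one piece no caller in the library would reach for: a storage that never runs something like it keeps expired token rows forever.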
Thanks!

(I am asking those questions in the context of #798.)