OpenId Connect integration #147

Merged
merged 6 commits into from
Jan 12, 2024
Conversation

timonegk
Member

No description provided.

Review comment on bitpoll/base/openid.py (outdated, resolved)

@Akasch
Member

Akasch commented Dec 15, 2023

I see caching for the Auth-Tokens: is it checked to revoke the tokens if the user changes their password or performs a logout on the central SSO?

@lilioid
Member

lilioid commented Dec 15, 2023

I see caching for the Auth-Tokens: is it checked to revoke the tokens if the user changes their password or performs a logout on the central SSO?

Those are tokens not issued for a user but to the application itself (sometimes it's called service account authentication). There is no user involved who can change their password.

@Akasch
Member

Akasch commented Dec 15, 2023

I haven't looked into it, but I quite often see that a logout on the central SSO platform or a password change there does not invalidate active sessions in the applications that have an ongoing session for the user. This leads to the problem that if the user's password is stolen and the attacker has authenticated, the user cannot invalidate existing sessions.

@timonegk
Member Author

As Finn said, the caching here is only about bitpoll's token required to request the users in a group.

However, your point about SSO login is probably still valid. @ftsell do you know how we handle that or if we should change something in the simple_openid_connect library to make sure that a token is still valid?

@lilioid
Member

lilioid commented Dec 15, 2023

However, your point about SSO login is probably still valid. @ftsell do you know how we handle that or if we should change something in the simple_openid_connect library to make sure that a token is still valid?

Hmm good question 🤔
I haven't verified this extensively but what I think is happening is that the mechanism here is two-fold:

  • The identity provider may send an application a logout notification whenever it chooses, e.g. when a user changes their password. This is entirely up to the idp though, and I don't know if keycloak sends those logout notifications when a user changes their password. The receipt of these notifications is implemented in simple_openid_connect (technically only for frontchannel logout notifications) but also needs to be configured in keycloak.
  • The access tokens handed out from keycloak are intentionally short lived and if a session is invalid, the retrieval of a new access token from the long-lived refresh token does not succeed.
    This is currently not validated at all in simple_openid_connect and yes, I think we should implement it. I have created a corresponding issue: Validate session validity in django integration after login py_simple_openid_connect#10
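
The two mechanisms discussed in this thread, as an added example that is not part of the PR or of simple_openid_connect: a cache for the application's own client_credentials token that honours the IdP's `expires_in`, and a session probe that redeems the user's refresh token and treats `invalid_grant` as the signal to end the local Django session. The token endpoint is a constructed stand-in, and the client id, secret and token values are made up.

```python
import time
from typing import Callable, Optional, Tuple

# A token endpoint is modelled as: form params -> (HTTP status, JSON body).
TokenEndpoint = Callable[[dict], Tuple[int, dict]]

class ClientTokenCache:
    """Caches bitpoll's own client_credentials token (no user session involved)
    and fetches a fresh one shortly before the announced expires_in runs out."""
    def __init__(self, endpoint: TokenEndpoint, client_id: str, client_secret: str,
                 skew: int = 30, clock: Callable[[], float] = time.monotonic):
        self._endpoint, self._clock, self._skew = endpoint, clock, skew
        self._creds = {"grant_type": "client_credentials",
                       "client_id": client_id, "client_secret": client_secret}
        self._token, self._expires_at = None, 0.0

    def get(self) -> str:
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            status, body = self._endpoint(self._creds)
            if status != 200:
                raise RuntimeError(f"client token request failed: {body.get('error')}")
            self._token = body["access_token"]
            self._expires_at = self._clock() + int(body["expires_in"])
        return self._token

def session_still_valid(endpoint: TokenEndpoint, client_id: str, client_secret: str,
                        refresh_token: str) -> Optional[dict]:
    """Redeems the user's refresh token (RFC 6749 section 6). Returns the new token
    set while the IdP session is alive; None on invalid_grant, i.e. log the user out."""
    status, body = endpoint({"grant_type": "refresh_token", "refresh_token": refresh_token,
                             "client_id": client_id, "client_secret": client_secret})
    if status == 200 and "access_token" in body:
        return body
    if status == 400 and body.get("error") == "invalid_grant":
        return None
    raise RuntimeError(f"unexpected token endpoint reply: {status} {body}")

# Constructed stand-in for the IdP token endpoint. LIVE_SESSIONS maps refresh
# tokens to users whose SSO session is still active; pop one to simulate logout.
LIVE_SESSIONS = {"rt-alice": "alice"}

def fake_endpoint(params: dict) -> Tuple[int, dict]:
    if params["grant_type"] == "client_credentials":
        return 200, {"access_token": "app-token", "token_type": "Bearer", "expires_in": 300}
    user = LIVE_SESSIONS.get(params.get("refresh_token"))
    if user is None:
        return 400, {"error": "invalid_grant", "error_description": "Session not active"}
    return 200, {"access_token": f"at-{user}", "refresh_token": params["refresh_token"],
                 "token_type": "Bearer", "expires_in": 60}
```

A real deployment would call this probe from the Django session middleware on each request, or at least on a timer, since only the refresh attempt reveals that the SSO session has ended.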

@timonegk timonegk merged commit 81fe0d9 into master Jan 12, 2024
@timonegk timonegk deleted the openid_connect branch January 12, 2024 16:29