Revoke tokens when code is reused #1152
Conversation
spring-projects-issues
added
the
status: waiting-for-triage
|
Thanks for the PR @neochae1. I'd like to better understand the main use cases you require for custom validation.
The token is invalidated if another client attempted to use it. See this line.
The |
jgrandja
added
status: waiting-for-feedback
|
Not different client, If an authorization code is used multiple times with same client, the current implementation will reject the request with an "INVALID_GRANT" error because the code has already been invalidated. The specification recommends that all previously issued tokens based on that authorization code should be revoked when possible, as the code may have been used in an unusual or potentially exploitative manner. redirect_uri is is already validated as you mentiond. |
spring-projects-issues
added
status: feedback-provided
Yes, the specification recommends this (noted SHOULD) but it does not state MUST:
IMO, a client attempting to use the
However, I decided not to implement:
because it is a recommendation only and I felt it was too restrictive to invalidate the tokens for the same authenticated client. However, I could be convinced to enhance the existing implementation to align with the recommendation if you can provide a scenario (or test) that would support the recommendation?
I'm not sure I understand? What I'm looking for is a specific validation scenario that may be needed to enhance security. FYI, I'm not against exposing a custom validator hook, but we need to verify concrete use cases where this would be used, otherwise the API might not be used that often. Furthermore, we prefer issues being logged first to see if there is demand for a specific feature before we accept/merge a PR. Since you submitted the PR first, we will consider it, but we need to verify the concrete use cases where this may be used. |
|
We are currently preparing for OpenID Certification. In the Base OP Profile, "Should" items in the Spec are categorized as Fail or Warning items. We are working on modifying the Revoking-related item in the "oidcc-codereuse-30seconds" test item, which is currently categorized as a Warning. TC checks wether access token was revoked or not after duplicated using code. As you mentioned, this modification could be seen as a client-side error, but if we view it more aggressively, it could be seen as an error leading to token invalidation due to code leakage. Therefore, instead of directly including the code of the "SHOULD" item in the library code, we submitted a PR to add a customizable validator. |
|
@neochae1 Thanks for the explanation. I now have a better understanding for the motivation of this change. I certainly want to help to get your product certified. However, I'm still not convinced that exposing an
This would allow the conformance test to pass so you can move forward. Does this work for you? |
|
Thanks, @neochae1 , for explanation. |
|
This PR was written to enable a custom validator, Are you suggesting that the PR includes the necessary configuration?
Custom validator can work like below,
Fail logs(original) Success logs with custom validator Code Snippet |
|
@neochae1 Apologies, as I don't think I was clear with my proposal:
As mentioned, I'm not convinced exposing an
Steps 4 and 5 as you noted:
Makes sense? |
jgrandja
added
type: enhancement
Spec: If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all access tokens and refresh tokens previously issued based on that authorization code.
|
@jgrandja With this change conformance test pass without any warning. |
jgrandja
changed the title
| @@ -306,4 +312,23 @@ private SessionInformation getSessionInformation(Authentication principal) { | |||
| return sessionInformation; | |||
| } | |||
|
|
|||
| private void invalidateAuthorizationTokens(OAuth2Authorization authorization) { | |||
There was a problem hiding this comment.
Can you try to integrate this logic into OAuth2AuthenticationProviderUtils.invalidate() so we can isolate the logic in one spot?
There was a problem hiding this comment.
It is difficult to merge the added logic with the existing one, since the existing "invalidate()" method invalidates a single token, typically an authorization code or a refresh token, and sometimes invalidates access tokens or authorization codes in addition to the refresh token.
Our requirement is to invalidate both access tokens and refresh tokens. Therefore, integrating the added logic with the existing "invalidate()" method is not feasible. Instead, we created a new method called "invalidateAuthorizationTokens()" that invalidates two types of tokens.
There was a problem hiding this comment.
Our requirement is to invalidate both access tokens and refresh tokens. Therefore, integrating the added logic with the existing "invalidate()" method is not feasible.
The addition of the following should work?
static <T extends OAuth2Token> OAuth2Authorization invalidate(
OAuth2Authorization authorization, T token) {
OAuth2Authorization.Builder authorizationBuilder = OAuth2Authorization.from(authorization)
.token(token,
(metadata) ->
metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true));
if (OAuth2AuthorizationCode.class.isAssignableFrom(token.getClass())) {
// TODO Invalidate access token (if available)
// TODO Invalidate refresh token (if available)
}
return authorizationBuilder.build();
}There was a problem hiding this comment.
It might work, but modifying invalidate() could cause it to lose its original functionality of invalidating a single token
For example, there may be code where invalidate() should only invalidate one token without affecting any other tokens in the sequence.
There was a problem hiding this comment.
@jgrandja
What do you think about my opinion regarding the requested modification for invalidate()?
There was a problem hiding this comment.
modifying invalidate() could cause it to lose its original functionality of invalidating a single token
There are existing test cases that would fail if the current logic was changed incorrectly. I believe enhancing the logic will work for this additional use case. Please give it a try. My preference is to keep the logic in one spot.
There was a problem hiding this comment.
@jgrandja
Please review code.
I have merged the logic for invalidating tokens into the existing invalidate().
Also, I have relocated the logic for invalidating the code to the builder creation process for success scenario.
There was a problem hiding this comment.
@jgrandja
Please provide additional review feedback regarding the content you revised based on the method you proposed.
| @@ -149,6 +149,12 @@ public Authentication authenticate(Authentication authentication) throws Authent | |||
| } | |||
|
|
|||
| if (!authorizationCode.isActive()) { | |||
| if (authorizationCode.isInvalidated()) { | |||
| invalidateAuthorizationTokens(authorization); | |||
There was a problem hiding this comment.
Please add a test for this case.
There was a problem hiding this comment.
I added logic to an existing test case to verify whether the access and refresh tokens have been invalidated.
(authenticateWhenInvalidatedCodeThenThrowOAuth2AuthenticationException)
|
Thanks for the updates @neochae1. After reviewing the changes, I was able to simplify the logic so I went ahead and applied the changes. This is now merged. |
|
Thank you for your code review and advice. Thanks. |
* Update to io.spring.javaformat:spring-javaformat-checkstyle:0.0.35 Closes spring-projectsgh-1089 * Update to jackson-bom:2.14.2 Closes spring-projectsgh-1090 * Update to junit-jupiter:5.9.2 Closes spring-projectsgh-1091 * Release 1.0.1 * Next Development Version * Update to Spring Security 6.1.0-M1 Closes spring-projectsgh-1093 * Update to nimbus-jose-jwt:9.30.2 Closes spring-projectsgh-1094 * Update to assertj-core:3.24.2 Closes spring-projectsgh-1095 * Update to mockito-core:4.11.0 Closes spring-projectsgh-1096 * Release 1.1.0-M1 * Next Development Version * Add user property to deploy_docs workflow * Fix broken support link Closes spring-projectsgh-1092 * Fix client secret encoding when client dynamically registered Closes spring-projectsgh-1056 * Polish spring-projectsgh-1056 * Allow PasswordEncoder to be configured in OidcClientRegistrationAuthenticationProvider Issue spring-projectsgh-1056 * Upgrade client secret when available Closes spring-projectsgh-1099 * Polish spring-projectsgh-1105 * Add support for OAuth 2.0 Device Authorization Grant Closes spring-projectsgh-44 * Switch to spring-security SNAPSHOT dependencies Issue spring-projectsgh-44 * Use spring-security 6.1 in snapshot tests Issue spring-projectsgh-1106 * Update to actions/checkout@v3 Closes spring-projectsgh-1117 * Use spring-io/spring-gradle-build-action Closes spring-projectsgh-1120 * Use spring-io/spring-gradle-build-action Closes spring-projectsgh-1120 * Revert accidental change in versions Issue spring-projectsgh-1120 * Polish spring-projectsgh-1106 * Update to Spring Framework 6.0.7 Closes spring-projectsgh-1130 * Update to Spring Security 1.1.0-M2 Closes spring-projectsgh-1131 * Update to nimbus-jose-jwt:9.31 Closes spring-projectsgh-1132 * Update to Spring Framework 6.0.7 in buildSrc Issue spring-projectsgh-1130 * Release 1.1.0-M2 * Next Development Version * Polish spring-projectsgh-1106 Device Authorization Grant * Avoid persisting client principal in device authorization request Issue spring-projectsgh-1106 * Polish spring-projectsgh-1068 Issue spring-projectsgh-1077 * Add OidcLogoutAuthenticationToken.isPrincipalAuthenticated() Issue spring-projectsgh-1077 * Ensure ID Token is active before processing logout request Issue spring-projectsgh-1077 * Allow localhost in redirect_uri Closes spring-projectsgh-651 * Fix refresh token error code INVALID_CLIENT to INVALID_GRANT Closes spring-projectsgh-1139 * Do not require authorizationRequest for device grant Issue spring-projectsgh-1127 * Add tests for OAuth 2.0 Device Authorization Grant This commit adds tests for the following components: * AuthenticationConverters * AuthenticationProviders * Endpoint Filters Issue spring-projectsgh-44 Closes spring-projectsgh-1127 * JDBC device_code authorization Issue spring-projectsgh-1156 * Polish spring-projectsgh-1143 * Add tests and update examples in docs Closes spring-projectsgh-1156 * Polish ref-doc Issue spring-projectsgh-1156 * Add customization to support public clients for device grant Issue spring-projectsgh-1157 * Polish samples Closes spring-projectsgh-1157 * Add documentation for OAuth 2.0 Device Authorization Grant Closes spring-projectsgh-1158 * Polish spring-projectsgh-1127 * Polish spring-projectsgh-1158 * Add documentation for OpenID Connect 1.0 Logout Endpoint Closes spring-projectsgh-1069 * Update Stack Overflow tag to spring-authorization-server * Update to Spring Framework 5.3.27 Closes spring-projectsgh-1162 * Update to Spring Security 5.8.3 Closes spring-projectsgh-1163 * Update to io.spring.javaformat:spring-javaformat-checkstyle:0.0.38 Closes spring-projectsgh-1164 * Update to Spring Framework 6.0.8 Closes spring-projectsgh-1165 * Update to Spring Security 6.0.3 Closes spring-projectsgh-1166 * Update to io.spring.javaformat:spring-javaformat-checkstyle:0.0.38 Closes spring-projectsgh-1167 * Update to Spring Framework 6.0.8 Closes spring-projectsgh-1168 * Update to Spring Security 6.1.0-RC1 Closes spring-projectsgh-1169 * Update to io.spring.javaformat:spring-javaformat-checkstyle:0.0.38 Closes spring-projectsgh-1170 * Update to json-path:2.8.0 Closes spring-projectsgh-1171 * Release 0.4.2 * Next Development Version * Release 1.0.2 * Next Development Version * Release 1.1.0-RC1 * Next Development Version * Update to org.jfrog.buildinfo:build-info-extractor-gradle:4.29.0 Closes spring-projectsgh-1175 * Apply ArtifactoryPlugin to SpringRootProjectPlugin Closes spring-projectsgh-1177 * Fix artifact build properties for Artifactory - Apply SpringArtifactoryPlugin in SpringRootProjectPlugin (which applies ArtifactoryPlugin) - In SpringArtifactoryPlugin don't set publication if MavenPublishPlugin is not applied Closes spring-projectsgh-1179 * Add test for dynamic client registration with custom metadata Issue spring-projectsgh-1172 * Add logout success page to default client sample Sample client (located in 'samples/messages-client' directory) is configured with a custom logout success page where the end-user is redirected to upon successful logout action. Fixes spring-projectsgh-1142 * Add sample featured-authorizationserver Issue spring-projectsgh-1189 * Merge custom-consent-authorizationserver into featured-authorizationserver Issue spring-projectsgh-1189 * Merge federated-identity-authorizationserver into featured-authorizationserver Issue spring-projectsgh-1189 * Update io.spring.ge.conventions plugin to 0.0.13 Closes spring-projectsgh-1190 * Update spring-asciidoctor-backends to 0.0.5 Closes spring-projectsgh-1192 * Merge device-grant-authorizationserver into featured-authorizationserver Issue spring-projectsgh-1189 * Merge device-client into messages-client Issue spring-projectsgh-1189 * Use custom consent page for device code flow Issue spring-projectsgh-1189 * Use current authentication for device authorization Issue spring-projectsgh-1189 * Reuse error handling Issue spring-projectsgh-1189 * Handle web client response error Issue spring-projectsgh-1189 * Update @SInCE * Rename featured-authorizationserver to demo-authorizationserver Issue spring-projectsgh-1189 * Rename messages-client to demo-client Issue spring-projectsgh-1189 * Update sample README Issue spring-projectsgh-1189 * Add integration tests for device grant Issue spring-projectsgh-1116 * Update web ui design for demo-client Issue spring-projectsgh-1196 * Polish web ui design for demo-client Issue spring-projectsgh-1196 * Update web ui design for demo-authorizationserver Issue spring-projectsgh-1196 * Polish web ui design for demo-client Issue spring-projectsgh-1196 * Polish demo sample Issue spring-projectsgh-1189 * Update to Spring Boot 3.1.0-RC1 Closes spring-projectsgh-1198 * Refresh Getting Started example Closes spring-projectsgh-1186 * Use Spring Boot starter in samples Closes spring-projectsgh-1187 * Invalidate tokens previously issued when code is reused Closes spring-projectsgh-1152 * Polish spring-projectsgh-1152 * Add How-to: Authenticate using Social Login Closes spring-projectsgh-538 * Add How-to: Authenticate using a Single Page Application with PKCE Closes spring-projectsgh-539 * Hash the sid claim in the ID Token Closes spring-projectsgh-1207 * Simplified federated login in demo sample Closes spring-projectsgh-1208 * Polish spring-projectsgh-1186 * Polish spring-projectsgh-538 * Remove FederatedIdentityConfigurer from demo sample Issue spring-projectsgh-1208 * Update exception handling config in ref-doc Closes spring-projectsgh-1205 * Update exception handling config in samples Closes spring-projectsgh-1204 * Polish ref-doc Issue spring-projectsgh-1205 * Polish tests * Add How-to: Implement an Extension Authorization Grant Type Closes spring-projectsgh-686 * Update to Spring Framework 6.0.9 Closes spring-projectsgh-1213 * Update to Spring Security 6.1.0 Closes spring-projectsgh-1214 * Update to jackson-bom 2.15.0 Closes spring-projectsgh-1215 * Update to junit-jupiter 5.9.3 Closes spring-projectsgh-1216 * Release 1.1.0 * Next Development Version * Revert serialVersionUID to 0.4.0 Closes spring-projectsgh-1218 * Revert serialVersionUID to 1.0.0 Closes spring-projectsgh-1219 * Revert serialVersionUID to 1.1.0 Closes spring-projectsgh-1220 * Exclude project dependency from spring-boot-dependencies Closes spring-projectsgh-1228 * Update to Spring Boot 3.1.0 * Update com.gradle.enterprise plugin to 3.13.3 Closes spring-projectsgh-1234 Issue spring-projectsgh-1231 * Prepare for automated validation scripts See https://github.com/gradle/gradle-enterprise-build-validation-scripts/blob/main/Gradle.md Issue spring-projectsgh-1231 * ID Token contains sid claim after refresh_token grant Closes spring-projectsgh-1224 * Use substring instead of replaceFirst in OAuth2AuthorizationConsent Closes spring-projectsgh-1222 * Validate authorized principal instead of sub during logout Closes spring-projectsgh-1235 * Revert "Prepare for automated validation scripts" This reverts commit ece9f10. Issue spring-projectsgh-1231 * Add debug log entries Closes spring-projectsgh-1245 Closes spring-projectsgh-1246 Closes spring-projectsgh-1247 Closes spring-projectsgh-1248 * Polish additional logging Issue spring-projectsgh-1245, spring-projectsgh-1246, spring-projectsgh-1247, spring-projectsgh-1248 * Enable caching of :asciidoctor gradle task * Use direct code import Issue spring-projectsgh-1231 * Next Minor Version * Fix NPE on access token in OAuth2AuthorizationCodeAuthenticationProvider Closes spring-projectsgh-1233 * Polish spring-projectsgh-1233 * Fix to save all values for multi-valued request parameters Fixes spring-projectsgh-1250 * Polish spring-projectsgh-1252 * Fix to save all values for multi-valued device grant parameters Fixes spring-projectsgh-1269 * Polish spring-projectsgh-1252 * Update to Spring Framework 5.3.28 Closes spring-projectsgh-1272 * Update to Spring Security 5.8.4 Closes spring-projectsgh-1273 * Update to jackson-bom 2.14.3 Closes spring-projectsgh-1274 * Update to Spring Framework 6.0.10 Closes spring-projectsgh-1276 * Update to Spring Security 6.0.4 Closes spring-projectsgh-1277 * Update to Spring Framework 6.0.10 Closes spring-projectsgh-1278 * Update to Spring Security 6.1.1 Closes spring-projectsgh-1279 * Update to junit-jupiter 5.9.3 Closes spring-projectsgh-1280 * Update to junit-jupiter 5.9.3 Closes spring-projectsgh-1281 * Update to jackson-bom 2.15.2 Closes spring-projectsgh-1282 * Update feature planning section to using GitHub Projects * Release 1.1.1 * Next Development Version * Fix generating ID token with null sid when refresh_token grant Closes spring-projectsgh-1283 * Polish spring-projectsgh-1289 * Fix NPE in DefaultErrorController Closes spring-projectsgh-1286 * Migrate docs to Antora Issue spring-projectsgh-1295 * Polish Antora migration Issue spring-projectsgh-1292 Closes spring-projectsgh-1295 * Remove unused antora-playbook.yml * Replaces 'install' with 'publishToMavenLocal' command in README * Adds how-to guide on adding authorities to access tokens Closes spring-projectsgh-542 * Polish spring-projectsgh-1264 * Update order of guides in nav.adoc * Fix userCode validation Issue spring-projectsgh-44 * Polish spring-projectsgh-1309 * Add Revved up by Gradle Enterprise badge * Move badges to header This is similar to Spring Boot: https://github.com/spring-projects/spring-boot/blob/main/README.adoc * Fix workflow status link * Fix samples test suite execution and failing tests Closes spring-projectsgh-1324 * Polish spring-projectsgh-1325 * Move deploy-docs.yml to correct folder Issue spring-projectsgh-1295 * Remove manual list of guides Issue spring-projectsgh-1295 * Remove reference to gh-pages Issue spring-projectsgh-1295 * Update to Spring Framework 6.0.11 Closes spring-projectsgh-1338 * Update to Spring Security 6.1.2 Closes spring-projectsgh-1339 * Update to org.hsqldb:hsqldb 2.7.2 Closes spring-projectsgh-1340 * Release 1.1.2 * Next Development Version * Adds ability to inject custom metadata at client registration Closes spring-projectsgh-1172 * Polish spring-projectsgh-1326 * Adds dynamic client registration how-to guide Closes spring-projectsgh-647 * Polish spring-projectsgh-1320 * Add code challenge methods for oidc provider configuration response Closes spring-projectsgh-1302 * Update to Spring Framework 6.1.0-M5 Closes spring-projectsgh-1364 * Update to Spring Security 6.2.0-M3 Closes spring-projectsgh-1365 * Update to nimbus-jose-jwt 9.35 Closes spring-projectsgh-1366 * Update to junit-jupiter 5.10.0 Closes spring-projectsgh-1367 * Update to okhttp 4.11.0 Closes spring-projectsgh-1368 * Release 1.2.0-M1 * Next Development Version --------- Co-authored-by: Joe Grandja <jgrandja@vmware.com> Co-authored-by: Siva Kumar Edupuganti <esivakumar18@gmail.com> Co-authored-by: Yuta Saito <uc4w6c@bma.biglobe.ne.jp> Co-authored-by: Shannon Pamperl <shanman190@gmail.com> Co-authored-by: Steve Riesenberg <sriesenberg@vmware.com> Co-authored-by: HuiYeong <huiyeong@lguplus.co.kr> Co-authored-by: Xu Xiaowei <xuxiaowei@xuxiaowei.com.cn> Co-authored-by: Janne Valkealahti <janne.valkealahti@gmail.com> Co-authored-by: Dmitriy Dubson <ddubson@vmware.com> Co-authored-by: neochae <neochae@lguplus.co.kr> Co-authored-by: heartape <heartape@163.com> Co-authored-by: Dejan Varmedja <114813331+fndejan@users.noreply.github.com> Co-authored-by: Jerome Prinet <jprinet@gradle.com> Co-authored-by: Pavel Efros <efros.pavel@gmail.com> Co-authored-by: Martin Lindström <martin.lindstrom@litsec.se> Co-authored-by: cbilodeau <cbilodeau@upgrade.com> Co-authored-by: Rob Winch <rwinch@users.noreply.github.com> Co-authored-by: Dmitriy Dubson <d.dubson@gmail.com> Co-authored-by: Martin Bogusz <m.bogusz@celonis.com> Co-authored-by: Eric Haag <ehaag@gradle.com> Co-authored-by: Tuxzx <tuxzx@outlook.com>
This PR adds an enhancement recommended per spec:
https://www.rfc-editor.org/rfc/rfc6749#section-4.1.2
"If an authorization code is used more than once,
the authorization server MUST deny the request and
SHOULD revoke (when possible) all tokens previously
issued based on that authorization code."