Feature #14718
closed
[API] Option to issue salted token in login procedure
Added by Peter Amstutz over 6 years ago. Updated about 6 years ago.
100%
Description
When redirecting a user agent to the Arvados login endpoint (https://aaaaa.arvadosapi.com/login), an application may specify a remote cluster ID in the query string (.../login?remote=bbbbb).
In that case, assuming the login is successful and a new token is issued, the new token will be salted for the specified remote.
This story does not cover prompting the user differently depending on the requested scope, although we will want to do so in the future.
Updated by Peter Amstutz over 6 years ago
- Status changed from New to In Progress
Updated by Peter Amstutz over 6 years ago
- Subject changed from [API] untrusted client login receives salted token to [API] login flow for remote clusters that receives salted token
Updated by Peter Amstutz over 6 years ago
- Related to Feature #12958: [Federation] Workbench login chooser added
Updated by Tom Clegg over 6 years ago
- Subject changed from [API] login flow for remote clusters that receives salted token to [API] Option to issue salted token in login procedure
- Description updated (diff)
- Category set to API
- Status changed from In Progress to New
Updated by Tom Clegg over 6 years ago
- Related to deleted (Feature #12958: [Federation] Workbench login chooser)
Updated by Tom Clegg over 6 years ago
- Blocks Feature #12958: [Federation] Workbench login chooser added
Updated by Peter Amstutz over 6 years ago
- Target version changed from To Be Groomed to Arvados Future Sprints
Updated by Tom Morris about 6 years ago
- Target version changed from Arvados Future Sprints to 2019-01-30 Sprint
Updated by Lucas Di Pentima about 6 years ago
- Assigned To set to Lucas Di Pentima
Updated by Lucas Di Pentima about 6 years ago
- Status changed from New to In Progress
Updated by Lucas Di Pentima about 6 years ago
Updates at 4bb449eb5 - branch 14718-api-login-salted-token
Test run: https://ci.curoverse.com/job/developer-run-tests/1041/
Took advantage of return_to being passed around between API server and SSO to propagate the remote parameter.
Updated by Tom Clegg about 6 years ago
In user_sessions_controller.rb → login, it looks like params[:remote] is missing a CGI.escape() in case it's an unexpectedly non-alphanum/malicious string -- it gets appended to another string provided by the same client so I don't see how it would be exploitable, but I'm inclined to be defensive about it anyway.
remote_param += "remote=#{params[:remote]}"
- it's sneaky/non-obvious enough that it should be explained in comments
- it should be removed from return_to before create() redirects there. If I'm following correctly, when Workbench sends the user to
https://api/login?return_to=https://wb/home&remote=bbbbb, the user will eventually land on eitherhttps://wb/home?remote=bbbbborhttps://wb/homedepending on whether they needed to go through the joshid→sso→sessions#create flow or took the "already logged in" short cut. It would be better if we could ensure they always land onhttps://wb/homeas requested. (Am I following correctly?)
I wonder whether it might even be less confusing to use a format like return_to="bbbbb,https://wb/home" (or ",https://wb/home" for the unsalted case) to avoid all the corner cases involved in stashing the remote id in the client-provided URL. For example, I'd rather not even try to figure out whether we're doing the right thing here when the client-provided return_to is something like "https://wb/home?foo=bar#foo/bar?baz".
Updated by Lucas Di Pentima about 6 years ago
Updates at 0d1836a8d
Test run: https://ci.curoverse.com/job/developer-run-tests/1043/
Addressed above suggestions.
Updated by Tom Clegg about 6 years ago
- ignore the remote param if it contains a comma (or perhaps even if it doesn't match
/^[0-9a-z]{5}$/) - escape the whole combined param including the comma (I notice
CGI.escape(',') == '%2c'-- and we will unescape the whole thing before splitting, so we might as well escape the whole thing after joining)
the rest LGTM, thanks!
Updated by Tom Clegg about 6 years ago
Tom Clegg wrote:
- ignore the remote param if it contains a comma (or perhaps even if it doesn't match
/^[0-9a-z]{5}$/)
...only on the "login" handler, not the "callback" handler.
Updated by Tom Clegg about 6 years ago
On second thought, I think we should error out (rather than ignoring the remote param) in both callback and login handlers if the "remote" value doesn't look like a cluster ID.
Updated by Lucas Di Pentima about 6 years ago
Updates at 245e4cafd
Test run: https://ci.curoverse.com/job/developer-run-tests/1044/
- Validates the remote cluster id parameter both on
loginendpoint &omniauthcallback. - Added tests.
- Updated
lib/controllerhandler test to support the new format.
Updated by Lucas Di Pentima about 6 years ago
- Status changed from In Progress to Resolved
- % Done changed from 0 to 100
Applied in changeset arvados|d1e00d89dac87929d39c0689a593f0574980f2e8.