feat: [LILO-418] - Modify Cloud Manager to use OAuth PKCE instead of … #10600
Conversation
mkaminsk-akamai
requested review from
jdamore-linode and
AzureLatte
and removed request for
a team
|
I'm noticing some weird behavior. I'm trying to go to localhost:3000 with the Screen.Recording.2024-07-10.at.1.53.30.PM.mov |
|
I'll test this against Parent/Child proj |
|
Coverage Report: ✅ |
mkaminsk-akamai
force-pushed
the
feature/CloudManager-using-OAuth-PKCE
branch
from
cdb9764
to
5e517a7
Compare
Thanks for checking this. I made ammedment to from where we take the login URL so it should work when we override environments settings using localStorageOverrides. |
@bnussman-akamai I did additional merge and resolved conflicts with changes from develop branch. |
mkaminsk-akamai
requested review from
cliu-akamai
and removed request for
a team
mkaminsk-akamai
force-pushed
the
feature/CloudManager-using-OAuth-PKCE
branch
2 times, most recently
from
f7a7670
to
5554c9c
Compare
|
It would be also worth to test this against accounts using TPA like Google or Github in dev. |
|
Currently getting a redirect loop when trying to login |
Just tried on my local dev environment and I don't observe redirect loop. Are you able to attach HAR file from that loop? and possibly your logs from login-backend? Any errors? |
mkaminsk-akamai
force-pushed
the
feature/CloudManager-using-OAuth-PKCE
branch
3 times, most recently
from
4176793
to
a484bf6
Compare
|
This PR is stale because it has been open 15 days with no activity. Please attend to this PR or it will be closed in 5 days |
Have you got a chance to look into this PR ? |
|
Unfortunately, I'm still seeing some sort of redirect loop when I use our environment switcher tool. Screen.Recording.2024-08-19.at.10.03.30.AM.mov |
It seems this may be due configuration of the OAuth client used on Dev env. Could you please confirm? |
mkaminsk-akamai
force-pushed
the
feature/CloudManager-using-OAuth-PKCE
branch
from
a484bf6
to
71f7987
Compare
mkaminsk-akamai
force-pushed
the
feature/CloudManager-using-OAuth-PKCE
branch
from
71f7987
to
5981d23
Compare
There was a problem hiding this comment.
@jdamore-linode @bnussman-akamai This is now looking good to me. The issue I was seeing when switching environments has been resolved with latest commit. Would love to get your review/approval since this affects login before merging.
mkaminsk-akamai
force-pushed
the
feature/CloudManager-using-OAuth-PKCE
branch
2 times, most recently
from
056327a
to
dd20de2
Compare
|
@bnussman-akamai I recently made updates to the code and resolved conflicts. Could you please confirm how it looks now from your perepective? |
| return buffer; | ||
| } | ||
|
|
||
| async function sha256(plain: string): Promise<ArrayBuffer> { |
There was a problem hiding this comment.
@mjac0bs Once this is merged, can we share the same sha256 implementation with Pendo
There was a problem hiding this comment.
👀 Good call out! Yeah, I can make an update to the Pendo hashes so we're consistent, and those utils should probably be moved to somewhere more common. Tracking in M3-8727.
|
Quick heads up @mkaminsk-akamai (cc @jaalah-akamai) that there are Cypress test failures that seem to be related to this change in I'm not able to reproduce the failures locally, which seems strange, so if I have time later I'll try to check out the CI recordings and see if they give us any clues, and will follow up if so. |
mkaminsk-akamai
force-pushed
the
feature/CloudManager-using-OAuth-PKCE
branch
from
dd20de2
to
18a2ee2
Compare
|
@jdamore-linode this is most likely failing because the CI client ID needs |
Description 📝
This change in Cloud Manager is an implication of an enhancement we are introducing, PKCE, which is an OAuth authentication enhancement described in the RFC OAuth 2.1 Authorization Framework: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-01.
The existing OAuth flow (used by customers) between Login and Cloud Manager uses the OAuth 2.0 implicit flow, which is considered less secure since it exposes access tokens in the redirection URL generated by the authorization server (Login).
In the new PKCE (Proof Key for Code Exchange) flow, the access token is sent inside the response body. There is also an additional layer of security with the code verifier - code challenge contract, which ensures the initial exchange code requestor possessing the code challenge is the same one which requests the access token and has the code verifier. The code challenge is a hash of a random code verifier string generated by the OAuth client.
Current one-step implicit flow:
Is replaced with a two-step process using the S256 PKCE method:
Changes 🔄
session.ts
pkce.ts
OAuth.tsx
Minior changes: authentication.helpers.ts, authentication.reducer.ts, authentication.test.ts, storage.ts
Added unit tests
Target release date 🗓️
Target release date needs to be aligned with Login team, so Cloud Manager will be released AFTER Login component release date.
How to test 🧪
Verify the login process into Cloud Manager works as previously in various scenarios.
As an Author I have considered 🤔
Check all that apply
Commit message and pull request title format standards
<commit type>: [JIRA-ticket-number] - <description>Commit Types:
feat: New feature for the user (not a part of the code, or ci, ...).fix: Bugfix for the user (not a fix to build something, ...).change: Modifying an existing visual UI instance. Such as a component or a feature.refactor: Restructuring existing code without changing its external behavior or visual UI. Typically to improve readability, maintainability, and performance.test: New tests or changes to existing tests. Does not change the production code.upcoming: A new feature that is in progress, not visible to users yet, and usually behind a feature flag.Example:
feat: [M3-1234] - Allow user to view their login history