fix: use forgiving jwt authentication #197
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
robrap
commented
Aug 13, 2021
|
Closing this draft PR with comments for ARCHBOM-1218 until the ticket is picked up again. |
|
Re-opening this because I think it's still relevant once we update it a bit. I'll take a stab at re-basing it off of the latest main branch. |
feanil
force-pushed
the
robrap/ARCHBOM-1218-drop-use-jwt-cookie-header
branch
from
1de9346
to
bcab347
Compare
robrap
commented
May 9, 2023
robrap
commented
May 10, 2023
robrap
commented
May 10, 2023
robrap
commented
May 10, 2023
feanil
reviewed
May 17, 2023
robrap
commented
May 17, 2023
feanil
force-pushed
the
robrap/ARCHBOM-1218-drop-use-jwt-cookie-header
branch
from
35f3baf
to
b567e94
Compare
|
@feanil: What's your plan for this? |
|
@robrap I had to backburner this a bit to get some other work around documentation moving. I think I'll be able to finish that up this week and then I can come back to this next week. |
The idea behind this work is to use "forgiving" jwt authentication when working with JWT cookies, which means that if jwt cookie authentication fails, we would try other authentication mechanisms, rather than failing and halting the authentication attempt. This solution would replace an earlier solution to issues around jwt cookies that introduced an HTTP_USE_JWT_COOKIE header. For more background and details, see the new ADR: 0002-remove-use-jwt-cookie-header.rst. Also contains: * add custom attributes `jwt_auth_has_jwt_cookie` for debugging. * ENABLE_FORGIVING_JWT_COOKIES toggle for rollout of what would be a future breaking change, when we have fully switched to forgiving jwt cookies. ARCHBOM-1218
By default it will be off so the release should be safe to push out and then we can enable as needed to test the new code paths.
We now set multiple attribuets as a part of authentication so change how we validate our mock calls.
feanil
force-pushed
the
robrap/ARCHBOM-1218-drop-use-jwt-cookie-header
branch
2 times, most recently
from
02a6bd9
to
88f7879
Compare
Run all the existing tests with both forgiving and original JWT Auth behaviors. Only one test needed to be modified. Previously we were raising an exception when CSRF checks failed within the authentication process but with forgiving auth, we no longer rais an exception so we update the one test to handle both cases for now. This will get cleaned when we hopefully move forward with only having the forgiving JWT auth flow in the future.
This test was missing an assert to ensure that authentication succeeded. However when we add the assert, I learned that the test was failing because the Authorization header was not being submitted correctly into the initial request. I updated the test so that it would pass as expected.
feanil
force-pushed
the
robrap/ARCHBOM-1218-drop-use-jwt-cookie-header
branch
from
88f7879
to
65919e4
Compare
robrap
commented
Jul 21, 2023
robrap
commented
Jul 25, 2023
There was a problem hiding this comment.
Thanks @feanil. I'm going to discuss monitoring with someone on my team late tomorrow, and will come back with a proposal around that. In the meantime, I've noted other things.
Also, when done, please check the Conversations tab to ensure you caught all the comments. Some of my comments are not new, but just pings on old comments. Thanks!
edx_rest_framework_extensions/auth/jwt/tests/test_middleware.py
Outdated
Show resolved
Hide resolved
Co-authored-by: Robert Raposa <[email protected]>
feanil
reviewed
Jul 26, 2023
Co-authored-by: Robert Raposa <[email protected]>
timmc-edx
reviewed
Jul 26, 2023
This initial refactor recombines the original and forgiving versions of process_view, and tries to keep as close to the original as possible. Changes to original include: - reconstitute cookie if is_forgiving_jwt_cookies_enabled - move setting request user to the bottom of the method - for forgiving cookies, user is set if jwt cookie is found
Monitoring shows that missing JWT cookies is already a common case, and will be even more common once this is enabled. Therefore, there is no reason to log this as a warning, nor even to log it at all.
- Add new custom attribute use_jwt_cookie_requested - Remove custom attribute request_jwt_cookie Notes: - request_jwt_cookie had a confusing name - the new temporary attribute use_jwt_cookie_requested provides more specific help for the overall removal of this header. - the new attribute jwt_auth_has_jwt_cookie (separate commit) can be used instead to determine if we reconstituted.
Simplify middleware code for reconstituting cookies by simply returning early if USE_JWT_COOKIE_HEADER is not supplied, and we haven't yet enabled ENABLE_FORGIVING_JWT_COOKIES. To accomplish this, one minor change was made that should be fine, but it does affect the USE_JWT_COOKIE_HEADER case. Rather than setting request user for all scenarios where USE_JWT_COOKIE_HEADER is supplied, including when there is no JWT cookie, we only set the request user if the JWT cookie has been reconstituted.
Updates docs for request_auth_type_guess custom attribute using annotations.
Updates docs for jwt_auth_failed custom attribute using annotations.
Made the following custom attribute changes: * replace jwt_auth_has_jwt_cookie (was in JwtAuthentication) with new has_jwt_cookie in JwtAuthCookieMiddleware * refactor and rename jwt_auth_forgiving_jwt_cookies to is_forgiving_jwt_cookies_enabled * annotate is_forgiving_jwt_cookies_enabled * add and annotate jwt_auth_failure_forgiven
Combine _authenticate_original and _authenticate_forgiving_jwt_cookies into one method. Note: The refactor makes a change to the original, where we now use check to see if there is JWT cookie, rather than checking if the USE_JWT_COOKIE header exists, to determine whether to check for CSRF protection.
Configure test settings to enable more complete JwtAuthetication testing with JWT cookies. Note: A new test_authenticate_with_correct_jwt_cookie will be added in a separate commit because it relies on other changes.
* Add jwt_auth_result with various values for the different possible outcomes of JwtAuthentication. * Remove jwt_auth_failure_forgiven custom attribute, which was replaced by jwt_auth_result value 'forgiven-failure'. Configure test settings to enable more complete JwtAuthetication testing with JWT cookies. Note: A new test_authenticate_with_correct_jwt_cookie will be added in a separate commit because it relies on other changes.
robrap
commented
Aug 10, 2023
There was a problem hiding this comment.
@timmc-edx @feanil: You may want to review the Aug 8th and Aug 10th commits by commit.
Here is a summary of changes:
- docs: update annotations for request_auth_type_guess
- docs: add annotations for jwt_auth_failed
- fixup! forgiving jwt custom attribute updates
- replace jwt_auth_has_jwt_cookie (was in JwtAuthentication) with new has_jwt_cookie in JwtAuthCookieMiddleware
- refactor and rename jwt_auth_forgiving_jwt_cookies to is_forgiving_jwt_cookies_enabled
- annotate is_forgiving_jwt_cookies_enabled
- add and annotate jwt_auth_failure_forgiven
- Note: This is replaced by jwt_auth_result in a future commit.
- fixup! refactor JwtAuthentication authenticate (combined orginal and forgiving_jwt_cookies)
- Note: this was another refactor like the one from the separate PR
- feat: enable JWT cookie testing
- adds a test setting used in a follow-up commit
- fixup! switch to jwt_auth_result custom attribute
- replaces jwt_auth_failure_forgiven
UPDATE: Also added a changelog entry and bumped the version.
Comment on lines
83
to
86
| # Not using JWT cookies, CSRF validation not required | ||
| use_jwt_cookie_requested = request.META.get(USE_JWT_COOKIE_HEADER) | ||
| if not use_jwt_cookie_requested: | ||
| return user_and_auth |
There was a problem hiding this comment.
Note to reviewer: The refactor makes a change to this original code (not seen in the changed code) where
we now check to see if there is JWT cookie, rather than checking if the USE_JWT_COOKIE header exists, to determine whether to check for CSRF protection.
feanil
approved these changes
Aug 14, 2023
| @@ -142,9 +139,15 @@ def _authenticate_forgiving_jwt_cookies(self, request): | |||
| # .. custom_attribute_description: Includes a summary of the JWT failure exception | |||
| # for debugging. | |||
| set_custom_attribute('jwt_auth_failed', 'Exception:{}'.format(repr(exception))) | |||
| # .. custom_attribute_name: jwt_auth_failure_forgiven | |||
| # .. custom_attribute_description: This attribute will be True if the JWT failure | |||
| # is forgiven. Only JWT cookie failures will be forgiven. In the case of a | |||
There was a problem hiding this comment.
What's Only JWT cookie failures will be forgiven. meant to communicate? It suggests that maybe JWT auth where you use a JWT Authorization header is not forgiven? Is that right?
There was a problem hiding this comment.
@feanil: You are correct. Also, this comment went away when this attribute was removed in favor of jwt_auth_result, so there is no doc updates needed.
|
@feanil @timmc-edx: [inform] I just added a changelog entry as well. |
20 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
The idea behind this work is to use "forgiving" jwt authentication
when working with JWT cookies, which means that if jwt cookie
authentication fails, we would try other authentication mechanisms,
rather than failing and halting the authentication attempt.
This solution would replace an earlier solution to issues around
jwt cookies that introduced an HTTP_USE_JWT_COOKIE header.
For more background and details, see the new ADR:
0002-remove-use-jwt-cookie-header.rst.
Also contains:
be a future breaking change, when we have fully switched to
forgiving jwt cookies.
JIRA:
Author concerns:
Reviewers:
Merge checklist:
Post merge:
finished.