OAuth migration | Remove SC_GU_LA cookie check | Migrate MDAPI calls to use OAuth tokens #1294
## What does this change?

This changes two things, one resulting from the other.

### Remove the `SC_GU_LA` cookie check

After we enabled Okta on PROD MMA, we noticed a few browsers were experiencing redirect loops. We worked out that this was happening in the following situation:

1. `max_age` parameter being sent by MMA.
2. `SC_GU_LA` cookie was missing from the browser context in the affected browsers. I suspect this was a race condition: the `SC_GU_LA` cookie had expired and been deleted before the OAuth session became invalid, despite the fact that both are set to 30 minutes.
3. `SC_GU_LA` cookie, MMA sent the browser back to Okta.

The error may have been limited to developer machines with funky cookie setups, but we reverted the config change on PROD just in case.

Luckily, the solution is simple - we do not actually need to check for the `SC_GU_LA` cookie, as our downstream APIs don't use it and we're going to deprecate it as part of our migration to Okta anyway. Thank you to @coldlink for solving this!

The first commit removes the check for `SC_GU_LA` during login.

### Migrating MDAPI calls to use OAuth tokens

MDAPI supports authentication via IDAPI cookies and OAuth tokens. When making calls to MDAPI without the `SC_GU_LA` cookie set, these naturally fail. The second two commits in this PR update MMA to make calls to MDAPI only with the new OAuth access token, sent in an `Authorization` header, rather than the IDAPI cookies. This allows MMA to work without the `SC_GU_LA` cookie.

Currently, all other APIs still send the legacy IDAPI cookies. MDAPI needs to be updated because it is the only Guardian API which calls the IDAPI `auth/redirect` endpoint to validate IDAPI cookies - and that endpoint expects a valid `SC_GU_LA` value.

## Tests
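As an added illustration (not code from this PR or from MMA), the JavaScript below models the redirect-loop race the description above reports and the two changes it makes: the login check that no longer requires the `SC_GU_LA` cookie, and MDAPI requests that carry the OAuth access token in an `Authorization` header instead of IDAPI cookies. All function names and the cookie/session timing model are hypothetical.

```javascript
// Added example, not code from the PR. Function names and the timing model
// are hypothetical; they mirror the behaviour the PR description reports.

const THIRTY_MINUTES_MS = 30 * 60 * 1000;

// Constructed browser state: the browser deletes the cookie once it expires,
// while the OAuth session only becomes invalid after its own expiry. Both
// lifetimes are 30 minutes, but they need not start at the same instant.
function browserState(nowMs, cookieSetAtMs, sessionSetAtMs) {
  const cookies = {};
  if (nowMs < cookieSetAtMs + THIRTY_MINUTES_MS) {
    cookies.SC_GU_LA = 'constructed-legacy-cookie-value';
  }
  const oauthSessionValid = nowMs < sessionSetAtMs + THIRTY_MINUTES_MS;
  return { cookies, oauthSessionValid };
}

// Before this PR: redirect to Okta when the OAuth session is invalid OR the
// SC_GU_LA cookie is absent. If the cookie expires first, MMA sends the browser
// to Okta, which still sees a valid session and sends it straight back: a loop.
function needsOktaRedirectBefore({ cookies, oauthSessionValid }) {
  return !oauthSessionValid || !('SC_GU_LA' in cookies);
}

// After this PR: only the OAuth session decides.
function needsOktaRedirectAfter({ oauthSessionValid }) {
  return !oauthSessionValid;
}

// After this PR: MDAPI requests carry the access token in an Authorization
// header and do not forward the legacy IDAPI cookies at all.
function mdapiRequestHeaders(accessToken) {
  return { Authorization: `Bearer ${accessToken}` };
}

// Reproduce the race: cookie set 10 s before the session, observed 1 s after
// the cookie expired. The old check loops; the new one does not.
function demo() {
  const cookieSetAt = 0;
  const sessionSetAt = 10 * 1000;
  const now = cookieSetAt + THIRTY_MINUTES_MS + 1000;
  const state = browserState(now, cookieSetAt, sessionSetAt);
  return {
    before: needsOktaRedirectBefore(state), // true: spurious redirect to Okta
    after: needsOktaRedirectAfter(state),   // false: session still valid
    headers: mdapiRequestHeaders('constructed-access-token'),
  };
}
```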