OAuth migration | Remove SC_GU_LA cookie check | Migrate MDAPI calls to use OAuth tokens #1298
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
raphaelkabo
force-pushed
the
rk/fix-oauth-cookie-bug
branch
from
ffa6438
to
faf26e0
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this change?
This changes two things, one resulting from the other.
Remove the
SC_GU_LAcookie checkAfter we enabled Okta on PROD MMA, we noticed a few browsers were experiencing redirect loops. We worked out that this was happening in the following situation:
max_ageparameter being sent by MMA.SC_GU_LAcookie was missing from the browser context in the affected browsers. I suspect this was a race condition: theSC_GU_LAcookie had expired and been deleted before the OAuth session became invalid, despite the fact that both are set to 30 minutes.SC_GU_LAcookie, MMA sent the browser back to Okta.The error may have been limited to developer machines with funky cookie setups, but we reverted the config change on PROD just in case.
Luckily, the solution is simple - we do not actually need to check for the
SC_GU_LAcookie, as our downstream APIs don't use it and we're going to deprecate it as part of our migration to Okta anyway. Thank you to @coldlink for solving this!The first commit removes the check for
SC_GU_LAduring login when Okta is enabled.Migrating MDAPI calls to use OAuth tokens
MDAPI supports authentication via IDAPI cookies and OAuth tokens. When making calls to MDAPI without the
SC_GU_LAcookie set, these naturally fail. The second two commits in this PR update MMA to make calls to MDAPI only with the new OAuth access token, sent in anAuthorizationheader, rather than the IDAPI cookies. This allows MMA to work without theSC_GU_LAcookie. We only do this when Okta is enabled - otherwise we always send IDAPI cookies.Currently, all other APIs still send the legacy IDAPI cookies. MDAPI needs to be updated because it is the only Guardian API which calls the IDAPI
auth/redirectendpoint to validate IDAPI cookies - and that endpoint expects a validSC_GU_LAvalue.Tests