authn: Generalize support to ~any OIDC/OAuth2 IdP, not just AWS Cognito #731

Merged (2 commits) on Oct 18, 2023

Commits on Oct 17, 2023

  1. authn: Generalize support to ~any OIDC/OAuth2 IdP, not just AWS Cognito

    OIDC is OpenID Connect 1.0, which is an identity/authentication protocol
    layered on top of OAuth 2.0's authorization protocol.  AWS Cognito
    implements OIDC/OAuth2 but our authn code hardcoded some assumptions
    about Cognito specifically.  Undo that and parameterize and generalize
    the code to work (in theory) with other OIDC identity providers (IdPs).
    In practice, some additional changes may be necessary for specific other
    IdPs, but as-is I can get this generalized authn code to work against a
    test Azure AD IdP.
    
    Outside of authn, there are still some other bits of the codebase which
    require Cognito.  Those will be addressed in subsequent work.
    
    This work is motivated by CDC AMD's efforts to host a copy of
    nextstrain.org internally in order to avail themselves of Groups
    internally.
    
    Related-to: <nextstrain/private#94>
    tsibley committed Oct 17, 2023
    Commit 582856c
  2. authn: Support IdPs that backdate their "iat" claim in id tokens

    The backdating must be a fixed duration, which is what I've observed
    with Azure AD (300s) and other IdPs.  Backdating is sometimes applied to
    be more lenient with clients that have a slow clock (i.e. who otherwise
    might see a correct iat as in the future and reject the token).
    
    Without accounting for backdating, our staleBefore marker can cause a
    temporary deauthentication and repeated renewal attempts as token
    renewal requests "work" but produce a token with an iat that's still
    older than the staleBefore.
    tsibley committed Oct 17, 2023
    Commit e84c672
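The second commit describes a failure mode worth seeing in code: an IdP that backdates `iat` by a fixed duration makes a freshly renewed token look older than a `staleBefore` marker, so every renewal "succeeds" yet is immediately rejected again. The following is an added example, not code from the nextstrain.org repository or from the PR author; the function names, the `staleBefore` representation (Unix seconds), the 300-second Azure AD value quoted from the commit message and the sample token are all assumptions made for illustration. Signature verification of the token is assumed to have already happened upstream; this code only decides staleness.

```javascript
// Added example (not nextstrain.org's code): staleness check for an OIDC id
// token that tolerates an IdP backdating "iat" by a fixed, per-IdP duration.
// All times are Unix seconds, matching the JWT "iat"/"exp" claim format.

// Decode the payload segment of a compact JWS WITHOUT verifying it. Only call
// this on a token whose signature has already been verified (e.g. with the
// jose library); this helper exists so the staleness check can read claims.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS (expected 3 segments)");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// A token is stale if it was issued before the staleBefore marker. The IdP's
// backdating is added back to iat so that a token issued "now" by an IdP that
// writes iat = now - backdating is compared at its real issue time. Only iat is
// adjusted; exp/nbf validation is left to the normal JWT checks.
function isIdTokenStale(claims, staleBefore, iatBackdatingSeconds = 0) {
  if (!Number.isInteger(claims.iat)) throw new Error("iat claim missing or not an integer");
  if (!Number.isInteger(iatBackdatingSeconds) || iatBackdatingSeconds < 0) {
    throw new Error("backdating must be a fixed non-negative number of seconds");
  }
  const effectiveIssuedAt = claims.iat + iatBackdatingSeconds;
  return effectiveIssuedAt < staleBefore;
}

// Model the renewal loop from the commit message: keep asking the IdP for a new
// token until one is accepted, giving up after maxAttempts. Returns the attempt
// number that succeeded, or null if every renewed token still looked stale.
function renewUntilFresh(renew, staleBefore, iatBackdatingSeconds, maxAttempts = 5) {
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const claims = renew();
    if (!isIdTokenStale(claims, staleBefore, iatBackdatingSeconds)) return attempt;
  }
  return null;
}

// Constructed scenario (assumed values): the app set staleBefore 60 s ago, and an
// IdP that backdates iat by 300 s (the Azure AD behaviour noted in the commit)
// issues a brand-new token. The third segment is a placeholder, not a signature.
const SAMPLE_NOW = 1697500000;
const AZURE_AD_BACKDATING_SECONDS = 300; // fixed per-IdP constant, not inferred from tokens
const SAMPLE_STALE_BEFORE = SAMPLE_NOW - 60;

function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64url");
}

const sampleToken = [
  b64url({ alg: "RS256", typ: "JWT" }),
  b64url({
    iss: "https://login.example.test/v2.0", // assumed issuer
    sub: "user-1",
    iat: SAMPLE_NOW - AZURE_AD_BACKDATING_SECONDS, // backdated by the IdP
    exp: SAMPLE_NOW + 3600,
  }),
  "signature-placeholder",
].join(".");

// Stand-in for the IdP's token endpoint: every renewal yields a token issued
// "now" whose iat is backdated by the fixed duration.
function fakeAzureAdRenew() {
  return { iat: SAMPLE_NOW - AZURE_AD_BACKDATING_SECONDS, exp: SAMPLE_NOW + 3600 };
}

function demo() {
  const claims = decodeJwtPayload(sampleToken);
  return {
    staleWithoutAdjustment: isIdTokenStale(claims, SAMPLE_STALE_BEFORE, 0),
    staleWithAdjustment: isIdTokenStale(claims, SAMPLE_STALE_BEFORE, AZURE_AD_BACKDATING_SECONDS),
    attemptsWithoutAdjustment: renewUntilFresh(fakeAzureAdRenew, SAMPLE_STALE_BEFORE, 0),
    attemptsWithAdjustment: renewUntilFresh(fakeAzureAdRenew, SAMPLE_STALE_BEFORE, AZURE_AD_BACKDATING_SECONDS),
    // A genuinely old token (issued an hour ago) must still be stale even with the adjustment.
    oldTokenStillStale: isIdTokenStale({ iat: SAMPLE_NOW - 3600 }, SAMPLE_STALE_BEFORE, AZURE_AD_BACKDATING_SECONDS),
  };
}

module.exports = { decodeJwtPayload, isIdTokenStale, renewUntilFresh, demo, sampleToken, SAMPLE_NOW };
```

The backdating tolerance is a security-relevant parameter: it is exactly the window in which a token issued just before `staleBefore` is still accepted, so it should be a fixed constant configured per IdP (as the commit message requires), never derived from the token being checked, and never larger than what the IdP actually applies.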