
Auth - implement JWT auto-refresh

Open tpurschke opened this issue 3 years ago • 5 comments

  • [x] start with making JWT expiry value customizable via config setting (next feature)

  • [ ] Access Token Lifetime: Configurable

  • [ ] Refresh Token Lifetime: Configurable (make sure the refresh token lifetime is higher than the access token lifetime, or it will cause problems when the access token is expired and needs to be refreshed via the refresh token)

  • [ ] later: auto-refresh JWT while user is using the UI; see

    • https://jasonwatmore.com/post/2021/06/15/net-5-api-jwt-authentication-with-refresh-tokens
    • https://hasura.io/docs/latest/graphql/core/auth/authentication/jwt/
    • https://datatracker.ietf.org/doc/html/rfc7517
  • [x] in addition to the JWT, the login process should also return a JWT refresh token:

R6VTlDwO-_h99Kxv8lJA","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIU

use to refresh as follows:

curl -k \
  -d "client_id=admin-cli" \
  -d "grant_type=refresh_token" \
  -d "refresh_token=<refresh_token>" \
  https://<IP>/auth/realms/fwo-realm/protocol/openid-connect/token
  • [x] could not reproduce this exception (could not reproduce on freshly upgraded customer system - expiry was caught normally)
[2022-05-03T11:16:07.463Z] Error: There was an unhandled exception on the current circuit, so this circuit will be terminated. For more details turn on detailed exceptions by setting 'DetailedErrors: true' in 'appSettings.Development.json' or set 'CircuitOptions.DetailedErrors'. 
log @ blazor.server.js:1

2022-05-03T03:03:09.398385+02:00 debian10 fworch-ui:  Message:
2022-05-03T03:03:09.398494+02:00 debian10 fworch-ui:   Could not verify JWT: JWTExpired
2022-05-03T03:03:09.398583+02:00 debian10 fworch-ui:   
2022-05-03T03:03:09.398668+02:00 debian10 fworch-ui:  Stack Trace:
2022-05-03T03:03:09.398764+02:00 debian10 fworch-ui:   at FWO.Api.Client.GraphQlApiConnection.SendQueryAsync[QueryResponseType](String query, Object variables, String operationName) in /usr/local/fworch/lib/files/FWO.Api.Client/GraphQlApiConnection.cs:line 92
2022-05-03T03:03:09.398853+02:00 debian10 fworch-ui:     at FWO.Ui.Shared.AutoDiscovery.OnInitializedAsync() in /usr/local/fworch/ui/files/FWO.UI/Shared/AutoDiscovery.razor:line 234
2022-05-03T03:03:09.401998+02:00 debian10 fworch-ui:  2022-05-03T03:03:09+02:00 Error - API Connection (GraphQlApiConnection.cs in line 88), Error while sending query to GraphQL API. Caught by GraphQL client library.
2022-05-03T03:03:09.402166+02:00 debian10 fworch-ui:  Message: Could not verify JWT: JWTExpired
2022-05-03T03:03:09.402262+02:00 debian10 fworch-ui:  2022-05-03T03:03:09+02:00 Error - API Connection (GraphQlApiConnection.cs in line 123), Error while sending query to GraphQL API. Query: mutation addUiLog(
2022-05-03T03:03:09.402378+02:00 debian10 fworch-ui:    $user: Int!
2022-05-03T03:03:09.402481+02:00 debian10 fworch-ui:    $severity: Int!
2022-05-03T03:03:09.402569+02:00 debian10 fworch-ui:    $suspectedCause: String
2022-05-03T03:03:09.402656+02:00 debian10 fworch-ui:    $description: String
2022-05-03T03:03:09.402743+02:00 debian10 fworch-ui:  ) {
2022-05-03T03:03:09.402829+02:00 debian10 fworch-ui:    insert_log_data_issue(
2022-05-03T03:03:09.402915+02:00 debian10 fworch-ui:      objects: {
2022-05-03T03:03:09.403033+02:00 debian10 fworch-ui:        source: "ui"
2022-05-03T03:03:09.403333+02:00 debian10 fworch-ui:        user_id: $user
2022-05-03T03:03:09.403443+02:00 debian10 fworch-ui:        severity: $severity
2022-05-03T03:03:09.403536+02:00 debian10 fworch-ui:        suspected_cause: $suspectedCause
2022-05-03T03:03:09.403624+02:00 debian10 fworch-ui:        description: $description
2022-05-03T03:03:09.403727+02:00 debian10 fworch-ui:      }
2022-05-03T03:03:09.403813+02:00 debian10 fworch-ui:    ) {
2022-05-03T03:03:09.403899+02:00 debian10 fworch-ui:      returning {
2022-05-03T03:03:09.403985+02:00 debian10 fworch-ui:         newId: data_issue_id
2022-05-03T03:03:09.404070+02:00 debian10 fworch-ui:      }
2022-05-03T03:03:09.404159+02:00 debian10 fworch-ui:    }
2022-05-03T03:03:09.404254+02:00 debian10 fworch-ui:  }
2022-05-03T03:03:09.404352+02:00 debian10 fworch-ui:  , variables: {"user":3,"severity":1,"suspectedCause":"JWT abgelaufen","description":"Sitzung abgelaufen - bitte erneut anmelden"}
2022-05-03T03:03:09.404440+02:00 debian10 fworch-ui:   ---
2022-05-03T03:03:09.404526+02:00 debian10 fworch-ui:  Exception thrown:
2022-05-03T03:03:09.404613+02:00 debian10 fworch-ui:   Exception
2022-05-03T03:03:09.404699+02:00 debian10 fworch-ui:  Message:
2022-05-03T03:03:09.404784+02:00 debian10 fworch-ui:   Could not verify JWT: JWTExpired
2022-05-03T03:03:09.404870+02:00 debian10 fworch-ui:   
2022-05-03T03:03:09.404960+02:00 debian10 fworch-ui:  Stack Trace:
2022-05-03T03:03:09.405047+02:00 debian10 fworch-ui:   at FWO.Api.Client.GraphQlApiConnection.SendQueryAsync[QueryResponseType](String query, Object variables, String operationName) in /usr/local/fworch/lib/files/FWO.Api.Client/GraphQlApiConnection.cs:line 92
2022-05-03T03:03:09.405134+02:00 debian10 fworch-ui:  2022-05-03T03:03:09+02:00 Error - Write Log (MainLayout.razor in line 204), Could not write log for user 3:
2022-05-03T03:03:09.405232+02:00 debian10 fworch-ui:   ---
2022-05-03T03:03:09.405319+02:00 debian10 fworch-ui:  Exception thrown:
2022-05-03T03:03:09.405405+02:00 debian10 fworch-ui:   Exception
2022-05-03T03:03:09.405490+02:00 debian10 fworch-ui:  Message:
2022-05-03T03:03:09.405575+02:00 debian10 fworch-ui:   Could not verify JWT: JWTExpired
2022-05-03T03:03:09.405661+02:00 debian10 fworch-ui:   
2022-05-03T03:03:09.405746+02:00 debian10 fworch-ui:  Stack Trace:
2022-05-03T03:03:09.405835+02:00 debian10 fworch-ui:   at FWO.Api.Client.GraphQlApiConnection.SendQueryAsync[QueryResponseType](String query, Object variables, String operationName) in /usr/local/fworch/lib/files/FWO.Api.Client/GraphQlApiConnection.cs:line 92
2022-05-03T03:03:09.405923+02:00 debian10 fworch-ui:     at FWO.Ui.Shared.MainLayout.AddUiLogEntry(Int32 severity, String cause, String description) in /usr/local/fworch/ui/files/FWO.UI/Shared/MainLayout.razor:line 196

tpurschke avatar Apr 28 '22 10:04 tpurschke
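An added illustration of the token handling the checklist above describes (this is not firewall-orchestrator code): it models the access/refresh token pair from the login response, enforces the "refresh lifetime must exceed access lifetime" rule, and decides per tick whether the UI can carry on, must refresh (using the same form fields as the curl call in the issue), or must send the user back to login. `fake_token_endpoint`, `tick`, `next_action` and the token values are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Added example (not project code): token pair as returned by the login / refresh endpoint.
@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_in: int          # access token lifetime in seconds ("expires_in": 300)
    refresh_expires_in: int  # refresh token lifetime in seconds ("refresh_expires_in": 1800)
    issued_at: float         # epoch seconds at which this pair was received

def check_lifetimes(access_lifetime: int, refresh_lifetime: int) -> None:
    # Config invariant from the checklist: the refresh token must outlive the access token,
    # otherwise an expired access token can never be refreshed and every session ends in re-login.
    if refresh_lifetime <= access_lifetime:
        raise ValueError(f"refresh lifetime {refresh_lifetime}s must exceed access lifetime {access_lifetime}s")

def next_action(tokens: TokenSet, now: float, margin: int = 30) -> str:
    # "ok": keep using the access token; "refresh": it expires within `margin` seconds (or already
    # did) while the refresh token is still valid; "relogin": the refresh token has expired as well.
    refresh_deadline = tokens.issued_at + tokens.refresh_expires_in
    access_deadline = tokens.issued_at + tokens.expires_in
    if now >= refresh_deadline:
        return "relogin"
    if now >= access_deadline - margin:
        return "refresh"
    return "ok"

def tick(tokens: TokenSet, now: float,
         post_refresh: Callable[[Dict[str, str]], Dict]) -> Tuple[str, TokenSet]:
    # One scheduler step: refresh proactively, before the API starts answering
    # "Could not verify JWT: JWTExpired". The form fields mirror the curl call in the issue.
    action = next_action(tokens, now)
    if action != "refresh":
        return action, tokens
    resp = post_refresh({"client_id": "admin-cli", "grant_type": "refresh_token",
                         "refresh_token": tokens.refresh_token})
    return action, TokenSet(resp["access_token"], resp["refresh_token"],
                            resp["expires_in"], resp["refresh_expires_in"], now)

def fake_token_endpoint(form: Dict[str, str]) -> Dict:
    # Constructed stand-in for the openid-connect/token endpoint: issues a fresh pair and
    # rotates the refresh token. The token strings are placeholders, not real JWTs.
    if form.get("grant_type") != "refresh_token" or not form.get("refresh_token"):
        raise ValueError("invalid refresh request")
    return {"access_token": "new-access", "refresh_token": "new-refresh",
            "expires_in": 300, "refresh_expires_in": 1800}
```

Note that in the log above even the addUiLog mutation that tries to record the expiry fails with JWTExpired, because it is sent with the same expired token; the refresh-or-relogin decision therefore has to happen before any API call, including the error-logging one.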

@abarz722 would the first part be a relatively small issue to implement and could you deal with this sometime?

tpurschke avatar May 03 '22 07:05 tpurschke

For now increasing JWT lifetime to a business day (12h). Dealing with auto refresh later.

tpurschke avatar May 23 '22 14:05 tpurschke