linode
feat: [LILO-418] - Modify Cloud Manager to use PKCE instead of implic…
Description 📝
This change in Cloud Manager is an implication of an enhancement we are introducing, PKCE, which is an OAuth authentication enhancement described in the RFC OAuth 2.1 Authorization Framework: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-01.
The existing OAuth flow (used by customers) between Login and Cloud Manager uses the OAuth 2.0 implicit flow, which is considered less secure since it exposes access tokens in the redirection URL generated by the authorization server (Login).
In the new PKCE (Proof Key for Code Exchange) flow, the access token is sent inside the response body. There is also an additional layer of security with the code verifier - code challenge contract, which ensures the initial exchange code requestor possessing the code challenge is the same one which requests the access token and has the code verifier. The code challenge is a hash of a random code verifier string generated by the OAuth client.
Current one-step implicit flow:
- Receiving access token from the redirection URL from Login
Is replaced with a two-step process using the S256 PKCE method:
- Request for exchange code using the redirection URL from Login
- Generate code verifier and code challenge
- Request for exchange code using the S256 code challenge method
- Request for access token using a POST request to Login
- Request for access token using the code verifier
Changes 🔄
session.ts
- add code verifier and code challenge generation
- store code verifier in local storage
- change URL params from request for access token to request for exchange code
- store nonce in local storage
pkce.ts
- add code verifier and code challenge generation
OAuth.tsx
- replace obtaining access token with obtaining exchange code from redirect URL
- read exchange code from redirect URL
- read code verifier and nonce from local storage
- add POST request to obtain access code basing on exchange code and code verifier
- add cleaning local storage and redirect to Login in case of errors
- add CircleProgress spinner for the event for the time when making POST request for access token
Added unit tests
Target release date 🗓️
Target release date needs to be aligned with Login team, so Cloud Manager will be released AFTER Login component release date.
How to test 🧪
Verify the login process into Cloud Manager works as previously in various scenarios.
As an Author I have considered 🤔
Check all that apply
- [ ] 👀 Doing a self review
- [ ] ❔ Our contribution guidelines
- [ ] 🤏 Splitting feature into small PRs
- [ ] ➕ Adding a changeset
- [ ] 🧪 Providing/Improving test coverage
- [ ] 🔐 Removing all sensitive information from the code and PR description
- [ ] 🚩 Using a feature flag to protect the release
- [ ] 👣 Providing comprehensive reproduction steps
- [ ] 📑 Providing or updating our documentation
- [ ] 🕛 Scheduling a pair reviewing session
- [ ] 📱 Providing mobile support
- [ ] ♿ Providing accessibility support
Commit message and pull request title format standards
Note: Remove this section before opening the pull request Make sure your PR title and commit message on squash and merge are as shown below
<commit type>: [JIRA-ticket-number] - <description>
Commit Types:
-
feat: New feature for the user (not a part of the code, or ci, ...). -
fix: Bugfix for the user (not a fix to build something, ...). -
change: Modifying an existing visual UI instance. Such as a component or a feature. -
refactor: Restructuring existing code without changing its external behavior or visual UI. Typically to improve readability, maintainability, and performance. -
test: New tests or changes to existing tests. Does not change the production code. -
upcoming: A new feature that is in progress, not visible to users yet, and usually behind a feature flag.
Example: feat: [M3-1234] - Allow user to view their login history
