Fix caching and checking of introspect responses
- Ensure introspect is cached even if 'active=False'
- Don't check claims pointlessly: exp and nbf can fail if your clock is drifted, so it's not safe to be checking them unless users can configure a leeway. Also, 'active' tells you everything you need in OAuth2.
- Capture scope validation failures with an exception, not None.
- Cache by token hash, not full token string.
Showing 3 changed files with 90 additions and 42 deletions.
19 changes: 19 additions & 0 deletions
changelog.d/20241008_171503_sirosen_fix_introspect_check.rst
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
Features | ||
-------- | ||
|
||
- The token introspect checking and caching performed in ``AuthState`` has | ||
been improved. | ||
|
||
- The cache is keyed off of token hashes, rather than raw token strings. | ||
|
||
- The ``exp`` and ``nbf`` values are no longer verified, removing the | ||
possibility of incorrect treatment of valid tokens as invalid due to clock | ||
drift. | ||
|
||
- Introspect response caching caches the raw response even for invalid | ||
tokens, meaning that Action Providers will no longer repeatedly introspect | ||
a token once it is known to be invalid. | ||
|
||
- Scope validation raises a new, dedicated error class, | ||
``globus_action_provider_tools.authentication.InvalidTokenScopesError``, on | ||
failure. |
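Review bot: The bullet "Introspect response caching caches the raw response even for invalid tokens" should state how long a cached inactive response is retained, because once exp and nbf are no longer verified (bullet above) the cached introspect result is the only thing deciding validity, and a token that was inactive at first introspection (or active and then revoked) keeps its cached answer until the entry ages out. Suggest adding a sentence along the lines of "Cached responses, including inactive ones, are retained for <cache TTL> before the token is re-introspected", with the actual lifetime taken from the cache configuration, so operators can judge the revocation-to-rejection window. Minor: the section heading is "Features" while the commit title says "Fix"; if the changelog has a bugfix category, the clock-drift and active=False entries belong there.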