* core/authenticate: refactor identity authenticators to initiate redirect, use cookie for redirect url for cognito
* set secure and http only, update test
Update the AccessTracker, WebAuthn handlers, and identity manager
refresh loop to perform their session record updates using the
databroker Patch() method.
This should prevent any of these updates from conflicting.
Currently, if a temporary error occurs while attempting to refresh an
OAuth2 token, the identity manager won't schedule another attempt.
Instead, update the session refresh logic so that it will retry after
temporary errors. Extract the bulk of this logic into a separate method
that returns a boolean indicating whether to schedule another refresh.
Update the unit test to simulate a temporary error during OAuth2 token
refresh.
The databroker identity manager is responsible for refreshing session
records, to account for overall session expiration as well as OAuth2
access token expiration.
Refresh events are scheduled subject to a coolOffDuration (10 seconds,
by default) relative to a lastRefresh timestamp. Currently, any update
to a session record will reset the associated lastRefresh value and
reschedule any pending refresh event for that session. If an update
occurs close before a scheduled refresh event, this will push back the
scheduled refresh event to 10 seconds from that time.
This means that if a session is updated frequently enough (e.g. if there
is a steady stream of requests that cause constant updates via the
AccessTracker), the access token may expire before a refresh ever runs.
To avoid this problem, do not update the lastRefresh time upon every
session record update, but only if it hasn't yet been set. Instead,
update the lastRefresh during the refresh attempt itself.
Add unit tests to exercise these changes. There is a now() function as
part of the manager configuration (to allow unit tests to set a fake
time); update the Manager to use this function throughout.
The current session refresh loop attempts to refresh access tokens when
they are due to expire in less than one minute. However, the code to
perform the refresh relies on a TokenSource from the x/oauth2 package,
which has its own internal 'expiryDelta' threshold, with a default of
10 seconds. As a result, the first four or five attempts to refresh a
particular access token will not actually refresh the token. The refresh
will happen only when the access token is within 10 seconds of expiring.
Instead, before we obtain a new TokenSource, first clear any existing
access token. This causes the TokenSource to consider the token invalid,
triggering a refresh. This should give the refresh loop more control
over when refreshes happen.
Consolidate this logic in a new Refresh() method in the oidc package.
Add unit tests for this new method.
Allow users to clear the default IdP auth code options, by explicitly
setting an empty idp_request_params map.
To do this in a YAML config file, set:
idp_request_params: {}
* wip
* storage: add filtering to SyncLatest
* don't increment the record version, so intermediate changes are requested
* databroker: add support for query filtering
* fill server and record version
* postgres: databroker storage backend
* wip
* serialize puts
* add test
* skip tests for macos
* add test
* return error from protojson
* set data
* exclude postgres from cover tests
* databroker: add support for putting multiple records
* add OptimumPutRequestsFromRecords function
* replace GetAll with SyncLatest
* fix stream when there are no records
* identity: only assign `access_type` uri params to google.
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
* bump upgrading
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
