NotificationsYou must be signed in to change notification settings
Fork1k
Star11.1k

Commit0baaed6

committed

feat(oauth2): add configurable refresh token lifetime

Change-Id: I988093e8fc7328a09d2a0b2c5d476bad75e064c8Signed-off-by: Thomas Kosiewski <tk@coder.com>

1 parente53bc24 commit0baaed6Copy full SHA for 0baaed6

File tree

15 files changed

+219

-17

lines changed

cli
coderd
- apidoc
  - docs.go
  - swagger.json
- oauth2_test.go
- oauth2provider
  - tokens.go
codersdk
- deployment.go
- deployment_test.go
docs/reference
- api
  - general.md
  - schemas.md
- cli
  - server.md
enterprise/cli/testdata
- coder_server_--help.golden
site/src/api
- typesGenerated.ts

15 files changed

+219

-17

lines changed

`‎cli/server.go‎`

Lines changed: 5 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -350,6 +350,11 @@ func (r RootCmd) Server(newAPI func(context.Context, coderd.Options) (*coderd.`
`350`	`350`	`returnxerrors.Errorf("access-url must include a scheme (e.g. 'http://' or 'https://)")`
`351`	`351`	`}`
`352`	`352`
	`353`	`+// Cross-field configuration validation after initial parsing.`
	`354`	`+iferr:=vals.Validate();err!=nil {`
	`355`	`+returnerr`
	`356`	`+}`
	`357`	`+`
`353`	`358`	// Disable rate limits if the `--dangerous-disable-rate-limits` flag
`354`	`359`	`// was specified.`
`355`	`360`	`loginRateLimit:=60`

`‎cli/testdata/coder_server_--help.golden‎`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,10 @@ OPTIONS:`
`25`	`25`	`systemd. This directory is NOT safe to be configured as a shared`
`26`	`26`	`directory across coderd/provisionerd replicas.`
`27`	`27`
	`28`	`+ --default-oauth-refresh-lifetime duration, $CODER_DEFAULT_OAUTH_REFRESH_LIFETIME (default: 720h0m0s)`
	`29`	`+ The default lifetime duration for OAuth2 refresh tokens. This controls`
	`30`	`+ how long refresh tokens remain valid after issuance or rotation.`
	`31`	`+`
`28`	`32`	`--default-token-lifetime duration, $CODER_DEFAULT_TOKEN_LIFETIME (default: 168h0m0s)`
`29`	`33`	`The default lifetime duration for API tokens. This value is used when`
`30`	`34`	`creating a token without specifying a duration, such as when`

`‎cli/testdata/server-config.yaml.golden‎`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -454,6 +454,10 @@ updateCheck: false`
`454`	`454`	`# IDE plugin.`
`455`	`455`	`# (default: 168h0m0s, type: duration)`
`456`	`456`	`defaultTokenLifetime: 168h0m0s`
	`457`	`+# The default lifetime duration for OAuth2 refresh tokens. This controls how long`
	`458`	`+# refresh tokens remain valid after issuance or rotation.`
	`459`	`+# (default: 720h0m0s, type: duration)`
	`460`	`+defaultOAuthRefreshLifetime: 720h0m0s`
`457`	`461`	`# Expose the swagger endpoint via /swagger.`
`458`	`462`	`# (default: <unset>, type: bool)`
`459`	`463`	`enableSwagger: false`

`‎cli/vpndaemon_darwin.go‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@ import (`
`10`	`10`	`"github.com/coder/serpent"`
`11`	`11`	`)`
`12`	`12`
`13`		`-func (rRootCmd)vpnDaemonRun()serpent.Command {`
	`13`	`+func (RootCmd)vpnDaemonRun()serpent.Command {`
`14`	`14`	`var (`
`15`	`15`	`rpcReadFDint64`
`16`	`16`	`rpcWriteFDint64`

`‎coderd/apidoc/docs.go‎`

Lines changed: 4 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/apidoc/swagger.json‎`

Lines changed: 4 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/oauth2_test.go‎`

Lines changed: 67 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -20,13 +20,15 @@ import (`
`20`	`20`	`"github.com/coder/coder/v2/coderd/coderdtest"`
`21`	`21`	`"github.com/coder/coder/v2/coderd/coderdtest/oidctest"`
`22`	`22`	`"github.com/coder/coder/v2/coderd/database"`
	`23`	`+"github.com/coder/coder/v2/coderd/database/dbauthz"`
`23`	`24`	`"github.com/coder/coder/v2/coderd/database/dbtestutil"`
`24`	`25`	`"github.com/coder/coder/v2/coderd/database/dbtime"`
`25`	`26`	`"github.com/coder/coder/v2/coderd/oauth2provider"`
`26`	`27`	`"github.com/coder/coder/v2/coderd/userpassword"`
`27`	`28`	`"github.com/coder/coder/v2/coderd/util/ptr"`
`28`	`29`	`"github.com/coder/coder/v2/codersdk"`
`29`	`30`	`"github.com/coder/coder/v2/testutil"`
	`31`	`+"github.com/coder/serpent"`
`30`	`32`	`)`
`31`	`33`
`32`	`34`	`funcTestOAuth2ProviderApps(t*testing.T) {`
`@@ -1184,6 +1186,71 @@ func TestOAuth2ProviderCrossResourceAudienceValidation(t *testing.T) {`
`1184`	`1186`	`// For now, this verifies the basic token flow works correctly`
`1185`	`1187`	`}`
`1186`	`1188`
	`1189`	`+// TestOAuth2RefreshExpiryOutlivesAccess verifies that refresh token expiry is`
	`1190`	`+// greater than the provisioned access token (API key) expiry per configuration.`
	`1191`	`+funcTestOAuth2RefreshExpiryOutlivesAccess(t*testing.T) {`
	`1192`	`+t.Parallel()`
	`1193`	`+`
	`1194`	`+// Set explicit lifetimes to make comparison deterministic.`
	`1195`	`+db,pubsub:=dbtestutil.NewDB(t)`
	`1196`	`+dv:=coderdtest.DeploymentValues(t,func(d*codersdk.DeploymentValues) {`
	`1197`	`+d.Sessions.DefaultDuration=serpent.Duration(1*time.Hour)`
	`1198`	`+d.Sessions.RefreshDefaultDuration=serpent.Duration(48*time.Hour)`
	`1199`	`+})`
	`1200`	`+ownerClient:=coderdtest.New(t,&coderdtest.Options{`
	`1201`	`+Database:db,`
	`1202`	`+Pubsub:pubsub,`
	`1203`	`+DeploymentValues:dv,`
	`1204`	`+})`
	`1205`	`+_=coderdtest.CreateFirstUser(t,ownerClient)`
	`1206`	`+ctx:=testutil.Context(t,testutil.WaitLong)`
	`1207`	`+`
	`1208`	`+// Create app and secret`
	`1209`	`+// Keep suffix short to satisfy name validation (<=32 chars, alnum + hyphens).`
	`1210`	`+apps:=generateApps(ctx,t,ownerClient,"ref-exp")`
	`1211`	`+//nolint:gocritic // Owner permission required for app secret creation`
	`1212`	`+secret,err:=ownerClient.PostOAuth2ProviderAppSecret(ctx,apps.Default.ID)`
	`1213`	`+require.NoError(t,err)`
	`1214`	`+`
	`1215`	`+cfg:=&oauth2.Config{`
	`1216`	`+ClientID:apps.Default.ID.String(),`
	`1217`	`+ClientSecret:secret.ClientSecretFull,`
	`1218`	`+Endpoint: oauth2.Endpoint{`
	`1219`	`+AuthURL:apps.Default.Endpoints.Authorization,`
	`1220`	`+DeviceAuthURL:apps.Default.Endpoints.DeviceAuth,`
	`1221`	`+TokenURL:apps.Default.Endpoints.Token,`
	`1222`	`+AuthStyle:oauth2.AuthStyleInParams,`
	`1223`	`+},`
	`1224`	`+RedirectURL:apps.Default.CallbackURL,`
	`1225`	`+Scopes: []string{},`
	`1226`	`+}`
	`1227`	`+`
	`1228`	`+// Authorization and token exchange`
	`1229`	`+code,err:=authorizationFlow(ctx,ownerClient,cfg)`
	`1230`	`+require.NoError(t,err)`
	`1231`	`+tok,err:=cfg.Exchange(ctx,code)`
	`1232`	`+require.NoError(t,err)`
	`1233`	`+require.NotEmpty(t,tok.AccessToken)`
	`1234`	`+require.NotEmpty(t,tok.RefreshToken)`
	`1235`	`+`
	`1236`	`+// Parse refresh token prefix (coder_<prefix>_<secret>)`
	`1237`	`+parts:=strings.Split(tok.RefreshToken,"_")`
	`1238`	`+require.Len(t,parts,3)`
	`1239`	`+prefix:=parts[1]`
	`1240`	`+`
	`1241`	`+// Look up refresh token row and associated API key`
	`1242`	`+dbToken,err:=db.GetOAuth2ProviderAppTokenByPrefix(dbauthz.AsSystemRestricted(ctx), []byte(prefix))`
	`1243`	`+require.NoError(t,err)`
	`1244`	`+apiKey,err:=db.GetAPIKeyByID(dbauthz.AsSystemRestricted(ctx),dbToken.APIKeyID)`
	`1245`	`+require.NoError(t,err)`
	`1246`	`+`
	`1247`	`+// Assert refresh token expiry is strictly after access token expiry`
	`1248`	`+require.Truef(t,dbToken.ExpiresAt.After(apiKey.ExpiresAt),`
	`1249`	`+"expected refresh expiry %s to be after access expiry %s",`
	`1250`	`+dbToken.ExpiresAt,apiKey.ExpiresAt,`
	`1251`	`+)`
	`1252`	`+}`
	`1253`	`+`
`1187`	`1254`	`// customTokenExchange performs a custom OAuth2 token exchange with support for resource parameter`
`1188`	`1255`	`// This is needed because golang.org/x/oauth2 doesn't support custom parameters in token requests`
`1189`	`1256`	`funccustomTokenExchange(ctx context.Context,baseURL,clientID,clientSecret,code,redirectURI,resourcestring) (*oauth2.Token,error) {`

`‎coderd/oauth2provider/tokens.go‎`

Lines changed: 20 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -92,9 +92,8 @@ func extractTokenParams(r http.Request, callbackURL url.URL) (tokenParams, []c`
`92`	`92`	`}`
`93`	`93`
`94`	`94`	`// Tokens`
`95`		`-// TODO: the sessions lifetime config passed is for coder api tokens.`
`96`		`-// Should there be a separate config for oauth2 tokens? They are related,`
`97`		`-// but they are not the same.`
	`95`	`+// Uses Sessions.DefaultDuration for access token (API key) TTL and`
	`96`	`+// Sessions.RefreshDefaultDuration for refresh token TTL.`
`98`	`97`	`funcTokens(db database.Store,lifetimes codersdk.SessionLifetime) http.HandlerFunc {`
`99`	`98`	`returnfunc(rw http.ResponseWriter,r*http.Request) {`
`100`	`99`	`ctx:=r.Context()`
`@@ -280,6 +279,14 @@ func authorizationCodeGrant(ctx context.Context, db database.Store, app database`
`280`	`279`	`}`
`281`	`280`
`282`	`281`	`// Do the actual token exchange in the database.`
	`282`	`+// Determine refresh token expiry independently from the access token.`
	`283`	`+refreshLifetime:=lifetimes.RefreshDefaultDuration.Value()`
	`284`	`+ifrefreshLifetime==0 {`
	`285`	`+// Fallback to session default duration if not configured.`
	`286`	`+refreshLifetime=lifetimes.DefaultDuration.Value()`
	`287`	`+}`
	`288`	`+refreshExpiresAt:=dbtime.Now().Add(refreshLifetime)`
	`289`	`+`
`283`	`290`	`err=db.InTx(func(tx database.Store)error {`
`284`	`291`	`ctx:=dbauthz.As(ctx,actor)`
`285`	`292`	`err=tx.DeleteOAuth2ProviderAppCodeByID(ctx,dbCode.ID)`
`@@ -307,7 +314,7 @@ func authorizationCodeGrant(ctx context.Context, db database.Store, app database`
`307`	`314`	`_,err=tx.InsertOAuth2ProviderAppToken(ctx, database.InsertOAuth2ProviderAppTokenParams{`
`308`	`315`	`ID:uuid.New(),`
`309`	`316`	`CreatedAt:dbtime.Now(),`
`310`		`-ExpiresAt:key.ExpiresAt,`
	`317`	`+ExpiresAt:refreshExpiresAt,`
`311`	`318`	`HashPrefix: []byte(refreshToken.Prefix),`
`312`	`319`	`RefreshHash: []byte(refreshToken.Hashed),`
`313`	`320`	`AppSecretID:dbSecret.ID,`
`@@ -401,6 +408,14 @@ func refreshTokenGrant(ctx context.Context, db database.Store, app database.OAut`
`401`	`408`	`}`
`402`	`409`
`403`	`410`	`// Replace the token.`
	`411`	`+// Determine refresh token expiry independently from the access token.`
	`412`	`+refreshLifetime:=lifetimes.RefreshDefaultDuration.Value()`
	`413`	`+ifrefreshLifetime==0 {`
	`414`	`+// Fallback to session default duration if not configured.`
	`415`	`+refreshLifetime=lifetimes.DefaultDuration.Value()`
	`416`	`+}`
	`417`	`+refreshExpiresAt:=dbtime.Now().Add(refreshLifetime)`
	`418`	`+`
`404`	`419`	`err=db.InTx(func(tx database.Store)error {`
`405`	`420`	`ctx:=dbauthz.As(ctx,actor)`
`406`	`421`	`err=tx.DeleteAPIKeyByID(ctx,prevKey.ID)// This cascades to the token.`
`@@ -416,7 +431,7 @@ func refreshTokenGrant(ctx context.Context, db database.Store, app database.OAut`
`416`	`431`	`_,err=tx.InsertOAuth2ProviderAppToken(ctx, database.InsertOAuth2ProviderAppTokenParams{`
`417`	`432`	`ID:uuid.New(),`
`418`	`433`	`CreatedAt:dbtime.Now(),`
`419`		`-ExpiresAt:key.ExpiresAt,`
	`434`	`+ExpiresAt:refreshExpiresAt,`
`420`	`435`	`HashPrefix: []byte(refreshToken.Prefix),`
`421`	`436`	`RefreshHash: []byte(refreshToken.Hashed),`
`422`	`437`	`AppSecretID:dbToken.AppSecretID,`

`‎codersdk/deployment.go‎`

Lines changed: 36 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -566,6 +566,11 @@ type SessionLifetime struct {`
`566`	`566`	`// DefaultDuration is only for browser, workspace app and oauth sessions.`
`567`	`567`	DefaultDuration serpent.Duration`json:"default_duration" typescript:",notnull"`
`568`	`568`
	`569`	`+// RefreshDefaultDuration is the default lifetime for OAuth2 refresh tokens.`
	`570`	`+// This should generally be longer than access token lifetimes to allow`
	`571`	`+// refreshing after access token expiry.`
	`572`	+RefreshDefaultDuration serpent.Duration`json:"refresh_default_duration,omitempty" typescript:",notnull"`
	`573`	`+`
`569`	`574`	DefaultTokenDuration serpent.Duration`json:"default_token_lifetime,omitempty" typescript:",notnull"`
`570`	`575`
`571`	`576`	MaximumTokenDuration serpent.Duration`json:"max_token_lifetime,omitempty" typescript:",notnull"`
`@@ -2464,6 +2469,16 @@ func (c *DeploymentValues) Options() serpent.OptionSet {`
`2464`	`2469`	`YAML:"defaultTokenLifetime",`
`2465`	`2470`	`Annotations: serpent.Annotations{}.Mark(annotationFormatDuration,"true"),`
`2466`	`2471`	`},`
	`2472`	`+{`
	`2473`	`+Name:"Default OAuth Refresh Lifetime",`
	`2474`	`+Description:"The default lifetime duration for OAuth2 refresh tokens. This controls how long refresh tokens remain valid after issuance or rotation.",`
	`2475`	`+Flag:"default-oauth-refresh-lifetime",`
	`2476`	`+Env:"CODER_DEFAULT_OAUTH_REFRESH_LIFETIME",`
	`2477`	`+Default: (3024time.Hour).String(),`
	`2478`	`+Value:&c.Sessions.RefreshDefaultDuration,`
	`2479`	`+YAML:"defaultOAuthRefreshLifetime",`
	`2480`	`+Annotations: serpent.Annotations{}.Mark(annotationFormatDuration,"true"),`
	`2481`	`+},`
`2467`	`2482`	`{`
`2468`	`2483`	`Name:"Enable swagger endpoint",`
`2469`	`2484`	`Description:"Expose the swagger endpoint via /swagger.",`
`@@ -3223,6 +3238,27 @@ type LinkConfig struct {`
`3223`	`3238`	Iconstring`json:"icon" yaml:"icon" enums:"bug,chat,docs"`
`3224`	`3239`	`}`
`3225`	`3240`
	`3241`	`+// Validate checks cross-field constraints for deployment values.`
	`3242`	`+// It should be called after all values are loaded from flags/env/YAML.`
	`3243`	`+func (c*DeploymentValues)Validate()error {`
	`3244`	`+// For OAuth2, access tokens (API keys) issued via the authorization code/refresh flows`
	`3245`	`+// use Sessions.DefaultDuration as their lifetime, while refresh tokens use`
	`3246`	`+// Sessions.RefreshDefaultDuration (falling back to DefaultDuration when set to 0).`
	`3247`	`+// Enforce that refresh token lifetime is strictly greater than the access token lifetime.`
	`3248`	`+access:=c.Sessions.DefaultDuration.Value()`
	`3249`	`+refresh:=c.Sessions.RefreshDefaultDuration.Value()`
	`3250`	`+`
	`3251`	`+// Treat zero as configured to fallback to access duration, which should be rejected`
	`3252`	`+// because it would defeat the purpose of refresh tokens.`
	`3253`	`+ifrefresh==0\|\|refresh<=access {`
	`3254`	`+returnxerrors.Errorf(`
	`3255`	`+"default OAuth refresh lifetime (%s) must be strictly greater than session duration (%s); set --default-oauth-refresh-lifetime to a value greater than --session-duration",`
	`3256`	`+refresh,access,`
	`3257`	`+)`
	`3258`	`+}`
	`3259`	`+returnnil`
	`3260`	`+}`
	`3261`	`+`
`3226`	`3262`	`// DeploymentOptionsWithoutSecrets returns a copy of the OptionSet with secret values omitted.`
`3227`	`3263`	`funcDeploymentOptionsWithoutSecrets(set serpent.OptionSet) serpent.OptionSet {`
`3228`	`3264`	`cpy:=make(serpent.OptionSet,0,len(set))`

`‎codersdk/deployment_test.go‎`

Lines changed: 42 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -292,6 +292,48 @@ func must[T any](value T, err error) T {`
`292`	`292`	`returnvalue`
`293`	`293`	`}`
`294`	`294`
	`295`	`+funcTestDeploymentValues_Validate_RefreshLifetime(t*testing.T) {`
	`296`	`+t.Parallel()`
	`297`	`+`
	`298`	`+mk:=func(access,refresh time.Duration)*codersdk.DeploymentValues {`
	`299`	`+dv:=&codersdk.DeploymentValues{}`
	`300`	`+dv.Sessions.DefaultDuration=serpent.Duration(access)`
	`301`	`+dv.Sessions.RefreshDefaultDuration=serpent.Duration(refresh)`
	`302`	`+returndv`
	`303`	`+}`
	`304`	`+`
	`305`	`+t.Run("EqualDurations_Error",func(t*testing.T) {`
	`306`	`+t.Parallel()`
	`307`	`+dv:=mk(1time.Hour,1time.Hour)`
	`308`	`+err:=dv.Validate()`
	`309`	`+require.Error(t,err)`
	`310`	`+require.ErrorContains(t,err,"must be strictly greater")`
	`311`	`+})`
	`312`	`+`
	`313`	`+t.Run("RefreshShorter_Error",func(t*testing.T) {`
	`314`	`+t.Parallel()`
	`315`	`+dv:=mk(2time.Hour,1time.Hour)`
	`316`	`+err:=dv.Validate()`
	`317`	`+require.Error(t,err)`
	`318`	`+require.ErrorContains(t,err,"must be strictly greater")`
	`319`	`+})`
	`320`	`+`
	`321`	`+t.Run("RefreshZero_Error",func(t*testing.T) {`
	`322`	`+t.Parallel()`
	`323`	`+dv:=mk(1*time.Hour,0)`
	`324`	`+err:=dv.Validate()`
	`325`	`+require.Error(t,err)`
	`326`	`+require.ErrorContains(t,err,"must be strictly greater")`
	`327`	`+})`
	`328`	`+`
	`329`	`+t.Run("RefreshLonger_OK",func(t*testing.T) {`
	`330`	`+t.Parallel()`
	`331`	`+dv:=mk(1time.Hour,48time.Hour)`
	`332`	`+err:=dv.Validate()`
	`333`	`+require.NoError(t,err)`
	`334`	`+})`
	`335`	`+}`
	`336`	`+`
`295`	`337`	`funcTestDeploymentValues_DurationFormatNanoseconds(t*testing.T) {`
`296`	`338`	`t.Parallel()`
`297`	`339`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit0baaed6

File tree

15 files changed

15 files changed

`‎cli/server.go‎`

`‎cli/testdata/coder_server_--help.golden‎`

`‎cli/testdata/server-config.yaml.golden‎`

`‎cli/vpndaemon_darwin.go‎`

`‎coderd/apidoc/docs.go‎`

`‎coderd/apidoc/swagger.json‎`

`‎coderd/oauth2_test.go‎`

`‎coderd/oauth2provider/tokens.go‎`

`‎codersdk/deployment.go‎`

`‎codersdk/deployment_test.go‎`

0 commit comments