Token exchange to get refresh token #123

Merged 13 commits on Jul 18, 2024

enolfc (Contributor) commented Jul 15, 2024

Summary

Performs a token exchange request to get a refresh token whenever this is not yet available for the user.


Related issue :

enolfc marked this pull request as ready for review July 15, 2024 11:47

andrea-manzi (Contributor) commented Jul 16, 2024

@valtri would be good to test it against EOSC LOT1 AAI before merging

valtri (Contributor) commented Jul 17, 2024

I'm not sure how to test the token exchange. This is the log when using the JupyterHub API through JWT: (it looks like the token exchange is not performed right away?)

[D 2024-07-17 05:17:25.694 JupyterHub egiauthenticator:207] Refresh token was empty, will try to pull refresh_token from previous auth_state
[D 2024-07-17 05:17:25.696 JupyterHub oauth2:789] Encrypted_auth_state was found, will try to decrypt and pull refresh_token from it...
[I 2024-07-17 05:17:25.697 JupyterHub egiauthenticator:248] Primary group: urn:geant:eosc-federation.eu:testing:group:eosc#testing.eosc-federation.eu
[D 2024-07-17 05:17:25.698 JupyterHub roles:281] Assigning default role to User e37e2773-c993-4cee-aa7e-1944089d9716@eosc-federation.eu
[D 2024-07-17 05:17:25.703 JupyterHub base:587] Setting cookie jupyterhub-session-id: {'httponly': True, 'path': '/'}
[D 2024-07-17 05:17:25.703 JupyterHub base:591] Setting cookie for e37e2773-c993-4cee-aa7e-1944089d9716@eosc-federation.eu: jupyterhub-hub-login
[D 2024-07-17 05:17:25.703 JupyterHub base:587] Setting cookie jupyterhub-hub-login: {'httponly': True, 'path': '/hub/'}
[I 2024-07-17 05:17:25.703 JupyterHub base:837] User logged in: e37e2773-c993-4cee-aa7e-1944089d9716@eosc-federation.eu
[I 2024-07-17 05:17:25.709 JupyterHub log:191] 200 GET /hub/jwt_login (@10.244.165.69) 250.12ms
[D 2024-07-17 05:17:25.723 JupyterHub base:299] Recording first activity for <APIToken('4efe...', user='e37e2773-c993-4cee-aa7e-1944089d9716@eosc-federation.eu', client_id='jupyterhub')>
[I 2024-07-17 05:17:25.726 JupyterHub log:191] 200 GET /hub/api/user (e37e2773-c993-4cee-aa7e-1944089d9716@eosc-federation.eu@78.128.247.56) 4.49ms

But everything seems to be working OK.

Token is refreshed when it is connected interactively to the server launched using JWT:

[D 2024-07-17 05:27:07.877 JupyterHub base:344] Refreshing auth for e37e2773-c993-4cee-aa7e-1944089d9716@eosc-federation.eu
[D 2024-07-17 05:27:07.879 JupyterHub base:344] Refreshing auth for e37e2773-c993-4cee-aa7e-1944089d9716@eosc-federation.eu
[D 2024-07-17 05:27:07.879 JupyterHub egiauthenticator:283] Perform refresh call to Check-in
[D 2024-07-17 05:27:07.880 JupyterHub egiauthenticator:283] Perform refresh call to Check-in
[D 2024-07-17 05:27:07.884 JupyterHub base:344] Refreshing auth for e37e2773-c993-4cee-aa7e-1944089d9716@eosc-federation.eu
[D 2024-07-17 05:27:07.884 JupyterHub egiauthenticator:283] Perform refresh call to Check-in
[D 2024-07-17 05:27:08.114 JupyterHub egiauthenticator:319] Refreshed token for user!
[D 2024-07-17 05:27:08.142 JupyterHub roles:281] Assigning default role to User e37e2773-c993-4cee-aa7e-1944089d9716@eosc-federation.eu

enolfc (Contributor, Author) commented Jul 17, 2024


If the user has logged in previously via the UI, the refresh token will already be there, so the code will not be called. We would need a user without the refresh token for this to work.

valtri (Contributor) commented Jul 17, 2024

OK, I've tried something ugly like:

echo "UPDATE users SET state=NULL, encrypted_auth_state=NULL WHERE name='$username'" | sudo -u install -- sqlite3 /exports/fullhub-hub-db-dir-pvc-*/jupyterhub.sqlite

And the result:

[D 2024-07-17 08:00:35.948 JupyterHub egiauthenticator:207] Refresh token was empty, will try to pull refresh_token from previous auth_state
[I 2024-07-17 08:00:35.953 JupyterHub egiauthenticator:248] Primary group: urn:geant:eosc-federation.eu:testing:group:eosc#testing.eosc-federation.eu
[D 2024-07-17 08:00:35.955 JupyterHub roles:281] Assigning default role to User e37e2773-c993-4cee-aa7e-1944089d9716@eosc-federation.eu
[D 2024-07-17 08:00:36.065 JupyterHub base:587] Setting cookie jupyterhub-session-id: {'httponly': True, 'path': '/'}
[D 2024-07-17 08:00:36.065 JupyterHub base:591] Setting cookie for e37e2773-c993-4cee-aa7e-1944089d9716@eosc-federation.eu: jupyterhub-hub-login
[D 2024-07-17 08:00:36.065 JupyterHub base:587] Setting cookie jupyterhub-hub-login: {'httponly': True, 'path': '/hub/'}
[I 2024-07-17 08:00:36.066 JupyterHub base:837] User logged in: e37e2773-c993-4cee-aa7e-1944089d9716@eosc-federation.eu
[D 2024-07-17 08:00:36.066 JupyterHub egiauthenticator:78] Refresh token is not available
[D 2024-07-17 08:00:36.066 JupyterHub egiauthenticator:22] Exchanging access token for refresh
[W 2024-07-17 08:00:36.251 JupyterHub egiauthenticator:50] Unable to get refresh token: HTTP 400: Bad Request
[I 2024-07-17 08:00:36.260 JupyterHub log:191] 200 GET /hub/jwt_login (@10.244.165.69) 554.05ms
[D 2024-07-17 08:00:36.279 JupyterHub base:299] Recording first activity for <APIToken('857f...', user='e37e2773-c993-4cee-aa7e-1944089d9716@eosc-federation.eu', client_id='jupyterhub')>

enolfc (Contributor, Author) commented Jul 17, 2024

Ok, let's add some debugging
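
As an added illustration (not the code merged in this PR): a standard RFC 8693 token-exchange request asking for a refresh token, with response handling that surfaces the provider's `error` and `error_description` so an `HTTP 400: Bad Request` like the one in the log above can be diagnosed without writing token values to the log. The function names, the `offline_access` scope and HTTP Basic client authentication are assumptions.

```python
import base64
import json
from urllib.parse import urlencode

# Standard RFC 8693 identifiers (not copied from this PR's diff).
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
REFRESH_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:refresh_token"


def build_exchange_request(access_token, client_id, client_secret,
                           scope="openid offline_access"):
    """Return (headers, body) for a POST to the provider's token endpoint."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "grant_type": GRANT_TYPE,
        "subject_token": access_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "requested_token_type": REFRESH_TOKEN_TYPE,
        "scope": scope,  # assumed scope; the provider decides what is allowed
    })
    return headers, body


def parse_exchange_response(status, text):
    """Return (refresh_token_or_None, log_message); the message never holds a token."""
    try:
        data = json.loads(text)
    except ValueError:
        data = None
    if not isinstance(data, dict):
        return None, f"Unable to get refresh token: HTTP {status}: non-JSON body"
    if status != 200:
        # RFC 6749 section 5.2: the error body says why the request was refused.
        detail = f"{data.get('error', 'unknown_error')}: {data.get('error_description', '')}"
        return None, f"Unable to get refresh token: HTTP {status}: {detail.strip(': ')}"
    token = data.get("refresh_token")
    if not token and data.get("issued_token_type") == REFRESH_TOKEN_TYPE:
        token = data.get("access_token")  # RFC 8693 carries the issued token here
    if not token:
        return None, "Token exchange succeeded but returned no refresh token"
    return token, "Got refresh token from exchange"
```
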

valtri (Contributor) left a comment

Everything seems all right and working.

  1. initial JWT use (after deleting JupyterHub user)
[D 2024-07-18 11:07:52.196 JupyterHub egiauthenticator:112] Refresh token is not available
[D 2024-07-18 11:07:52.196 JupyterHub egiauthenticator:24] Exchanging access token for refresh
[D 2024-07-18 11:07:52.450 JupyterHub egiauthenticator:115] Got refresh token from exchange
...
  2. second JWT use
[D 2024-07-18 11:08:14.275 JupyterHub egiauthenticator:74] Reusing previously available API token for this JWT
[I 2024-07-18 11:08:14.275 JupyterHub log:191] 200 GET /hub/jwt_login (@10.244.165.69) 3.77ms
[I 2024-07-18 11:08:14.289 JupyterHub log:191] 200 GET /hub/api/user (e37e2773-c993-4cee-aa7e-1944089d9716@eosc-federation.eu@78.128.247.56) 1.89ms
  3. usage after all internal tokens cleaned up

  4. GUI sign-in

@enolfc enolfc merged commit 323c75e into EGI-Federation:main Jul 18, 2024
3 checks passed
@enolfc enolfc deleted the exchange branch July 18, 2024 12:05