ok

Ok so I will leave it as it is. accessAndRefreshTokens suits me better with allowing null on the refreshToken parameter. It just simplifies usage in the authenticator and I don't want to repackage Optionals just to use this method here.

Will it be Nullable ?

Obviously not. I will remove it and make it so the caller of this factory method needs to make sure that there is an actual refreshToken to be passed. My mistake, thanks for noticing.

Ok I take it back, based on the 11xor6 comments it actually makes sense to have it Nullable and allow such TokenPair to exists, even with refresh_tokens enabled.

revert

my bad, a leftover from the testing

TestingClock

advanceBy()

There is no guarantee that we have a nonce hence why the parameter is Optional. There are existing code paths which do not provide the OAuth flow with a nonce, by requiring it here those code paths can only result in an error.

So this is a small refactoring of the existing code (required to share code for the refresh token, that doesn't have a nonce). All the paths that are not requiring nonce cookies are already going through some other paths (or are not working). I think that some time ago we've decided to have this initialization url, that sets up the nonce cookie etc. so it should be covered everywhere.

If this function can never be called without a nonce, then please change the signature. However I'm pretty sure not all paths generate a nonce.

Right so it's always required for OIDC flows, but never present in Oauth2.0 flows. Still, since the flow is an interface, we have this Optional in a parameter list. Maybe it could be refactored , but I think it would take much time to hide this one parameter and I wouldn't like to do it in this pr, as it would include too many changes.

I see what I was missing here. This is specifically the OIDC AuthorizationCodeFlow implementation. I am still worried that there is a way for us to end up here without a nonce (perhaps through the UI?), but if it exists I can't find it. This check now makes sense.

I will leave it as it is then.

👍

Why are we supporting asymmetric encryption for signing tokens we issue? Is there some need to have a second or third party decode our tokens? It seems to me we issue these tokens to the client and we are the only ones that need to verify the signature.

It was just easy to be done. The whole purpose of this is to not allow someone to tamper with our Tokens, so being the only one that can sign this token is exactly what we need. We can allow users to setup their own symetric or asymetric keys, but then it's a user option and I feel ok with letting people do this. I don't know, maybe I'm too paranoid with this - would like to know your thoughts.

Asymmetric keys buy us nothing in this case. The only reason to even consider them is to allow a third party or another service to introspect and/or trust the tokens. Given that's the case I see no reason to support them. Additionally this combined with the need to encrypt values within the tokens is problematic as it's computationally expensive and easy to misunderstand how to do the encryption properly.

Ok, I've removed all the assymetric keys setup, leaving with just symetric one to encrypt the token. It's much easier this way and I guess you are right that it doesn't give us anything that we would actually need.

👍

Signing and compressing a token containing plain text access and refresh tokens is incredibly insecure. Both access tokens and refresh tokens are secrets that have been entrusted to us (Trino) and as such if we're returning them to the client in any form they MUST be encrypted.

The options available are to either encrypt the specific values included in the token or encrypt the token as a whole (which JJWT supports).

I agree, I think using asymetric encryption here pose a security risk without any benefits as Trino is the only recipient of the token. JWE should be a better fit here: https://datatracker.ietf.org/doc/html/rfc7516

Ok, I'm not sure however how this differs from keeping these tokens in the WebBrowser Cookies, as in order to use the RefreshToken you need to have valid client credentials, so it's not that you can just steal it. Our initial idea was that we should secure our token from any kind of tampering with it and that sharing these tokens is "OKish", as it already happens in the WebBrowser. Still - I'm fine with encrypting these claims and then signing and compressing the whole thing.

This is a matter of trust, access and refresh tokens are entrusted to Trino, they are not entrusted to the client. Thus giving the user access to the tokens (even if they're their own) breaks our contract with the token issuer (IdP). We don't control the client environment and there's no way for us to ensure or validate that no third-party has access to any storage mechanism the client supports and/or uses, and that is in addition to the possible malicious action of the client/credential holder themselves. Access tokens (and by extension refresh tokens) can grant access to resources which are not directly entrusted to the credential holder. In a way the ability to act on behalf of another user can be more dangerous than what that user could do themselves.

Ok I agree, I've not been thinking about the other end of the equation when wanted to protect ourselves from token tampering, so that preventing someone to steal the tokens is as valid as preventing someone to swap these tokens when in communication with us. I'm about to add the WebUI part as well, do you think that we should encrypt these tokens in Cookies there?

In addition, we are not encrypting any token for the accessTokens in WebUI, so maybe we should do this as a followup pr? What's more, maybe it actually make sense to issue these encrypted tokens, even if refreshTokens are not available? - again as a follow up.

If we're sending access tokens unencrypted to the UI then we definitely need to fix that ASAP. If a token (access or refresh) ever leaves our control then it should be encrypted. Also if it's possible we shouldn't even hold on to tokens unless we need them.

We need proper controls around the expiration of these JWT tokens. The expiration of the contained access token is not good enough as when it expires our token would expire and that invalidates the viability of the refresh token. I propose a configurable maximum token lifetime (as the token expiration) coupled with a secondary expiration related to the access token (stored in a separate field and validated as part of authentication).

Ok so this scenario won't happen, as right now we are keeping our token with the expiration of an accessToken and I'm providing long expirationTimeExtensionSeconds (it's in seconds because the api accepts only seconds).
This means that the expiration time of token issued by us is accessToken.expiration + expirationTimeExtension.
Right now refresh will happen only after the accessToken has expired, so the expirationTimeExtension is actually only here to allow refresh to happen.

I understand that we implicitly capture when the access token expires, however I'm asking here that it be explicit instead. The current value for the token expiration is good, having it expire some time after the access token itself should expire is good. However I would also like to see the token expiration encoded into the token and used to force a refresh of the token rather than us having to find out the hard way by retrieving the claims associated with the token.

I see and I like that this gives us easy possibility to refresh tokens before they timeout.

The issuer should most certainly be required and should have a value that uniquely identifies this Trino instance. Otherwise if two Trino instances have the same signing/encryption keys it would be allowed to use a token issued to one on the other.

There is no need to, nor should we, include the claims from the access token. These could contain sensitive values which should not be present in our token. Additionally we will validate the access token on authentication and retrieve these claims then. Thus there's no need to do the extra work here; it makes the token smaller and prevents the possible leakage of sensitive data.

Ok the reason behind it was to make it available for some network proxies or load balancers that could potentially tap into claims of the accessToken. I would gladly remove it if we think that this is not necessary.

No network proxy or load balancer would even be able to access these tokens as it's all behind TLS/SSL.

So for example in AWS you can have a Gateway, that modifies the requests through some AWS Lambdas. It can also redirect these calls, based on the requests etc.. It's all happening in the DMZ, so no TLS/SSL is involved (at least during the processing itself). It's a little bit farfetched, but just so you know, that this is possible in principle (I've actually seen systems that were doing first layer of authorization in such places). Still - I'm happy to remove these claims.

Yeah, I don't think we'll need any introspection, if it does come down to that we can reexamine at that time, but I don't think it'll be an issue.

👍

Given the new signature of this method is the other needAuthentication implementation necessary? It seems we would always use this version.

This seems unnecessary, we already have the refresh token and no user interaction is required in order acquire a new access (and possible refresh) token. We could easily perform the refresh token flow and return a new JWT token instead of going through all the work of returning this response and making the client do more work.

Perhaps we need to add an additional step to the AbstractBearerAuthenticator to support this behavior?

Ok so we can't do that I think. I don't believe that any of our client (jdbc/cli/python etc.) is taking the auth response headers and replacing it for the next request call. We do however allowed this Bearer x_token_server header to contain only x_token_server, so that client would only start polling for a new token to replace the old one, but would not try to open web-browser etc. This should be supported by every client that claims to support OAuth2/ExternalAuthentication protocol and it's the only way we can replace the existing token in these clients. In a way, this is exactly what you are talking about, but executed in the norms of the already existing flow.

My bad, I thought this worked differently and after digging into the code I realize that this is the right thing to do. It would be better if the client protocol was cleaner, but this is what we have right now.

There is no guarantee that we will ever be issued a refresh token, it is always at the discretion of the IdP if they issue one, making the assumption that we will always receive one is a bug waiting to happen. It is even such that different users or different circumstances completely out of our control could cause the IdP to not issue a refresh token.

Additionally a successful response will always contain an access token and that should be verified to be non-null.

Sure, I would just rather want that to be verified by the caller, so that the caller would use another method like TokenPair.accessToken(). I've added however method to handle Response from OAuth2Client, so this what you are saying should be handled there - I will double check that this is the case.

If the calling code is choosing a method based on an optional field then there should be a single method to handle both cases, there's no real need for the calling code to care if the refresh token is present or not.

Ok you are right, It is a bug waiting to happen.

nit: We could throw some configuration error - if it is sent to empty ?

Any issues on using File instead of String ?

We might also need to add assertion if the file exists.

Ok, we can distinguish null from empty. File should work as well.

Will it be Nullable ?

Since it is an enum , airlift would handle the conversion right ?

Yes, but one of the value of the SignatureAlgorithm is NONE. I think that I would like to prevent that from beeing used. (I've forget to add that here) WIll airlift print out all possible values if we use enum here? If not then I can use enum and make sure that it's never NONE.

Can we use Duration here - it would be more configurable ?

I was thinking about the Duration, but the thing is that I couldn't think of a good way of validating it. This value is later on used as a seconds, so anything lower that that shouldn't be allowed in the config as well. On the other hand, having an option to disable it might be handy as well. Right now, it would require us to proactively refreshing tokens, before they expire, in order for such an option to have sense, which is not yet implemented, but seems to be a natural evolution of such mechanisms.
On the other hand, we could have Duration here with @Min("1s") and say that it's not possible to disable it completely - even with the proactive refreshing.

Ok, we can distinguish null from empty. File should work as well.

Ok so I guess, we should have version + something elese. The question is what should it be, as I think tokens should survive coordinator restart (assuming that the signing keys are provided and not generated)

Yes you are right, I will add proper error handling here.

Ok so this scenario won't happen, as right now we are keeping our token with the expiration of an accessToken and I'm providing long expirationTimeExtensionSeconds (it's in seconds because the api accepts only seconds).
This means that the expiration time of token issued by us is accessToken.expiration + expirationTimeExtension.
Right now refresh will happen only after the accessToken has expired, so the expirationTimeExtension is actually only here to allow refresh to happen.

ok

Obviously not. I will remove it and make it so the caller of this factory method needs to make sure that there is an actual refreshToken to be passed. My mistake, thanks for noticing.

Sure, I would just rather want that to be verified by the caller, so that the caller would use another method like TokenPair.accessToken(). I've added however method to handle Response from OAuth2Client, so this what you are saying should be handled there - I will double check that this is the case.

my bad, a leftover from the testing

Woudn't storing both keys in the same file be easier? IIRC it's already the case for SSL in Trino, you can use a file with both.