-
Notifications
You must be signed in to change notification settings - Fork 933
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Encrypt OIDC cookies #12628
Encrypt OIDC cookies #12628
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A couple of comments but it looks good
2abe14f
to
987e71b
Compare
987e71b
to
42b08fb
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi, looks very good overall. Just a few smaller suggestions.
994e007
to
76a2445
Compare
@nsklikas In the OIDC login handler I have re-added the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the clarifications, LGTM.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks pretty good to me now. I think you addressed all of the changes we requested:
- You are using salt and context information for the keys
- sessionId (the salt) is regenerated for each token refresh
- salt size of 64 is also sufficient
I agree with @tomponline that a few places could benefit from some more documentation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, I've left a couple of minor comments
…terval. Signed-off-by: Mark Laing <[email protected]>
Signed-off-by: Mark Laing <[email protected]>
Signed-off-by: Mark Laing <[email protected]>
180ce99
to
e692f99
Compare
Signed-off-by: Mark Laing <[email protected]>
Signed-off-by: Mark Laing <[email protected]>
Signed-off-by: Mark Laing <[email protected]>
These cookies do not need to be decrypted by other cluster members, so it is ok to use secure key generation that is built-in to the securecookie library. This also reduces the exposure of our private key. Signed-off-by: Mark Laing <[email protected]>
Signed-off-by: Mark Laing <[email protected]>
Signed-off-by: Mark Laing <[email protected]>
Signed-off-by: Mark Laing <[email protected]>
Signed-off-by: Mark Laing <[email protected]>
Signed-off-by: Mark Laing <[email protected]>
e692f99
to
8d4b2e4
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
This PR encrypts the OIDC cookies that are set in the response after logging in to LXD. It finishes the implementation of changes to handling of OIDC authentication as discussed in #12531.
To ensure that the encryption key is the same on all cluster members, we are deriving the key from the cluster private key using HKDF.
Closes #12531