Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix caching access tokens for delegated permissions #98

Merged
merged 1 commit into from
Nov 14, 2024
Merged

Fix caching access tokens for delegated permissions #98

merged 1 commit into from
Nov 14, 2024

Conversation

Ndiritu
Copy link
Contributor

@Ndiritu Ndiritu commented Nov 8, 2024
edited
Loading

Context

When caching tokens, we need to ensure that during retrieval, we only retrieve the access token for the intended user (if delegated auth had been used) or for the intended application (if app permissions were used)

We previously used unique cache keys to uniquely identify a user/app from the cache:
app permissions: {tenantId}-{clientId}
delegated permissions: {tenantId}-{clientId}-{userId}

This PR

Changes from exploding the access token to retrieve the subject claim value to using a hash of the access token string as the cache key for delegated permissions.

It is not recommended to inspect access tokens since they may not always be JWTs. It's recommended to request & use ID tokens instead.

We opted to generate a hash of the access token instead of the ID token since ID tokens are not activated out of the box for all apps.

closes microsoftgraph/msgraph-sdk-php#1407
closes #92

@Ndiritu Ndiritu self-assigned this Nov 8, 2024
@Ndiritu Ndiritu changed the title Use UUID in cache key for delegated access tokens that are not JWTs Use hash of access token string as cache key for delegated access tokens that are not JWTs Nov 8, 2024
@sonarcloud SonarCloud
Copy link

sonarcloud bot commented Nov 13, 2024

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@Ndiritu Ndiritu marked this pull request as ready for review November 13, 2024 10:19
@Ndiritu Ndiritu requested a review from a team as a code owner November 13, 2024 10:19
@Ndiritu Ndiritu changed the title Use hash of access token string as cache key for delegated access tokens that are not JWTs Fix caching access tokens for delegated permissions Nov 13, 2024
@Ndiritu Ndiritu merged commit 9902a1e into main Nov 14, 2024
11 checks passed
@Ndiritu Ndiritu deleted the fix/delegated-token-caching branch November 14, 2024 08:51
@Ndiritu Ndiritu mentioned this pull request Nov 15, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@baywet baywet baywet approved these changes

Assignees

@Ndiritu Ndiritu

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

AuthorizationCodeContext: some access tokens not supported Reuse access_token from OAuth login
2 participants
@Ndiritu @baywet