Merge pull request #15631 from TheRealJon/OCPBUGS-62142

OCPBUGS-62142: Fix cookie size limit error with large OIDC refresh tokens

Author: openshift-merge-bot[bot]

pkg/auth/oauth2/auth_oidc_test.go

@@ -360,7 +360,10 @@ func Test_oidcAuth_refreshSession(t *testing.T) {
 			name: "session exists with different refresh token - session tokens match short-circuit to prevent multiple refreshes",
 			initSessions: func(s *sessions.CombinedSessionStore) (initSessionToken string) {
 				testCookieFactory := &testCookieFactory{
-					cookieCodecs: securecookie.CodecsFromPairs(authnKey, encryptionKey),
+					cookieCodecs:  securecookie.CodecsFromPairs(authnKey, encryptionKey),
+					serverStore:   s.ServerStore(),
+					tokenVerifier: oidcProvider.verifyIDToken,
+					signPayload:   oidcProvider.signPayload,
 				}
 				// inject the refresh token into the refresh token cache
 				testCookieFactory.WithRefreshToken("test-original-refresh-token")
@@ -406,7 +409,10 @@ func Test_oidcAuth_refreshSession(t *testing.T) {
 			require.NoError(t, err)
 
 			testCookieFactory := &testCookieFactory{
-				cookieCodecs: securecookie.CodecsFromPairs(authnKey, encryptionKey),
+				cookieCodecs:  securecookie.CodecsFromPairs(authnKey, encryptionKey),
+				serverStore:   o.sessions.ServerStore(),
+				tokenVerifier: oidcProvider.verifyIDToken,
+				signPayload:   oidcProvider.signPayload,
 			}
 			if len(tt.cookieRefreshToken) > 0 {
 				testCookieFactory.WithRefreshToken(tt.cookieRefreshToken)
@@ -530,7 +536,10 @@ func Test_oidcAuth_getLoginState(t *testing.T) {
 			require.NoError(t, err)
 
 			testCookieFactory := &testCookieFactory{
-				cookieCodecs: securecookie.CodecsFromPairs(authnKey, encryptionKey),
+				cookieCodecs:  securecookie.CodecsFromPairs(authnKey, encryptionKey),
+				serverStore:   o.sessions.ServerStore(),
+				tokenVerifier: oidcProvider.verifyIDToken,
+				signPayload:   oidcProvider.signPayload,
 			}
 			if len(tt.cookieRefreshToken) > 0 {
 				testCookieFactory.WithRefreshToken(tt.cookieRefreshToken)
@@ -609,8 +618,11 @@ func BenchmarkRefreshSession(b *testing.B) {
 						<-startChan
 						refreshToken := testValidRefreshToken + strconv.Itoa(tokenSuffix)
 						testCookieFactory := &testCookieFactory{
-							cookieCodecs: securecookie.CodecsFromPairs(authnKey, encryptionKey),
-							refreshToken: &refreshToken,
+							cookieCodecs:  securecookie.CodecsFromPairs(authnKey, encryptionKey),
+							refreshToken:  &refreshToken,
+							serverStore:   o.sessions.ServerStore(),
+							tokenVerifier: oidcProvider.verifyIDToken,
+							signPayload:   oidcProvider.signPayload,
 						}
 						req := httptest.NewRequest("GET", "/", nil)
 						testCookieFactory.Complete(b, req)
@@ -687,10 +699,14 @@ func testOAuth2ConfigConstructor(endpointConfig oauth2.Endpoint) *oauth2.Config
 }
 
 type testCookieFactory struct {
-	cookieCodecs  []securecookie.Codec
-	sessionToken  *string
-	refreshToken  *string
-	customCookies map[string]map[interface{}]interface{}
+	cookieCodecs   []securecookie.Codec
+	sessionToken   *string
+	refreshToken   *string
+	refreshTokenID *string
+	customCookies  map[string]map[interface{}]interface{}
+	serverStore    *sessions.SessionStore // needed to set up refresh token ID mapping
+	tokenVerifier  sessions.IDTokenVerifier
+	signPayload    func(string) string // function to sign an ID token payload
 }
 
 func (f *testCookieFactory) WithSessionToken(sessionToken string) *testCookieFactory {
@@ -720,9 +736,26 @@ func (f *testCookieFactory) Complete(t testing.TB, req *http.Request) *http.Requ
 			f.cookieCodecs)
 	}
 	if f.refreshToken != nil {
+		var id string
+		if f.serverStore != nil && f.tokenVerifier != nil && f.signPayload != nil {
+			// Use AddSession to properly set up the state
+			token := addIDToken(
+				&oauth2.Token{RefreshToken: *f.refreshToken},
+				f.signPayload(`{"sub":"testuser","exp":`+strconv.FormatInt(time.Now().Add(5*time.Minute).Unix(), 10)+`}`),
+			)
+			loginState, err := f.serverStore.AddSession(f.tokenVerifier, token)
+			require.NoError(t, err)
+			id = loginState.RefreshTokenID()
+		} else {
+			// Fallback to generating a random ID
+			id = randomString(32)
+		}
+		f.refreshTokenID = &id
+
+		// Store only the ID in the cookie
 		attachCookieOrDie(t, req, "openshift-refresh-token",
 			map[interface{}]interface{}{
-				"refresh-token": f.refreshToken,
+				"refresh-token-id": id,
 			},
 			f.cookieCodecs)
 	}

pkg/auth/sessions/combined_sessions.go

@@ -54,7 +54,8 @@ func (cs *CombinedSessionStore) AddSession(w http.ResponseWriter, r *http.Reques
 
 	clientSession := cs.getCookieSession(r)
 	clientSession.sessionToken.Values["session-token"] = ls.sessionToken
-	clientSession.refreshToken.Values["refresh-token"] = ls.refreshToken
+	// Store only the small reference ID in the cookie, not the full refresh token
+	clientSession.refreshToken.Values["refresh-token-id"] = ls.refreshTokenID
 
 	return ls, clientSession.save(r, w)
 }
@@ -89,12 +90,19 @@ func (cs *CombinedSessionStore) GetSession(w http.ResponseWriter, r *http.Reques
 	// Get always returns a session, even if empty.
 	clientSession := cs.getCookieSession(r)
 
-	var sessionToken, refreshToken string
+	var (
+		sessionToken string
+		refreshToken string
+	)
+
 	if sessionTokenIface, ok := clientSession.sessionToken.Values["session-token"]; ok {
 		sessionToken = sessionTokenIface.(string)
 	}
-	if refreshTokenIface, ok := clientSession.refreshToken.Values["refresh-token"]; ok {
-		refreshToken = refreshTokenIface.(string)
+	if refreshTokenID, ok := clientSession.refreshToken.Values["refresh-token-id"]; ok {
+		// Look up the actual refresh token from the ID
+		if actualToken, exists := cs.serverStore.byRefreshTokenID[refreshTokenID.(string)]; exists {
+			refreshToken = actualToken
+		}
 	}
 
 	loginState := cs.serverStore.GetSession(sessionToken, refreshToken)
@@ -104,16 +112,23 @@ func (cs *CombinedSessionStore) GetSession(w http.ResponseWriter, r *http.Reques
 func (cs *CombinedSessionStore) GetCookieRefreshToken(r *http.Request) string {
 	// Get always returns a session, even if empty.
 	clientSession, _ := cs.clientStore.Get(r, openshiftRefreshTokenCookieName)
-	if refreshToken, ok := clientSession.Values["refresh-token"].(string); ok {
-		return refreshToken
+	if refreshTokenID, ok := clientSession.Values["refresh-token-id"].(string); ok {
+		// Look up the actual refresh token using the ID
+		if actualToken, exists := cs.serverStore.byRefreshTokenID[refreshTokenID]; exists {
+			return actualToken
+		}
 	}
 	return ""
 }
 
 func (cs *CombinedSessionStore) UpdateCookieRefreshToken(w http.ResponseWriter, r *http.Request, refreshToken string) error {
-	// no need to lock here since there shouldn't be any races around the client session
+	// Generate a new ID for the refresh token
+	newID := RandomString(32)
+	cs.serverStore.byRefreshTokenID[newID] = refreshToken
+
+	// Store the ID in the cookie, not the full token
 	clientSession, _ := cs.clientStore.Get(r, openshiftRefreshTokenCookieName)
-	clientSession.Values["refresh-token"] = refreshToken
+	clientSession.Values["refresh-token-id"] = newID
 	return clientSession.Save(r, w)
 }
 
@@ -122,13 +137,25 @@ func (cs *CombinedSessionStore) UpdateTokens(w http.ResponseWriter, r *http.Requ
 	defer cs.sessionLock.Unlock()
 
 	clientSession := cs.getCookieSession(r)
+	var oldRefreshTokenID string
 	var oldRefreshToken string
-	if oldToken, ok := clientSession.refreshToken.Values["refresh-token"]; ok {
-		oldRefreshToken = oldToken.(string)
+	if oldID, ok := clientSession.refreshToken.Values["refresh-token-id"]; ok {
+		oldRefreshTokenID = oldID.(string)
+		// Look up the actual refresh token from the ID
+		if actualToken, exists := cs.serverStore.byRefreshTokenID[oldRefreshTokenID]; exists {
+			oldRefreshToken = actualToken
+		}
 	}
 
-	refreshToken := tokenResponse.RefreshToken
-	clientSession.refreshToken.Values["refresh-token"] = refreshToken
+	// Generate a new ID for the new refresh token
+	newRefreshTokenID := RandomString(32)
+	newRefreshToken := tokenResponse.RefreshToken
+	if newRefreshToken != "" {
+		cs.serverStore.byRefreshTokenID[newRefreshTokenID] = newRefreshToken
+	}
+
+	// Store the new ID in the cookie
+	clientSession.refreshToken.Values["refresh-token-id"] = newRefreshTokenID
 
 	var loginState *LoginState
 	sessionToken, ok := clientSession.sessionToken.Values["session-token"]
@@ -142,16 +169,22 @@ func (cs *CombinedSessionStore) UpdateTokens(w http.ResponseWriter, r *http.Requ
 			return nil, fmt.Errorf("failed to add session to server store: %w", err)
 		}
 		clientSession.sessionToken.Values["session-token"] = loginState.sessionToken
+		// AddSession already generated an ID, so update the cookie with it
+		clientSession.refreshToken.Values["refresh-token-id"] = loginState.refreshTokenID
 	} else {
 		// loginState is a pointer to the cache so this effectively mutates it for everyone
 		if err := loginState.UpdateTokens(tokenVerifier, tokenResponse); err != nil {
 			return nil, err
 		}
+		// Update the ID in the LoginState
+		loginState.refreshTokenID = newRefreshTokenID
 	}
 
 	// index by the old refresh token so that any follow-up requests that arrived
 	// before their cookie was updated with an actual session can still find the login state
-	cs.serverStore.byRefreshToken[oldRefreshToken] = loginState
+	if oldRefreshToken != "" {
+		cs.serverStore.byRefreshToken[oldRefreshToken] = loginState
+	}
 	return loginState, clientSession.save(r, w)
 }
 
@@ -168,8 +201,14 @@ func (cs *CombinedSessionStore) DeleteSession(w http.ResponseWriter, r *http.Req
 	}
 
 	cookieSession := cs.getCookieSession(r)
-	if refreshToken, ok := cookieSession.refreshToken.Values["refresh-token"]; ok {
-		cs.serverStore.DeleteByRefreshToken(refreshToken.(string))
+	if refreshTokenID, ok := cookieSession.refreshToken.Values["refresh-token-id"]; ok {
+		refreshTokenIDStr := refreshTokenID.(string)
+		// Look up the actual refresh token from the ID and delete
+		if actualToken, exists := cs.serverStore.byRefreshTokenID[refreshTokenIDStr]; exists {
+			cs.serverStore.DeleteByRefreshToken(actualToken)
+			// Clean up the ID mapping
+			delete(cs.serverStore.byRefreshTokenID, refreshTokenIDStr)
+		}
 	}
 
 	if sessionToken, ok := cookieSession.sessionToken.Values["session-token"]; ok {
@@ -185,3 +224,9 @@ func (cs *CombinedSessionStore) DeleteSession(w http.ResponseWriter, r *http.Req
 
 	return nil
 }
+
+// ServerStore returns the underlying server session store.
+// This is primarily used for testing purposes.
+func (cs *CombinedSessionStore) ServerStore() *SessionStore {
+	return cs.serverStore
+}

pkg/auth/sessions/combined_sessions_test.go

@@ -166,11 +166,13 @@ func TestCombinedSessionStore_AddSession(t *testing.T) {
 					refreshFound = true
 					gotRefresh := make(map[interface{}]interface{})
 					require.NoError(t, securecookie.DecodeMulti(openshiftRefreshTokenCookieName, c.Value, &gotRefresh, cookieCodecs...))
-					if gotRefresh["refresh-token"] != tt.wantRefreshToken {
-						t.Errorf("wanted refresh cookie to be %q, got %q", tt.wantRefreshToken, c.Value)
+					// The cookie now contains an ID, not the actual refresh token
+					refreshTokenID := gotRefresh["refresh-token-id"].(string)
+					actualRefreshToken := cs.serverStore.byRefreshTokenID[refreshTokenID]
+					if actualRefreshToken != tt.wantRefreshToken {
+						t.Errorf("wanted refresh token to be %q, got %q (via ID %q)", tt.wantRefreshToken, actualRefreshToken, refreshTokenID)
 					}
 				}
-
 			}
 
 			require.True(t, sessionFound, "session cookie not found")
@@ -239,6 +241,7 @@ func TestCombinedSessionStore_GetSession(t *testing.T) {
 
 			testCookies := &testCookieFactory{
 				cookieCodecs: cookieCodecs,
+				serverStore:  cs.serverStore,
 			}
 
 			req, err := http.NewRequest(http.MethodGet, "/", nil)
@@ -367,7 +370,7 @@ func TestCombinedSessionStore_UpdateTokens(t *testing.T) {
 			req, err := http.NewRequest(http.MethodGet, "/", nil)
 			require.NoError(t, err)
 
-			testCookieFactory := &testCookieFactory{cookieCodecs: cookieCodecs}
+			testCookieFactory := &testCookieFactory{cookieCodecs: cookieCodecs, serverStore: cs.serverStore}
 			if len(tt.currentSessionToken) > 0 {
 				testCookieFactory.WithSessionToken(tt.currentSessionToken)
 			}
@@ -557,6 +560,7 @@ func TestCombinedSessionStore_DeleteSession(t *testing.T) {
 
 			if tt.cookieStore != nil {
 				tt.cookieStore.cookieCodecs = cookieCodecs
+				tt.cookieStore.serverStore = cs.serverStore
 				req = tt.cookieStore.Complete(t, req)
 			}
 
@@ -619,10 +623,12 @@ func TestCombinedSessionStore_DeleteSession(t *testing.T) {
 }
 
 type testCookieFactory struct {
-	cookieCodecs  []securecookie.Codec
-	sessionToken  *string
-	refreshToken  *string
-	customCookies map[string]map[interface{}]interface{}
+	cookieCodecs   []securecookie.Codec
+	sessionToken   *string
+	refreshToken   *string
+	refreshTokenID *string
+	customCookies  map[string]map[interface{}]interface{}
+	serverStore    *SessionStore // needed to set up refresh token ID mapping
 }
 
 func (f *testCookieFactory) WithSessionToken(sessionToken string) *testCookieFactory {
@@ -652,9 +658,17 @@ func (f *testCookieFactory) Complete(t *testing.T, req *http.Request) *http.Requ
 			f.cookieCodecs)
 	}
 	if f.refreshToken != nil {
+		// Generate an ID for the refresh token and store the mapping
+		id := randomString(32)
+		if f.serverStore != nil {
+			f.serverStore.byRefreshTokenID[id] = *f.refreshToken
+		}
+		f.refreshTokenID = &id
+
+		// Store only the ID in the cookie
 		attachCookieOrDie(t, req, openshiftRefreshTokenCookieName,
 			map[interface{}]interface{}{
-				"refresh-token": f.refreshToken,
+				"refresh-token-id": id,
 			},
 			f.cookieCodecs)
 	}

pkg/auth/sessions/loginstate.go

@@ -21,15 +21,16 @@ type IDTokenVerifier func(context.Context, string) (*oidc.IDToken, error)
 // and should be safe to send as a non-http-only cookie.
 type LoginState struct {
 	// IMPORTANT: if adding any ref type, change the DeepCopy() implementation
-	userID       string
-	name         string
-	email        string
-	exp          time.Time
-	rotateAt     time.Time // 80% of token's lifetime
-	now          nowFunc
-	sessionToken string
-	rawToken     string
-	refreshToken string
+	userID         string
+	name           string
+	email          string
+	exp            time.Time
+	rotateAt       time.Time // 80% of token's lifetime
+	now            nowFunc
+	sessionToken   string
+	rawToken       string
+	refreshToken   string
+	refreshTokenID string // Small reference ID for the refresh token (stored in cookie)
 }
 
 type LoginJSON struct {
@@ -164,6 +165,10 @@ func (ls *LoginState) RefreshToken() string {
 	return ls.refreshToken
 }
 
+func (ls *LoginState) RefreshTokenID() string {
+	return ls.refreshTokenID
+}
+
 func (ls *LoginState) IsExpired() bool {
 	return ls.now().After(ls.exp)
 }