Add authorization request store #873
Conversation
There was a problem hiding this comment.
Pull request overview
This PR migrates OAuth2 authorization request context storage from an in-memory session-based approach to a persistent database-backed solution. The change improves scalability, reliability, and state management for OAuth2 authorization flows by introducing a dedicated AUTHORIZATION_REQUEST table and corresponding store interface.
Key Changes
- Added
AUTHORIZATION_REQUESTtable to both SQLite and PostgreSQL schemas with proper indexing for expiry-based queries - Implemented
authorizationRequestStorewith database persistence replacing the previous in-memorysessionDataStore - Refactored handlers to use
AuthRequestIDinstead ofSessionDataKeyfor better naming clarity
Reviewed changes
Copilot reviewed 17 out of 19 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
backend/dbscripts/runtimedb/sqlite.sql |
Added AUTHORIZATION_REQUEST table with TEXT storage for request data |
backend/dbscripts/runtimedb/postgres.sql |
Added AUTHORIZATION_REQUEST table with JSONB storage for request data |
tests/integration/resources/dbscripts/runtimedb/sqlite.sql |
Integration test schema with matching table structure |
tests/integration/resources/dbscripts/runtimedb/postgres.sql |
Integration test schema with matching table structure |
backend/internal/oauth/oauth2/authz/auth_req_store.go |
New database-backed store implementation with JSON serialization |
backend/internal/oauth/oauth2/authz/auth_req_store_test.go |
Comprehensive unit tests for the new store (837 lines) |
backend/internal/oauth/oauth2/authz/auth_code_store.go |
New authorization code store implementation |
backend/internal/oauth/oauth2/authz/auth_code_store_test.go |
Unit tests for authorization code store (681 lines) |
backend/internal/oauth/oauth2/authz/store_constants.go |
Added database queries for authorization request operations |
backend/internal/oauth/oauth2/authz/handler.go |
Refactored to use new store and renamed fields from SessionDataKey to AuthRequestID |
backend/internal/oauth/oauth2/authz/handler_test.go |
Updated tests to use new store and naming |
backend/internal/oauth/oauth2/authz/init.go |
Added authorization request store initialization |
backend/internal/oauth/oauth2/authz/model.go |
Updated model with AuthRequestID instead of SessionDataKey |
backend/internal/oauth/oauth2/constants/constants.go |
Renamed constant from SessionDataKey to AuthRequestID |
backend/internal/observability/event/datakeys.go |
Updated event data keys to use AuthRequestID |
backend/internal/oauth/oauth2/authz/session_store.go |
Removed old in-memory session store |
backend/internal/oauth/oauth2/authz/session_store_test.go |
Removed old session store tests |
backend/internal/oauth/oauth2/authz/sessionDataStoreInterface_mock_test.go |
Removed old mock |
backend/tests/mocks/oauth/oauth2/authzmock/sessionDataStoreInterface_mock.go |
Removed old mock |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 18 out of 19 changed files in this pull request and generated 5 comments.
Comments suppressed due to low confidence (1)
backend/internal/oauth/oauth2/authz/handler.go:152
- Unencoded user-controlled
stateappended to redirect URL using string concatenation. This enables query-parameter injection (e.g., adding&foo=bar) into the client application's redirect URI. Encodestateor build the URL via a safe utility (e.g.,GetURIWithQueryParams).
Severity: MEDIUM. Confidence: 9
redirectURI += "&" + oauth2const.RequestParamState + "=" + state
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #873 +/- ##
==========================================
- Coverage 87.69% 87.63% -0.06%
==========================================
Files 318 319 +1
Lines 26152 26261 +109
Branches 606 606
==========================================
+ Hits 22934 23014 +80
- Misses 2002 2023 +21
- Partials 1216 1224 +8
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
thiva-k
force-pushed
the
auth-store-impl
branch
from
92ff8c8 to
0df851f
Compare
thiva-k
force-pushed
the
auth-store-impl
branch
2 times, most recently
from
8f8ad6b to
75c215f
Compare
thiva-k
force-pushed
the
auth-store-impl
branch
from
75c215f to
15d5cf4
Compare
thiva-k
force-pushed
the
auth-store-impl
branch
from
15d5cf4 to
e48eea9
Compare
thiva-k
force-pushed
the
auth-store-impl
branch
from
da6c664 to
6c5f728
Compare
thiva-k
force-pushed
the
auth-store-impl
branch
from
6c5f728 to
8963f14
Compare
thiva-k
force-pushed
the
auth-store-impl
branch
2 times, most recently
from
f226c1c to
146a919
Compare
thiva-k
force-pushed
the
auth-store-impl
branch
from
146a919 to
decd3ad
Compare
thiva-k
force-pushed
the
auth-store-impl
branch
from
decd3ad to
11bcb79
Compare
thiva-k
force-pushed
the
auth-store-impl
branch
from
11bcb79 to
9c0d2eb
Compare
| func newAuthorizationRequestStore() authorizationRequestStoreInterface { | ||
| return &authorizationRequestStore{ | ||
| dbProvider: provider.GetDBProvider(), | ||
| validityPeriod: 10 * time.Minute, |
There was a problem hiding this comment.
shouldn't this be read from the configuration?
If the spec mandates 10 mins as the expiry time, then hardcoding it here is fine. If not, we need let it configurable
There was a problem hiding this comment.
Since this is a existing implementation, shall we introduce a config in a separate PR?
|
|
||
| // Generate the authorization code. | ||
| authzCode, err := createAuthorizationCode(sessionData, &assertionClaims) | ||
| authzCode, err := createAuthorizationCode(authRequestCtx, &assertionClaims, authTime) |
There was a problem hiding this comment.
why we are taking the assertion authTime as the created time for the auth code?
Is it a spec recommendation
There was a problem hiding this comment.
This created time becomes the auth_time in the ID token, which should ideally be the time the assertion was created right?
Should we have both TimeCreated and AuthTime fields in Authorization code context ?
There was a problem hiding this comment.
oh. I thought we are using it for access token. If it's been used only for the auth_time in the ID token, then it should be fine
thiva-k
force-pushed
the
auth-store-impl
branch
from
9c0d2eb to
1746623
Compare
thiva-k
force-pushed
the
auth-store-impl
branch
from
1746623 to
18bafac
Compare
thiva-k
force-pushed
the
auth-store-impl
branch
from
18bafac to
2ca1373
Compare
3 participants
Purpose
This pull request introduces a new mechanism for storing OAuth2 authorization request context in the backend, replacing the previous session-based approach. The changes ensure that authorization request state is managed securely and efficiently using a dedicated database table and store interface. The update affects both the database schema and the handler logic, providing better scalability and maintainability for the OAuth2 authorization flow.
Approach
Database schema changes:
AUTHORIZATION_REQUESTtable and corresponding expiry index to bothpostgres.sqlandsqlite.sqlfor storing OAuth2 authorization request context, including request parameters and timestamps. [1] [2]Backend logic and handler refactoring:
authorizationRequestStoreimplementation (auth_req_store.go) with methods for adding, retrieving, and clearing authorization request contexts, using the new database table.authorizeHandlerto use the newauthorizationRequestStoreInterfaceinstead of the previous session store, updating constructor, field names, and method calls throughout. [1] [2]AuthRequestIDinstead ofSessionDataKeyin relevant handler methods and request parsing. [1] [2]These changes collectively improve the reliability and clarity of the OAuth2 authorization flow by decoupling request state from session management and persisting it in a dedicated, queryable store.
Related issue