Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

implement refresh token support #1414

Merged
merged 2 commits into from
May 3, 2023
Merged

implement refresh token support #1414

merged 2 commits into from
May 3, 2023

Conversation

bacongobbler
Copy link
Member

@bacongobbler bacongobbler commented Apr 20, 2023
edited
Loading

The Fermyon Cloud provides refresh token support to API clients.

By implementing refresh token support in the Spin CLI, we prevent the user from needing to run spin login as long as their refresh token is valid (6 months after date of issue). This also allows us to aggressively reduce the authentication token expiration date that Cloud issues to clients to prevent man-in-the-middle attacks.

In the event that the token and refresh token are stolen, we can revoke all refresh tokens for the user, forcing them to log back in.

As a side benefit: as long as you continue to use spin deploy once every 6 months, you should only need to perform the device code login mechanism once.

itowlson
itowlson approved these changes Apr 28, 2023
View reviewed changes
Copy link
Contributor

@itowlson itowlson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - this will be so convenient!

@michelleN michelleN added this to the 1.2.0 milestone May 1, 2023
@itowlson
Copy link
Contributor

itowlson commented May 3, 2023

@bacongobbler Is this okay to merge? (I can resolve the Cargo.lock conflicts if you are heads down on other things.)

@bacongobbler
Copy link
Member Author

Oh yeah! I couldn’t remember if the LGTM policy was 1 or 2. If you have the time today, please feel free to do so :)

bacongobbler and others added 2 commits May 3, 2023 16:21
@bacongobbler @itowlson
implement refresh token support
4a94303 
Signed-off-by: Matthew Fisher <matt.fisher@fermyon.com>
Signed-off-by: itowlson <ivan.towlson@fermyon.com>
@itowlson
Clarify cloud-openapi version
768d46d 
Signed-off-by: itowlson <ivan.towlson@fermyon.com>
@itowlson
Copy link
Contributor

itowlson commented May 3, 2023

@bacongobbler My optimism was ill-founded - I ended up having to pin cloud-openapi to get it to pick up the new types in my local build - so I'm afraid I'm going to have to bat this back to you for you to approve the Cargo.toml changes or back them out - I am not sure what your preferred policy is with that library.

Plus the rebase seems to have borked GH's signing verification. I hope I haven't messed up your branch - you might want to stake a snapshot before you pull just in case.

Apologies for not having this cleanly sorted for you!

@itowlson itowlson merged commit f987d6b into fermyon:main May 3, 2023
@bacongobbler bacongobbler deleted the refresh-tokens branch May 3, 2023 21:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@itowlson itowlson itowlson approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.2.0
Development

Successfully merging this pull request may close these issues.
3 participants
@bacongobbler @itowlson @michelleN