feat: [LILO-418] - Modify Cloud Manager to use OAuth PKCE instead of …

[mkaminsk-akamai]

Description 📝

This change in Cloud Manager is an implication of an enhancement we are introducing, PKCE, which is an OAuth authentication enhancement described in the RFC OAuth 2.1 Authorization Framework: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-01.

The existing OAuth flow (used by customers) between Login and Cloud Manager uses the OAuth 2.0 implicit flow, which is considered less secure since it exposes access tokens in the redirection URL generated by the authorization server (Login).

In the new PKCE (Proof Key for Code Exchange) flow, the access token is sent inside the response body. There is also an additional layer of security with the code verifier - code challenge contract, which ensures the initial exchange code requestor possessing the code challenge is the same one which requests the access token and has the code verifier. The code challenge is a hash of a random code verifier string generated by the OAuth client.

Current one-step implicit flow:

• Receiving access token from the redirection URL from Login

Is replaced with a two-step process using the S256 PKCE method:

• Request for exchange code using the redirection URL from Login
  • Generate code verifier and code challenge
  • Request for exchange code using the S256 code challenge method
• Request for access token using a POST request to Login
  • Request for access token using the code verifier

Changes 🔄

session.ts

• add code verifier and code challenge generation
• store code verifier in local storage
• change URL params from request for access token to request for exchange code
• store nonce in local storage

pkce.ts

• add code verifier and code challenge generation

OAuth.tsx

• replace obtaining access token with obtaining exchange code from redirect URL
• read exchange code from redirect URL
• read code verifier and nonce from local storage
• add POST request to obtain access code basing on exchange code and code verifier
• add cleaning local storage and redirect to Logout in case of errors
• add CircleProgress spinner for the event for the time when making POST request for access token

Minior changes: authentication.helpers.ts, authentication.reducer.ts, authentication.test.ts, storage.ts

Added unit tests

Target release date 🗓️

Target release date needs to be aligned with Login team, so Cloud Manager will be released AFTER Login component release date.

How to test 🧪

Verify the login process into Cloud Manager works as previously in various scenarios.

As an Author I have considered 🤔

Check all that apply

• 👀 Doing a self review
• ❔ Our contribution guidelines
• 🤏 Splitting feature into small PRs
• ➕ Adding a changeset
• 🧪 Providing/Improving test coverage
• 🔐 Removing all sensitive information from the code and PR description
• 🚩 Using a feature flag to protect the release
• 👣 Providing comprehensive reproduction steps
• 📑 Providing or updating our documentation
• 🕛 Scheduling a pair reviewing session
• 📱 Providing mobile support
• ♿ Providing accessibility support

---

Commit message and pull request title format standards

Note: Remove this section before opening the pull request
Make sure your PR title and commit message on squash and merge are as shown below

<commit type>: [JIRA-ticket-number] - <description>

Commit Types:

• feat: New feature for the user (not a part of the code, or ci, ...).
• fix: Bugfix for the user (not a fix to build something, ...).
• change: Modifying an existing visual UI instance. Such as a component or a feature.
• refactor: Restructuring existing code without changing its external behavior or visual UI. Typically to improve readability, maintainability, and performance.
• test: New tests or changes to existing tests. Does not change the production code.
• upcoming: A new feature that is in progress, not visible to users yet, and usually behind a feature flag.

Example: feat: [M3-1234] - Allow user to view their login history

---

[AzureLatte]

Test passed

[bnussman-akamai]

I'm noticing some weird behavior. I'm trying to go to localhost:3000 with the dev environment selected, but it ends up redirecting me to production login.linode.com

Screen.Recording.2024-07-10.at.1.53.30.PM.mov

[jaalah-akamai]

I'll test this against Parent/Child proj

[github-actions]

Coverage Report: ✅
Base Coverage: 87.44%
Current Coverage: 87.56%

[mkaminsk-akamai]

I'm noticing some weird behavior. I'm trying to go to localhost:3000 with the dev environment selected, but it ends up redirecting me to production login.linode.com

Screen.Recording.2024-07-10.at.1.53.30.PM.mov

Thanks for checking this. I made ammedment to from where we take the login URL so it should work when we override environments settings using localStorageOverrides.

[mkaminsk-akamai]

Author

@bnussman-akamai I did additional merge and resolved conflicts with changes from develop branch.

[mkaminsk-akamai]

It would be also worth to test this against accounts using TPA like Google or Github in dev.

[bnussman-akamai]

Currently getting a redirect loop when trying to login

[mkaminsk-akamai]

Currently getting a redirect loop when trying to login

Just tried on my local dev environment and I don't observe redirect loop. Are you able to attach HAR file from that loop? and possibly your logs from login-backend? Any errors?

[github-actions]

This PR is stale because it has been open 15 days with no activity. Please attend to this PR or it will be closed in 5 days

[mkaminsk-akamai]

Currently getting a redirect loop when trying to login

Just tried on my local dev environment and I don't observe redirect loop. Are you able to attach HAR file from that loop? and possibly your logs from login-backend? Any errors?

Have you got a chance to look into this PR ?

[bnussman-akamai]

Unfortunately, I'm still seeing some sort of redirect loop when I use our environment switcher tool.

Screen.Recording.2024-08-19.at.10.03.30.AM.mov

[mkaminsk-akamai]

I'm noticing some weird behavior. I'm trying to go to localhost:3000 with the dev environment selected, but it ends up redirecting me to production login.linode.com

Screen.Recording.2024-07-10.at.1.53.30.PM.mov

It seems this may be due configuration of the OAuth client used on Dev env. Could you please confirm?

[jaalah-akamai]

I'll keep reviewing, but I'm also experiencing the same redirect loop as mentioned above in Dev environment.

[jaalah-akamai]

@jdamore-linode @bnussman-akamai This is now looking good to me. The issue I was seeing when switching environments has been resolved with latest commit. Would love to get your review/approval since this affects login before merging.

[mkaminsk-akamai]

@bnussman-akamai I recently made updates to the code and resolved conflicts. Could you please confirm how it looks now from your perepective?

[bnussman-akamai]

I believe everything is working as expected now!

[jdamore-linode]

Quick heads up @mkaminsk-akamai (cc @jaalah-akamai) that there are Cypress test failures that seem to be related to this change in account-logout.spec.ts and account-login-redirect.spec.ts.

I'm not able to reproduce the failures locally, which seems strange, so if I have time later I'll try to check out the CI recordings and see if they give us any clues, and will follow up if so.

[jaalah-akamai]

@jdamore-linode this is most likely failing because the CI client ID needs public access, not private. That may be tricky to setup since our CI needs the private one for everything else until we make the switch.

[mkaminsk-akamai]

@jdamore-linode this is most likely failing because the CI client ID needs public access, not private. That may be tricky to setup since our CI needs the private one for everything else until we make the switch.

@jdamore-linode, @jaalah-akamai what could we to do plan merging this PR so we are not blocked with the current CI setup?

[jdamore-linode]

@jdamore-linode this is most likely failing because the CI client ID needs public access, not private. That may be tricky to setup since our CI needs the private one for everything else until we make the switch.

@jdamore-linode, @jaalah-akamai what could we to do plan merging this PR so we are not blocked with the current CI setup?

Hoping to work on this soon, but the failures are unrelated to the client ID not being public. The tests are failing because of the call to crypto.subtle.digest(), which requires a secure context. The instance of Cloud that gets built and served for our tests in CI doesn't meet that criteria right now.

Using another way to generate a SHA256 hash without needing crypto.subtle (or any other browser API which requires a "secure context") would probably get the test passing, but without that we'll need to make changes on the CI side. Because this test is relied on by our SRE team for their monitoring system, we cannot skip it or allow it to fail -- I think this is blocked until we have a solution in place.

[linode-gh-bot]

Cloud Manager UI test results

🎉 445 passing tests on test run #25 ↗︎

❌ Failing	✅ Passing	↪️ Skipped	🕐 Duration
0 Failing	445 Passing	2 Skipped	90m 36s

[jdamore-linode]

@jaalah-akamai @mkaminsk-akamai this is unblocked now 👍 sorry for the hold up

[mkaminsk-akamai]

@jaalah-akamai @mkaminsk-akamai this is unblocked now 👍 sorry for the hold up

@jdamore-linode Thank you for your help! @jdamore-linode , @jaalah-akamai , @bnussman-akamai can you help me merging this PR? I don't have write access to it.

[mkaminsk-akamai]

blocked now 👍 sorry for the hold up

@jaalah-akamai @mkaminsk-akamai this is unblocked now 👍 sorry for the hold up

@jdamore-linode Thank you for your help! @jdamore-linode , @jaalah-akamai , @bnussman-akamai can you help me merging this PR? I don't have write access to it.

@jdamore-linode , @jaalah-akamai , @bnussman-akamai Could you advise who should I ask to merge this PR?

[github-actions]

This PR is stale because it has been open 15 days with no activity. Please attend to this PR or it will be closed in 5 days

[mkaminsk-akamai]

This PR is stale because it has been open 15 days with no activity. Please attend to this PR or it will be closed in 5 days

I'm trying to schedule meeting to discuss the plan to merge this PR.