
feat: [LILO-418] - Modify Cloud Manager to use OAuth PKCE instead of …

Open · mkaminsk-akamai opened this pull request 1 year ago • 15 comments

Description 📝

This change in Cloud Manager is an implication of an enhancement we are introducing, PKCE, which is an OAuth authentication enhancement described in the RFC OAuth 2.1 Authorization Framework: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-01.

The existing OAuth flow (used by customers) between Login and Cloud Manager uses the OAuth 2.0 implicit flow, which is considered less secure since it exposes access tokens in the redirection URL generated by the authorization server (Login).

In the new PKCE (Proof Key for Code Exchange) flow, the access token is sent inside the response body. There is also an additional layer of security with the code verifier - code challenge contract, which ensures the initial exchange code requestor possessing the code challenge is the same one which requests the access token and has the code verifier. The code challenge is a hash of a random code verifier string generated by the OAuth client.

Current one-step implicit flow:

  • Receiving access token from the redirection URL from Login

Is replaced with a two-step process using the S256 PKCE method:

  • Request for exchange code using the redirection URL from Login
    • Generate code verifier and code challenge
    • Request for exchange code using the S256 code challenge method
  • Request for access token using a POST request to Login
    • Request for access token using the code verifier

Changes 🔄

session.ts

  • add code verifier and code challenge generation
  • store code verifier in local storage
  • change URL params from request for access token to request for exchange code
  • store nonce in local storage

pkce.ts

  • add code verifier and code challenge generation

OAuth.tsx

  • replace obtaining access token with obtaining exchange code from redirect URL
  • read exchange code from redirect URL
  • read code verifier and nonce from local storage
  • add POST request to obtain access code based on exchange code and code verifier
  • add cleaning local storage and redirect to Logout in case of errors
  • add CircleProgress spinner for the time when making the POST request for the access token

Minor changes: authentication.helpers.ts, authentication.reducer.ts, authentication.test.ts, storage.ts

Added unit tests

Target release date 🗓️

Target release date needs to be aligned with Login team, so Cloud Manager will be released AFTER Login component release date.

How to test 🧪

Verify the login process into Cloud Manager works as previously in various scenarios.

As an Author I have considered 🤔

Check all that apply

  • [ ] 👀 Doing a self review
  • [ ] ❔ Our contribution guidelines
  • [ ] 🤏 Splitting feature into small PRs
  • [ ] ➕ Adding a changeset
  • [ ] 🧪 Providing/Improving test coverage
  • [ ] 🔐 Removing all sensitive information from the code and PR description
  • [ ] 🚩 Using a feature flag to protect the release
  • [ ] 👣 Providing comprehensive reproduction steps
  • [ ] 📑 Providing or updating our documentation
  • [ ] 🕛 Scheduling a pair reviewing session
  • [ ] 📱 Providing mobile support
  • [ ] ♿ Providing accessibility support

Commit message and pull request title format standards

Note: Remove this section before opening the pull request. Make sure your PR title and commit message on squash and merge are as shown below:

<commit type>: [JIRA-ticket-number] - <description>

Commit Types:

  • feat: New feature for the user (not a part of the code, or ci, ...).
  • fix: Bugfix for the user (not a fix to build something, ...).
  • change: Modifying an existing visual UI instance. Such as a component or a feature.
  • refactor: Restructuring existing code without changing its external behavior or visual UI. Typically to improve readability, maintainability, and performance.
  • test: New tests or changes to existing tests. Does not change the production code.
  • upcoming: A new feature that is in progress, not visible to users yet, and usually behind a feature flag.

Example: feat: [M3-1234] - Allow user to view their login history


mkaminsk-akamai avatar Jun 21 '24 07:06 mkaminsk-akamai
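The two-step S256 flow the description lays out, as an added worked example in TypeScript. This is not Cloud Manager's or Login's code: the `/oauth/authorize` path, the parameter names and the in-memory `MockLogin` stand-in for the Login server are assumptions for illustration, so the whole exchange runs offline. The verifier/challenge pair used as a check in the usage note is the RFC 7636 Appendix B vector.

```typescript
// Added example, not Cloud Manager or Login code: the two-step S256 PKCE flow
// from the PR description, run against a constructed in-memory stand-in for
// Login so it works offline. Endpoint paths, parameter names and the MockLogin
// class are assumptions for illustration only.
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

function base64url(buf: Buffer): string {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// RFC 7636 section 4.1: a high-entropy string of 43..128 unreserved characters.
// 32 random bytes base64url-encode to exactly 43 characters.
export function generateCodeVerifier(): string {
  return base64url(randomBytes(32));
}

// RFC 7636 section 4.2, S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
// Browser code would call crypto.subtle.digest("SHA-256", ...) here, which only
// exists in a secure context (https or localhost).
export function codeChallengeS256(verifier: string): string {
  return base64url(createHash("sha256").update(verifier, "ascii").digest());
}

export interface ClientState { verifier: string; nonce: string; }

// Step 1 (client): generate verifier/challenge, keep verifier + nonce locally
// (the PR stores them in local storage), and build the authorize redirect that
// asks for an exchange code rather than a token.
export function buildAuthorizeUrl(loginBase: string, clientId: string, redirectUri: string):
    { url: string; state: ClientState } {
  const verifier = generateCodeVerifier();
  const nonce = base64url(randomBytes(16));
  const params = new URLSearchParams({
    response_type: "code",
    client_id: clientId,
    redirect_uri: redirectUri,
    code_challenge: codeChallengeS256(verifier),
    code_challenge_method: "S256",
    state: nonce,
  });
  return { url: `${loginBase}/oauth/authorize?${params.toString()}`, state: { verifier, nonce } };
}

// Constructed stand-in for the Login authorization server. It binds each issued
// code to the challenge it was requested with and checks the verifier on the
// token request, which is the verifier/challenge "contract" the description refers to.
export class MockLogin {
  private readonly codes = new Map<string, string>(); // code -> code_challenge

  authorize(authorizeUrl: string): string {
    const q = new URL(authorizeUrl).searchParams;
    if (q.get("response_type") !== "code" || q.get("code_challenge_method") !== "S256") {
      throw new Error("unsupported_response_type");
    }
    const code = base64url(randomBytes(24));
    this.codes.set(code, q.get("code_challenge") ?? "");
    // The redirect carries only the one-time code and the state, never an access token.
    return `${q.get("redirect_uri")}?code=${code}&state=${q.get("state")}`;
  }

  token(body: URLSearchParams): { access_token: string } {
    const code = body.get("code") ?? "";
    const challenge = this.codes.get(code);
    this.codes.delete(code); // single use, whether or not the verifier matches
    if (challenge === undefined) throw new Error("invalid_grant");
    const expected = Buffer.from(challenge);
    const actual = Buffer.from(codeChallengeS256(body.get("code_verifier") ?? ""));
    if (expected.length !== actual.length || !timingSafeEqual(expected, actual)) {
      throw new Error("invalid_grant");
    }
    return { access_token: base64url(randomBytes(32)) };
  }
}

// Step 2 (client): back on the redirect URL, reject a state that does not match the
// stored nonce, then POST the code together with the verifier; the token is in the body.
export function exchangeCode(login: MockLogin, redirectUrl: string, state: ClientState): string {
  const q = new URL(redirectUrl).searchParams;
  if (q.get("state") !== state.nonce) throw new Error("state mismatch; possible CSRF or stale login");
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    code: q.get("code") ?? "",
    code_verifier: state.verifier,
  });
  return login.token(body).access_token;
}

// Whole flow end to end; returns the redirect the client saw and the token it obtained.
export function runFlow(login: MockLogin = new MockLogin()): { redirectUrl: string; accessToken: string } {
  const { url, state } = buildAuthorizeUrl("https://login.example", "cloud-manager", "https://cloud.example/oauth/callback");
  const redirectUrl = login.authorize(url);
  return { redirectUrl, accessToken: exchangeCode(login, redirectUrl, state) };
}
```

`codeChallengeS256("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")` must return `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM` (RFC 7636 Appendix B); that one check catches most encoding mistakes (standard base64 instead of base64url, or a hash of the hex string rather than the ASCII verifier). The three properties worth asserting in a client test are visible in `runFlow`: the redirect URL carries a code but no `access_token`, a wrong verifier or a replayed code is refused by the token endpoint, and a `state` that does not match the stored nonce is rejected before any token request is made.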

I'm noticing some weird behavior. I'm trying to go to localhost:3000 with the dev environment selected, but it ends up redirecting me to production login.linode.com

https://github.com/linode/manager/assets/115251059/e5ea9dc6-e21f-4345-ba13-bdea62c836e7

bnussman-akamai avatar Jul 10 '24 17:07 bnussman-akamai

I'll test this against Parent/Child proj

jaalah-akamai avatar Jul 10 '24 18:07 jaalah-akamai

Coverage Report: ✅
Base Coverage: 87.44%
Current Coverage: 87.56%

github-actions[bot] avatar Jul 10 '24 18:07 github-actions[bot]

> I'm noticing some weird behavior. I'm trying to go to localhost:3000 with the dev environment selected, but it ends up redirecting me to production login.linode.com
>
> Screen.Recording.2024-07-10.at.1.53.30.PM.mov

Thanks for checking this. I made an amendment to where we take the login URL from, so it should work when we override environment settings using localStorageOverrides.

mkaminsk-akamai avatar Jul 26 '24 11:07 mkaminsk-akamai


@bnussman-akamai I did additional merge and resolved conflicts with changes from develop branch.

mkaminsk-akamai avatar Jul 30 '24 07:07 mkaminsk-akamai

It would also be worth testing this against accounts using TPA like Google or GitHub in dev.

mkaminsk-akamai avatar Aug 01 '24 06:08 mkaminsk-akamai

Currently getting a redirect loop when trying to login

bnussman-akamai avatar Aug 01 '24 16:08 bnussman-akamai

> Currently getting a redirect loop when trying to login

Just tried on my local dev environment and I don't observe a redirect loop. Are you able to attach a HAR file from that loop, and possibly your logs from login-backend? Any errors?

mkaminsk-akamai avatar Aug 01 '24 17:08 mkaminsk-akamai

This PR is stale because it has been open 15 days with no activity. Please attend to this PR or it will be closed in 5 days

github-actions[bot] avatar Aug 18 '24 00:08 github-actions[bot]

> > Currently getting a redirect loop when trying to login
>
> Just tried on my local dev environment and I don't observe a redirect loop. Are you able to attach a HAR file from that loop, and possibly your logs from login-backend? Any errors?

Have you had a chance to look into this PR?

mkaminsk-akamai avatar Aug 19 '24 10:08 mkaminsk-akamai

Unfortunately, I'm still seeing some sort of redirect loop when I use our environment switcher tool.

https://github.com/user-attachments/assets/d4e3e6be-6cd7-40bc-8f48-769be720fbf7

bnussman-akamai avatar Aug 19 '24 14:08 bnussman-akamai

> I'm noticing some weird behavior. I'm trying to go to localhost:3000 with the dev environment selected, but it ends up redirecting me to production login.linode.com
>
> Screen.Recording.2024-07-10.at.1.53.30.PM.mov

It seems this may be due to the configuration of the OAuth client used on the Dev env. Could you please confirm?

mkaminsk-akamai avatar Aug 21 '24 13:08 mkaminsk-akamai

@bnussman-akamai I recently made updates to the code and resolved conflicts. Could you please confirm how it looks now from your perspective?

mkaminsk-akamai avatar Oct 09 '24 08:10 mkaminsk-akamai

Quick heads up @mkaminsk-akamai (cc @jaalah-akamai) that there are Cypress test failures that seem to be related to this change in account-logout.spec.ts and account-login-redirect.spec.ts.

I'm not able to reproduce the failures locally, which seems strange, so if I have time later I'll try to check out the CI recordings and see if they give us any clues, and will follow up if so.

jdamore-linode avatar Oct 09 '24 16:10 jdamore-linode

@jdamore-linode this is most likely failing because the CI client ID needs public access, not private. That may be tricky to set up since our CI needs the private one for everything else until we make the switch.

jaalah-akamai avatar Oct 16 '24 00:10 jaalah-akamai

> @jdamore-linode this is most likely failing because the CI client ID needs public access, not private. That may be tricky to set up since our CI needs the private one for everything else until we make the switch.

@jdamore-linode, @jaalah-akamai what could we do to plan merging this PR so we are not blocked by the current CI setup?

mkaminsk-akamai avatar Oct 21 '24 06:10 mkaminsk-akamai

> > @jdamore-linode this is most likely failing because the CI client ID needs public access, not private. That may be tricky to set up since our CI needs the private one for everything else until we make the switch.
>
> @jdamore-linode, @jaalah-akamai what could we do to plan merging this PR so we are not blocked by the current CI setup?

Hoping to work on this soon, but the failures are unrelated to the client ID not being public. The tests are failing because of the call to crypto.subtle.digest(), which requires a secure context. The instance of Cloud that gets built and served for our tests in CI doesn't meet that criteria right now.

Using another way to generate a SHA256 hash without needing crypto.subtle (or any other browser API which requires a "secure context") would probably get the test passing, but without that we'll need to make changes on the CI side. Because this test is relied on by our SRE team for their monitoring system, we cannot skip it or allow it to fail -- I think this is blocked until we have a solution in place.

jdamore-linode avatar Oct 23 '24 13:10 jdamore-linode
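The secure-context problem described in the comment above has a concrete workaround: compute the S256 challenge with a SHA-256 that does not go through `crypto.subtle`, which a browser only exposes on https or localhost origins. The block below is an added example, not code from this PR or the manager repository. It assumes the input is ASCII, which the RFC 7636 verifier alphabet guarantees, and it implements FIPS 180-4 SHA-256 and base64url by hand so nothing in it depends on a secure context, `Buffer` or `TextEncoder`.

```typescript
// Added example, not Cloud Manager code: an S256 code challenge computed with a
// dependency-free SHA-256, usable where crypto.subtle is absent (a page served
// over plain http is not a "secure context"). Inputs are assumed to be ASCII.
const K: number[] = [
  0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
  0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
  0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
  0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
  0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
  0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
  0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
  0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
];
const H0: number[] = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19];

const rotr = (x: number, n: number): number => (x >>> n) | (x << (32 - n));

// FIPS 180-4 SHA-256 over arbitrary bytes, using only 32-bit integer arithmetic.
export function sha256(message: Uint8Array): Uint8Array {
  // Padding: 0x80, zeros up to 56 mod 64, then the 64-bit big-endian bit length.
  const padLen = (message.length + 9 + 63) & ~63;
  const padded = new Uint8Array(padLen);
  padded.set(message);
  padded[message.length] = 0x80;
  const view = new DataView(padded.buffer);
  const bitLen = message.length * 8;
  view.setUint32(padLen - 8, Math.floor(bitLen / 0x100000000));
  view.setUint32(padLen - 4, bitLen >>> 0);

  const H = H0.slice();
  const W = new Uint32Array(64);
  for (let off = 0; off < padLen; off += 64) {
    for (let t = 0; t < 16; t++) W[t] = view.getUint32(off + t * 4);
    for (let t = 16; t < 64; t++) {
      const s0 = rotr(W[t - 15], 7) ^ rotr(W[t - 15], 18) ^ (W[t - 15] >>> 3);
      const s1 = rotr(W[t - 2], 17) ^ rotr(W[t - 2], 19) ^ (W[t - 2] >>> 10);
      W[t] = (W[t - 16] + s0 + W[t - 7] + s1) >>> 0;
    }
    let a = H[0], b = H[1], c = H[2], d = H[3], e = H[4], f = H[5], g = H[6], h = H[7];
    for (let t = 0; t < 64; t++) {
      const S1 = rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25);
      const ch = (e & f) ^ (~e & g);
      const T1 = (h + S1 + ch + K[t] + W[t]) >>> 0;
      const S0 = rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22);
      const maj = (a & b) ^ (a & c) ^ (b & c);
      const T2 = (S0 + maj) >>> 0;
      h = g; g = f; f = e; e = (d + T1) >>> 0;
      d = c; c = b; b = a; a = (T1 + T2) >>> 0;
    }
    H[0] = (H[0] + a) >>> 0; H[1] = (H[1] + b) >>> 0; H[2] = (H[2] + c) >>> 0; H[3] = (H[3] + d) >>> 0;
    H[4] = (H[4] + e) >>> 0; H[5] = (H[5] + f) >>> 0; H[6] = (H[6] + g) >>> 0; H[7] = (H[7] + h) >>> 0;
  }
  const digest = new Uint8Array(32);
  const out = new DataView(digest.buffer);
  for (let i = 0; i < 8; i++) out.setUint32(i * 4, H[i]);
  return digest;
}

// ASCII-only encoder; the PKCE verifier alphabet [A-Za-z0-9-._~] is ASCII by definition.
function asciiBytes(text: string): Uint8Array {
  const bytes = new Uint8Array(text.length);
  for (let i = 0; i < text.length; i++) bytes[i] = text.charCodeAt(i) & 0xff;
  return bytes;
}

export function sha256Hex(text: string): string {
  const digest = sha256(asciiBytes(text));
  let hex = "";
  for (let i = 0; i < digest.length; i++) hex += digest[i].toString(16).padStart(2, "0");
  return hex;
}

// base64url without padding (RFC 4648 section 5), written out so it needs no btoa or Buffer.
const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
function base64url(bytes: Uint8Array): string {
  let out = "";
  for (let i = 0; i < bytes.length; i += 3) {
    const n = (bytes[i] << 16) | ((bytes[i + 1] ?? 0) << 8) | (bytes[i + 2] ?? 0);
    out += B64URL[(n >>> 18) & 63] + B64URL[(n >>> 12) & 63];
    if (i + 1 < bytes.length) out += B64URL[(n >>> 6) & 63];
    if (i + 2 < bytes.length) out += B64URL[n & 63];
  }
  return out;
}

// RFC 7636 section 4.2, S256 method, with no crypto.subtle dependency.
export function codeChallengeS256(verifier: string): string {
  return base64url(sha256(asciiBytes(verifier)));
}
```

Before trusting a hand-rolled hash, check it against the NIST vectors (`sha256Hex("abc")` is `ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad`, and the 56-byte `abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq` exercises the two-block padding case) and against the RFC 7636 Appendix B pair, which `codeChallengeS256` reproduces. In a real client the sensible arrangement is to use `crypto.subtle.digest` whenever it is present, since production Cloud Manager is served over https, and to reach for a fallback like this only for the non-secure local and CI origins that prompted the comment above; a pure-JS digest is correct but is one more piece of cryptographic code to maintain.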

Cloud Manager UI test results

🎉 445 passing tests on test run #25

Failing: 0 · Passing: 445 · Skipped: 2 · Duration: 90m 36s

linode-gh-bot avatar Nov 13 '24 15:11 linode-gh-bot

@jaalah-akamai @mkaminsk-akamai this is unblocked now 👍 sorry for the hold up

jdamore-linode avatar Nov 13 '24 16:11 jdamore-linode

> @jaalah-akamai @mkaminsk-akamai this is unblocked now 👍 sorry for the hold up

@jdamore-linode Thank you for your help! @jdamore-linode, @jaalah-akamai, @bnussman-akamai can you help me merge this PR? I don't have write access to it.

mkaminsk-akamai avatar Nov 14 '24 06:11 mkaminsk-akamai

> > @jaalah-akamai @mkaminsk-akamai this is unblocked now 👍 sorry for the hold up
>
> @jdamore-linode Thank you for your help! @jdamore-linode, @jaalah-akamai, @bnussman-akamai can you help me merge this PR? I don't have write access to it.

@jdamore-linode, @jaalah-akamai, @bnussman-akamai Could you advise who I should ask to merge this PR?

mkaminsk-akamai avatar Nov 19 '24 14:11 mkaminsk-akamai

This PR is stale because it has been open 15 days with no activity. Please attend to this PR or it will be closed in 5 days

github-actions[bot] avatar Dec 05 '24 00:12 github-actions[bot]

> This PR is stale because it has been open 15 days with no activity. Please attend to this PR or it will be closed in 5 days

I'm trying to schedule a meeting to discuss the plan to merge this PR.

mkaminsk-akamai avatar Dec 05 '24 08:12 mkaminsk-akamai

This PR is stale because it has been open 15 days with no activity. Please attend to this PR or it will be closed in 5 days

github-actions[bot] avatar Dec 22 '24 00:12 github-actions[bot]

> This PR is stale because it has been open 15 days with no activity. Please attend to this PR or it will be closed in 5 days

.

mkaminsk-akamai avatar Dec 22 '24 14:12 mkaminsk-akamai

This PR is stale because it has been open 15 days with no activity. Please attend to this PR or it will be closed in 5 days

github-actions[bot] avatar Jan 08 '25 00:01 github-actions[bot]

This PR is stale because it has been open 15 days with no activity. Please attend to this PR or it will be closed in 5 days

github-actions[bot] avatar Jan 25 '25 00:01 github-actions[bot]

> This PR is stale because it has been open 15 days with no activity. Please attend to this PR or it will be closed in 5 days

updated

mkaminsk-akamai avatar Jan 27 '25 08:01 mkaminsk-akamai

Cloud Manager E2E Run #7147

Run Properties: Passed #7147 • git commit b162db882a: feat: [LILO-418] - Modify Cloud Manager to use OAuth PKCE instead of Implicit Fl...
Project: Cloud Manager E2E
Branch Review: develop
Run status: Passed #7147
Run duration: 30m 28s
Commit: b162db882a: feat: [LILO-418] - Modify Cloud Manager to use OAuth PKCE instead of Implicit Fl...
Committer: mkaminsk-akamai

Test results
Failures: 0
Flaky: 1
Pending (tests annotated with .skip): 2
Skipped (did not run due to a failure in a mocha hook): 0
Passing: 490

cypress[bot] avatar Jan 29 '25 16:01 cypress[bot]