OpenSearch/x-pack
Ioannis Kakavas 7ed9d52824
Support concurrent refresh of refresh tokens (#39647)
This is a backport of #39631

Co-authored-by: Jay Modi jaymode@users.noreply.github.com

This change adds support for the concurrent refresh of access
tokens as described in #36872.
In short it allows subsequent client requests to refresh the same token that
come within a predefined window of 60 seconds to be handled as duplicates
of the original one and thus receive the same response with the same newly
issued access token and refresh token.
In order to support that, two new fields are added in the token document. One
contains the instant (in epochMillis) when a given refresh token is refreshed
and one that contains a pointer to the token document that stores the new
refresh token and access token that was created by the original refresh.
A side effect of this change, that was however also an intended enhancement
for the token service, is that we needed to stop encrypting the string
representation of the UserToken while serializing. (It was necessary as we
correctly used a new IV for every time we encrypted a token in serialization, so
subsequent serializations of the same exact UserToken would produce
different access token strings.)

This change also handles the serialization/deserialization BWC logic:

    - In mixed clusters we keep creating tokens in the old format and
      consume only old format tokens
    - In upgraded clusters, we start creating tokens in the new format but
      still remain able to consume old format tokens (that could have been
      created during the rolling upgrade and are still valid)
    - When reading/writing TokensInvalidationResult objects, we take into
      consideration that pre 7.1.0 these contained an integer field that carried
      the attempt count

Resolves #36872
2019-03-05 14:55:59 +02:00
..
dev-tools
docs [DOCS] Sorts security APIs 2019-03-04 15:06:33 -08:00
license-tools Switch mapping/aggregations over to java time (#36363) 2019-01-23 10:40:05 +01:00
plugin Support concurrent refresh of refresh tokens (#39647) 2019-03-05 14:55:59 +02:00
qa mute test 2019-03-04 16:55:27 +01:00
test Ground work to start up the docker image in the build (#37754) 2019-01-24 17:26:42 +02:00
transport-client Testing conventions now checks for tests in main (#37321) 2019-01-24 17:30:50 +02:00
NOTICE.txt
README.md
build.gradle MINOR: Remove some Deadcode in Gradle (#37160) 2019-01-07 09:21:25 +01:00

README.md

Elastic License Functionality

This directory tree contains files subject to the Elastic License. The files subject to the Elastic License are grouped in this directory to clearly separate them from files licensed under the Apache License 2.0.