robrap
commented
1 year ago @feanil: Some ideas we had discussed:
Observability for user id mismatches
- Get session_user_id from request.user at start of JWT authentication (which I think comes from temporary middleware authentication before DRF authentication).
- Get jwt_user_id from successful JWT authentication, or
- Get unverified_jwt_user_id from unsuccessful JWT authentication (requires decode without verifications).
- Potential custom attributes:
- jwt_auth_and_session_user_mismatch; True or NULL (not triggered when False).
- jwt_auth_session_user_id; Only included when mismatch is True.
- invalid_jwt_cookie_user_id; Only included when mismatch is True (really?) AND there is a JWT cookie auth failure.
Error handing for mismatches
For auth failure that would have resulted in jwt_auth_result of 'forgiven-failure', we will instead fail if there is a mismatch and use jwt_auth_result of ‘user-mismatch-failure’ (or something like that).
For all other cases, we discussed not doing anything new or different regarding mismatches, and simply starting with observability.
Todos for @robrap:
- [x] Move the safe session related bugs to github, because these might affect the mismatches.
- [x] Once the observability improvements land, I can update 2U's safe session runbook with this additional help.
Using edx-platform Safe Session monitoring, we've seen cases where the user id related to the LMS session does not match the user id in the JWT cookie. Although this issue is ultimately related to the LMS, which creates both the LMS session and the JWT cookie, this issue is being documented in this repo because this is where the JwtAuthentication class lives, which is a good place for adding observability, and potentially for taking corrective action.
Here are some related tickets: