personium / personium-core

Core module of Personium
https://personium.io
Apache License 2.0

Refreshed visitor access token does not have Roles directly assigned from ExtCell. #516

Closed dixonsiu closed 4 years ago

dixonsiu commented 4 years ago

Problem

When a visitor access token is refreshed, the role information directly assigned from ExtCell entries is missing.

This problem has been there for years but somehow was not found so far, since it can only be observed after the token is refreshed (usually after the 1 hr expiration time).

Original Incident (from dixon)

It seems that the refreshed visitor token is not working.

Below are the introspected results of the tokens.

ME

Both access token and refreshed access token can access own Cell's box.

  1. Access token ("AR~vsF") to access my box:

    {
        "sub": "https://dixonsiu.appdev.personium.io/#me",
        "iss": "https://dixonsiu.appdev.personium.io/",
        "active": true,
        "exp": 1574153285,
        "iat": 1574066885,
        "client_id": "https://app-personium-calendar.appdev.personium.io/",
        "p_roles": [ ]
    }

  2. Refresh token ("RR~2XfU") of the above:

    {
        "sub": "https://dixonsiu.appdev.personium.io/#me",
        "iss": "https://dixonsiu.appdev.personium.io/",
        "active": true,
        "exp": 1574153287,
        "iat": 1574066887,
        "client_id": "https://app-personium-calendar.appdev.personium.io/",
        "p_roles": [ ]
    }

  3. Refreshed access token ("AR~_s0icPE") of 1:

    {
        "sub": "https://dixonsiu.appdev.personium.io/#me",
        "iss": "https://dixonsiu.appdev.personium.io/",
        "active": true,
        "exp": 1574070487,
        "iat": 1574066887,
        "client_id": "https://app-personium-calendar.appdev.personium.io/",
        "p_roles": [ ]
    }

Friend

Only the access token can access a friend's box. After it is refreshed, it can no longer access a friend's box.

  1. Access token ("AV~cqp4...") to access a friend's box: p_roles not empty.

    {
        "sub": "https://dixonsiu.appdev.personium.io/#me",
        "aud": null,
        "iss": "https://shimono.appdev.personium.io/",
        "active": true,
        "exp": 1574068163,
        "iat": 1574064563,
        "client_id": "https://app-personium-calendar.appdev.personium.io/",
        "p_roles": [
            "https://appdev.personium.io/shimono/__role/calendar/CalendarViewer",
            "https://appdev.personium.io/shimono/__role/app-myboard/MyBoardViewer"
        ]
    }
  2. Refresh token ("RV~DrEWrl...") of the above:
    { "active": false }

  3. Refreshed access token ("AV~bhYm2-...") of 1: p_roles are empty.

    {
        "sub": "https://dixonsiu.appdev.personium.io/#me",
        "aud": null,
        "iss": "https://shimono.appdev.personium.io/",
        "active": true,
        "exp": 1574068286,
        "iat": 1574064686,
        "client_id": "https://app-personium-calendar.appdev.personium.io/",
        "p_roles": [ ]
    }

shimono commented 4 years ago

Now after writing some tests trying to reproduce the problem, I still cannot reproduce it yet but have noticed that the role URL is in path-based format whereas the unit is obviously run in sub-domain mode. Probably the problem should lie somewhere around here.
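The comment above points at the mismatch between the path-based role URLs (`https://appdev.personium.io/shimono/__role/...`) and the sub-domain style cell URL seen in `iss` (`https://shimono.appdev.personium.io/`). The following is an added regression-style check, not code from personium-core: it normalizes role URLs to the sub-domain form before comparing the `p_roles` of an original token with those of its refreshed counterpart, so that a refresh which silently drops ExtCell-assigned roles is flagged regardless of which URL style either token happens to use. The sample introspection results are copied from this issue; the unit domain `appdev.personium.io`, the rule "first path segment under the bare unit host is the cell name", and the function names are assumptions made for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed unit domain, matching the hostnames in the introspection output of this issue.
UNIT_DOMAIN = "appdev.personium.io"


def to_subdomain_form(url: str, unit_domain: str = UNIT_DOMAIN) -> str:
    """Rewrite a path-based cell URL (https://<unit>/<cell>/...) into the
    per-cell sub-domain form (https://<cell>.<unit>/...).

    URLs that already use a sub-domain host, or that do not belong to the
    unit at all, are returned unchanged. Assumption: the first path segment
    directly under the bare unit host is the cell name.
    """
    parts = urlsplit(url)
    if parts.netloc != unit_domain:
        return url
    segments = parts.path.lstrip("/").split("/", 1)
    cell = segments[0]
    if not cell:
        return url  # bare unit root, nothing to rewrite
    rest = "/" + segments[1] if len(segments) > 1 else "/"
    return urlunsplit((parts.scheme, f"{cell}.{unit_domain}", rest, parts.query, parts.fragment))


def role_set(introspection: dict) -> frozenset:
    """Normalized set of role URLs carried by an introspected token."""
    return frozenset(to_subdomain_form(r) for r in introspection.get("p_roles", []))


def check_refresh(original: dict, refreshed: dict) -> dict:
    """Compare an original access token's introspection result with that of
    the access token obtained by refreshing it. The refreshed token must be
    active, keep the same subject and issuer, and keep every role the
    original had. Returns a small report; `ok` is False on any regression."""
    missing = role_set(original) - role_set(refreshed)
    same_subject = original.get("sub") == refreshed.get("sub")
    same_issuer = original.get("iss") == refreshed.get("iss")
    active = refreshed.get("active") is True
    return {
        "ok": active and same_subject and same_issuer and not missing,
        "active": active,
        "same_subject": same_subject,
        "same_issuer": same_issuer,
        "missing_roles": sorted(missing),
    }


# Introspection results taken from this issue (visitor token for a friend's cell).
FRIEND_ORIGINAL = {
    "sub": "https://dixonsiu.appdev.personium.io/#me",
    "aud": None,
    "iss": "https://shimono.appdev.personium.io/",
    "active": True,
    "exp": 1574068163,
    "iat": 1574064563,
    "client_id": "https://app-personium-calendar.appdev.personium.io/",
    "p_roles": [
        "https://appdev.personium.io/shimono/__role/calendar/CalendarViewer",
        "https://appdev.personium.io/shimono/__role/app-myboard/MyBoardViewer",
    ],
}
FRIEND_REFRESHED = {
    "sub": "https://dixonsiu.appdev.personium.io/#me",
    "aud": None,
    "iss": "https://shimono.appdev.personium.io/",
    "active": True,
    "exp": 1574068286,
    "iat": 1574064686,
    "client_id": "https://app-personium-calendar.appdev.personium.io/",
    "p_roles": [],
}

if __name__ == "__main__":
    report = check_refresh(FRIEND_ORIGINAL, FRIEND_REFRESHED)
    print("refresh ok:", report["ok"])
    for role in report["missing_roles"]:
        print("role lost on refresh:", role)
```

Running the block against the friend-cell tokens from this issue reports the two ExtCell-assigned roles as lost; running it against the "ME" token pair (both with empty `p_roles`) reports `ok`, which is why the bug only shows up for visitor tokens. The normalization step is what keeps the comparison honest if one side of a future fix emits sub-domain style role URLs and the other still emits the path-based style.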

shimono commented 4 years ago

Problem analyzed and fixed. (Issue Title and description also changed accordingly)