
✨feat: Support database session & token refresh for sso providers #6209

Draft: wants to merge 8 commits into main

@cy948 (Contributor) commented Feb 16, 2025

💻 Change Type

  • ✨ feat
  • 🐛 fix
  • ♻️ refactor
  • 💄 style
  • 👷 build
  • ⚡️ perf
  • 📝 docs
  • 🔨 chore

🔀 Description of Change

📝 Additional Information

Background

In the previous NextAuth integration, the Auth service was used for a single authorization only. That is, once the Auth service "allows" a user to access the Lobe application, whether the user remains valid for the rest of the time is controlled entirely by Lobe. This approach has:

  • 👍 Pro: Lobe is not constrained by the Auth service and can implement more flexible access control.
  • 👎 Con: the Auth service cannot manage users, e.g. disable a user.

The current situation is that the Lobe community edition does not yet support user-management features such as controlling users, so users cannot be managed at all. To address this, a scheme is proposed that lets both Lobe and the Auth service manage users:

  • Lobe actively reads the user's authorization status from Auth (requires Token Rotation): in Lobe, the access token (access_token) granted by the Auth service is refreshed in order to learn the user's current authorization status at the Auth service, normal or disabled:
    • Normal: the token is refreshed and the user's login state is kept.
    • Disabled: when the token cannot be refreshed, the user is forced to log in again.
  • The Auth service actively pushes the user's availability status to Lobe (requires Webhook, database session): when the Auth service "disables" a user, it sends an event to Lobe via webhook; on receiving the event, Lobe can clear the target user's session and force the user to log in again.

Token Rotation | Access Token Refresh

RFC 6749 allows an application that has completed the authorization flow ([A]->[F]) to use the refresh_token to refresh the access_token at the authorization server ([G] -> [H]):

  +--------+                                           +---------------+
  |        |--(A)------- Authorization Grant --------->|               |
  |        |                                           |               |
  |        |<-(B)----------- Access Token -------------|               |
  |        |               & Refresh Token             |               |
  |        |                                           |               |
  |        |                            +----------+   |               |
  |        |--(C)---- Access Token ---->|          |   |               |
  |        |                            |          |   |               |
  |        |<-(D)- Protected Resource --| Resource |   | Authorization |
  | Client |                            |  Server  |   |     Server    |
  |        |--(E)---- Access Token ---->|          |   |               |
  |        |                            |          |   |               |
  |        |<-(F)- Invalid Token Error -|          |   |               |
  |        |                            +----------+   |               |
  |        |                                           |               |
  |        |--(G)----------- Refresh Token ----------->|               |
  |        |                                           |               |
  |        |<-(H)----------- Access Token -------------|               |
  +--------+           & Optional Refresh Token        +---------------+

               Figure 2: Refreshing an Expired Access Token

Following the implementation recommended by the AuthJS docs, the token is refreshed at the Auth service whenever the user requests the session, so that the Lobe user's login state is constrained by the Auth service. This implements the following:

  • When the Auth service suspends a user, Lobe actively invalidates the session and logs the user out

Known issue: because next-auth calls auth several times concurrently, this implementation has to refresh the token concurrently (concurrent [G]->[H] calls). Casdoor, however, implements the RFC 6749 recommendation that a refresh token may be used only once, so it cannot be integrated for now. It can be integrated once AuthJS has implemented a global lock.

  • Enabling the feature
NEXT_AUTH_SSO_ENABLE_REFRESH_TOKEN=1 # whether to enable OIDC token refresh
NEXT_AUTH_SSO_REFRESH_TOKEN_INTERVAL=60 # refresh interval in seconds; defaults to the time specified by the SSO provider minus 30 seconds

Database Session | Database Session Management Support

NEXT_AUTH_SSO_SESSION_STRATEGIE=database # session management strategy; defaults to jwt

Session management is centralized in the database so that when the Auth service disables a user, the user is immediately prevented from using Lobe.

Webhook

Handles the Auth service's events for disabling a user or forcing a logout.

Feature Support Matrix

SSO Token Rotation Webhook Database Session
Logto 🚧
Auth0 🚫
Casdoor 🚫 🚧

#6094


codecov bot commented Feb 16, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 97.57%. Comparing base (89b7da0) to head (4f31365).
Report is 23 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #6209      +/-   ##
==========================================
+ Coverage   91.53%   97.57%   +6.04%     
==========================================
  Files         689       14     -675     
  Lines       63110     3670   -59440     
  Branches     2951      203    -2748     
==========================================
- Hits        57767     3581   -54186     
+ Misses       5343       89    -5254     
Flag     Coverage Δ
app      ?
server   97.57% <ø> (+<0.01%) ⬆️


@cy948 force-pushed the feat/sso-refresh-token branch from 02179a0 to 50896f0 on February 16, 2025 10:15
@cy948 force-pushed the feat/sso-refresh-token branch from f1646dd to 689c22e on February 21, 2025 09:50
@cy948 changed the title from "✨feat: Support token refresh for sso providers" to "✨feat: Support database session & token refresh for sso providers" on Feb 21, 2025
@cy948 force-pushed the feat/sso-refresh-token branch 2 times, most recently from bb202f7 to fe8bbb1 on February 21, 2025 12:59
@cy948 force-pushed the feat/sso-refresh-token branch from fe8bbb1 to 4cf2829 on February 21, 2025 13:00