Create a real Okta session & store it in the cache, refresh it on each invocation #102
Conversation
mipearson
commented
Apr 26, 2021
•
mipearson
commented
- Uses https://developer.okta.com/docs/reference/api/sessions/#create-session-with-a-session-token to create a session that can be re-used, reducing the number of times we need to log in
- Refreshes the session to extend its expiry each time it's used
- Misc cleanups to cache logic
- Add verbose/debug flags for inspecting what's going on during the login process
rbvigilante
force-pushed
the
mp-use-okta-sessions
branch
3 times, most recently
from
f96f6d4
to
5cd3bc6
Compare
Make cache package responsible for checking if the cache is enabled, simplify cache usage in caller locations
- Maybe we should also clean up the increasingly-repetitice gob.Registers in cache.go?
mipearson
force-pushed
the
mp-use-okta-sessions
branch
from
0859638
to
280f630
Compare
mipearson
changed the title
mipearson
force-pushed
the
mp-use-okta-sessions
branch
from
280f630
to
3afb1d5
Compare
mipearson
force-pushed
the
mp-use-okta-sessions
branch
from
3afb1d5
to
6180520
Compare
cli/login.go
Outdated
|
|
||
| if err == nil { | ||
| session.ExpiresAt = response.ExpiresAt | ||
| cache.Write(oktaSessionCacheKey(), *session, session.ExpiresAt.Sub(time.Now())) |
There was a problem hiding this comment.
Do we want to cache this for the maximum allowable time? This means it will sit around for something like a week before asking for reauthentication. If we do, perhaps it would be good to be able to configure the session duration separately?
There was a problem hiding this comment.
Interestingly, I've been getting single day sessions, not entire week ones.
There was a problem hiding this comment.
Interesting. When I dumped sessions, the expiry date was always in something like a week's time. That's actually why I used WriteDefault initially. I guess there's probably not a lot we can do to control this with Okta, so maybe something in config for, like, a maximum allowable session cache time might be nice? I don't know.
There was a problem hiding this comment.
Added a flag to limit how long we're willing to keep an Okta session in the cache for without refresh, default to 1 day
| @@ -293,7 +331,7 @@ func promptLogin() (okta.OktaAuthResponse, error) { | |||
|
|
|||
| for unauthorised && (retries < maxLoginRetries) { | |||
| retries++ | |||
| username := viper.GetString("okta.username") | |||
| username := oktaUsername() | |||
There was a problem hiding this comment.
I'm totally fine with this approach, but it is different to what we're doing everywhere else in the codebase; I'd generally err on the side of consistency, but I'm also very happy if we think this is a better way to handle viper to just slowly convert stuff over as we go.
There was a problem hiding this comment.
oo, probably didn't need this explicit assignment here - was search-replacing.
But yeah - I'm 50/50 on it - I don't like repeated get("string") things because there's nothing there to stop a misspelled word.
There was a problem hiding this comment.
Yeah, I get it. Like I think I've said before, I think there are probably some things we can do to handle the vipers a bit better; we were quite naïve about this whole thing when we first wrote this code.
There was a problem hiding this comment.
Alright, let's leave it like this for now; we can come back and fix the snakes another time.
| return &session, nil | ||
| } | ||
|
|
||
| // TODO: DRY |
There was a problem hiding this comment.
Has this been left here intentionally, or should we do it as part of this PR?
There was a problem hiding this comment.
Intentionally - the way that this code does its HTTP handling needs some thought.
cmd/root.go
Outdated
|
|
||
| rootCmd.PersistentFlags().StringP("okta-username", "u", "", "Your Okta username") | ||
| rootCmd.PersistentFlags().String("okta-domain", "", "The domain to use for requests to Okta") | ||
| rootCmd.PersistentFlags().String("okta-aws-saml-endpoint", "", "The app embed path for the AWS app within Okta") | ||
| rootCmd.PersistentFlags().String("okta-mfa-type", "", "The Okta MFA type for login") | ||
| rootCmd.PersistentFlags().String("okta-mfa-provider", "", "The Okta MFA provider name for login") | ||
| rootCmd.PersistentFlags().Int64("okta-session-cache-limit", 86400, "The maximum amount of time we'll cache a session from Okta (in seconds)") |
There was a problem hiding this comment.
I think this would be better as a config file only option; it doesn't really make sense to pass it as a command-line argument?
There was a problem hiding this comment.
Eh, no strong opinion either way. I like the pragma of being able to specify things on the CLI when it's easy to do so, especially for testing.
There was a problem hiding this comment.
I don't actually mind much either way, but again I'd prefer consistency - if we want to allow this to be passed as a flag, we should also allow passing the other cache timeouts this way. Perhaps we could consider this another piece of work?
| @@ -293,7 +331,7 @@ func promptLogin() (okta.OktaAuthResponse, error) { | |||
|
|
|||
| for unauthorised && (retries < maxLoginRetries) { | |||
| retries++ | |||
| username := viper.GetString("okta.username") | |||
| username := oktaUsername() | |||
There was a problem hiding this comment.
Alright, let's leave it like this for now; we can come back and fix the snakes another time.
