Skip to content

Always return 401 for not valid tokens #49736

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Dec 6, 2019
Merged

Always return 401 for not valid tokens #49736

merged 4 commits into from
Dec 6, 2019

Conversation

@jkakavas
Copy link
Contributor

@jkakavas jkakavas commented Nov 30, 2019

Return a 401 in all cases when a request is submitted with an
access token that we can't consume. Before this change, we would
throw a 500 when a request came in with an access token that we
had generated but was then invalidated/expired and deleted from
the tokens index.

Resolves: #38866

@jkakavas
Always return 401 for not valid tokens
331f041 
Return a 401 in all cases when a request is submitted with an
access token that we can't consume. Before this change, we would
throw a 500 when a request came in with an access token that we
had generated but was then invalidated/expired and deleted from
the tokens index.

Resolves: elastic#38866
@jkakavas
unused import
73fc137
@jkakavas jkakavas added >bug :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) v8.0.0 v7.6.0 labels Nov 30, 2019
@elasticmachine
Copy link
Collaborator

elasticmachine commented Nov 30, 2019

Pinging @elastic/es-security (:Security/Authentication)

albertzaharovits
albertzaharovits approved these changes Dec 6, 2019
View reviewed changes
Copy link
Contributor

@albertzaharovits albertzaharovits left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM , a missing token document is more likely a sign of an invalid token (401 Unauthorized) than of a bug which might have deleted or otherwise erroneously stored the token document, in both the encrypted and the hashed token cases.

@jkakavas jkakavas merged commit 0b9a9b4 into elastic:master Dec 6, 2019
jkakavas added a commit to jkakavas/elasticsearch that referenced this pull request Dec 10, 2019
@jkakavas
Always return 401 for not valid tokens (elastic#49736)
9d44177 
Return a 401 in all cases when a request is submitted with an
access token that we can't consume. Before this change, we would
throw a 500 when a request came in with an access token that we
had generated but was then invalidated/expired and deleted from
the tokens index.

Resolves: elastic#38866
@jkakavas jkakavas mentioned this pull request Dec 10, 2019
Merged
jkakavas added a commit that referenced this pull request Dec 11, 2019
@jkakavas
Always return 401 for not valid tokens (#49736) (#50042)
3b613c3 
Return a 401 in all cases when a request is submitted with an
access token that we can't consume. Before this change, we would
throw a 500 when a request came in with an access token that we
had generated but was then invalidated/expired and deleted from
the tokens index.

Resolves: #38866
Backport of #49736
jkakavas added a commit to jkakavas/elasticsearch that referenced this pull request Dec 13, 2019
@jkakavas
Fix testMalformedToken
a78ba25 
This test was fixed as part of elastic#49736 so that it used a
TokenService mock instance that was enabled, so that token
verification fails because the token is invalid and not because
the token service is not enabled.
When the randomly generated token we send, decodes to being of
version > 7.2 , we need to have mocked a GetResponse for the call
that TokenService#getUserTokenFromId will make, otherwise this
hangs and times out.
@jkakavas jkakavas mentioned this pull request Dec 13, 2019
Merged
jkakavas added a commit that referenced this pull request Dec 13, 2019
@jkakavas
Fix testMalformedToken (#50164)
68c739f 
This test was fixed as part of #49736 so that it used a
TokenService mock instance that was enabled, so that token
verification fails because the token is invalid and not because
the token service is not enabled.
When the randomly generated token we send, decodes to being of
version > 7.2 , we need to have mocked a GetResponse for the call
that TokenService#getUserTokenFromId will make, otherwise this
hangs and times out.
jkakavas added a commit to jkakavas/elasticsearch that referenced this pull request Dec 13, 2019
@jkakavas
Fix testMalformedToken (elastic#50164)
4fba862 
This test was fixed as part of elastic#49736 so that it used a
TokenService mock instance that was enabled, so that token
verification fails because the token is invalid and not because
the token service is not enabled.
When the randomly generated token we send, decodes to being of
version > 7.2 , we need to have mocked a GetResponse for the call
that TokenService#getUserTokenFromId will make, otherwise this
hangs and times out.
jkakavas added a commit that referenced this pull request Dec 13, 2019
@jkakavas
Fix testMalformedToken (#50164) (#50170)
4637610 
This test was fixed as part of #49736 so that it used a
TokenService mock instance that was enabled, so that token
verification fails because the token is invalid and not because
the token service is not enabled.
When the randomly generated token we send, decodes to being of
version > 7.2 , we need to have mocked a GetResponse for the call
that TokenService#getUserTokenFromId will make, otherwise this
hangs and times out.
SivagurunathanV pushed a commit to SivagurunathanV/elasticsearch that referenced this pull request Jan 23, 2020
@jkakavas @SivagurunathanV
Always return 401 for not valid tokens (elastic#49736)
ab9baef 
Return a 401 in all cases when a request is submitted with an
access token that we can't consume. Before this change, we would
throw a 500 when a request came in with an access token that we
had generated but was then invalidated/expired and deleted from
the tokens index.

Resolves: elastic#38866
SivagurunathanV pushed a commit to SivagurunathanV/elasticsearch that referenced this pull request Jan 23, 2020
@jkakavas @SivagurunathanV
Fix testMalformedToken (elastic#50164)
b4efe1f 
This test was fixed as part of elastic#49736 so that it used a
TokenService mock instance that was enabled, so that token
verification fails because the token is invalid and not because
the token service is not enabled.
When the randomly generated token we send, decodes to being of
version > 7.2 , we need to have mocked a GetResponse for the call
that TokenService#getUserTokenFromId will make, otherwise this
hangs and times out.
This was referenced Feb 3, 2020
Closed
Closed
@jkakavas jkakavas mentioned this pull request Feb 5, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@albertzaharovits albertzaharovits albertzaharovits approved these changes

Assignees

No one assigned

Labels

>bug :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) v7.6.0 v8.0.0-alpha1

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Return 401 instead of 500 on use of invalid access tokens

4 participants

@jkakavas @elasticmachine @albertzaharovits @jakelandis