1 change: 1 addition & 0 deletions AUTHORS
Expand Up @@ -27,3 +27,4 @@ pySilver
Rodney Richardson
Silvano Cerza
Stéphane Raimbault
Michael Helvey
2 changes: 1 addition & 1 deletion oauth2_provider/migrations/0004_idtoken.py
Expand Up @@ -15,7 +15,7 @@ class Migration(migrations.Migration):
name='IDToken',
fields=[
('id', models.BigAutoField(primary_key=True, serialize=False)),
('token', models.TextField(unique=True)),
('token', models.TextField()),
('expires', models.DateTimeField()),
('scope', models.TextField(blank=True)),
('created', models.DateTimeField(auto_now_add=True)),
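Review bot: This edits migration 0004_idtoken in place instead of adding a new migration with an AlterField, so any database that has already applied 0004 keeps its unique index on `token` while Django's migration state says it is gone, and makemigrations will not detect the mismatch. If 0004 has already shipped in a release, add a follow-up migration with `migrations.AlterField(model_name='idtoken', name='token', field=models.TextField())` instead of rewriting 0004; if it has not shipped, saying so in the PR description would help reviewers.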
2 changes: 1 addition & 1 deletion oauth2_provider/models.py
Expand Up @@ -449,7 +449,7 @@ class AbstractIDToken(models.Model):
settings.AUTH_USER_MODEL, on_delete=models.CASCADE, blank=True, null=True,
related_name="%(app_label)s_%(class)s"
)
token = models.TextField(unique=True)
token = models.TextField()
Collaborator
Or should we move to UUID?

Author

@michaelhelvey michaelhelvey Jun 25, 2020
But isn't this value not actually a UUID but a raw JWT (see the get_claims method on this class), in which case a TextField is the appropriate type? Maybe I'm not understanding what this value does.

This field needs to be a text field because a long string (the JWT token) will be persisted in it, but I think that, independently of the database backend, there seems to be no reason for this field to be unique.

But, in terms of security, I think that this token really needs to be unique, so every request will receive a valid response with a different valid token. In the token generation process, more information can be added to guarantee that uniqueness won't be violated. I don't know, but I think we need another approach to resolve this problem for MySQL backends.


An idea would be to add an additional unique CharField that contains a hash of the token. So we can make sure it is really unique on a MySQL backend.

application = models.ForeignKey(
oauth2_settings.APPLICATION_MODEL, on_delete=models.CASCADE, blank=True, null=True,
)
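Review bot: Dropping unique=True on `token` removes the only database-level guard against two IDToken rows holding the same JWT, and nothing in this hunk replaces it. The thread names the MySQL limitation on indexing a TextField as the motivation, so the cleaner fix is the one suggested above: keep the raw JWT in the TextField and add a separate fixed-length unique column holding a hash of it (for example `CharField(max_length=64, unique=True)` filled with a SHA-256 hex digest on save), and run lookups and the uniqueness check against that column. Whichever approach is taken, the model and migration 0004 must stay in sync, which they currently do.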