Support auth in multiple tabs

By default the UserManager uses session storage for its authentication credentials. That is restricted to a single tab. In order to support using the same auth token in multiple tabs, we could switch that to localStorage which is shared by all tabs of the same domain. But then if a user exited the browser, they might be surprised to find that they were still logged in when restarting. The typically short lifetime of OIDC tokens mitigates that somewhat, but it's probably best not to subvert that expectation anyway. Instead, we can continue to use session storage by using a BroadcastChannel to notify other tabs of login/out events and transfer the token info as well. This is a standard feature of modern browsers, but we're using a library that wraps it for two reasons: it supports older browsers with compatability workarounds if required, and it implements a leader election protocol. More on that in a minute. We would also like to automatically renew tokens shortly before they expire. The UserManager has an automatic facility for that, but it isn't multi-tab aware, so every tab would try to renew at the same time if we used it. Instead, we hook into the UserManager timer that fires about one minute before token expiration and use the leader election to decide which tab will renew the token. We renew the token silently in the background with a hidden iframe. In this case, instead of using our normal auth callback page, we use a much simpler "silent callback" which does not render the rest of our application. This avoids confusion and reduces resource usage. This also moves any remaining token lifecycle handling out of the Auth component and into ZuulAuthProvider, so the division of responsibilities is much simpler. Change-Id: I17af1a98bf8d704dd7650109aa4979b34086e2fa
author: James E. Blair <jim@acmegating.com> 2021-11-13 17:05:28 -0800
committer: Matthieu Huin <mhuin@redhat.com> 2021-11-18 17:40:04 +0100
commit: 560fa563db4503e592c945f97bb7cbdec4d71c66 (patch)
tree: bc21f8265e63f0fea30a9a042e62eedca175c8e4 /web/src/ZuulAuthProvider.jsx
parent: b13ff51ddaccbdf3cf496d52094226edba8195a6 (diff)
download: zuul-560fa563db4503e592c945f97bb7cbdec4d71c66.tar.gz
1 files changed, 116 insertions, 3 deletions
diff --git a/web/src/ZuulAuthProvider.jsx b/web/src/ZuulAuthProvider.jsx
index a31460517..94deff961 100644
--- a/web/src/ZuulAuthProvider.jsx
+++ b/web/src/ZuulAuthProvider.jsx
@@ -19,6 +19,9 @@ import { connect } from 'react-redux'
 
 import { AuthProvider } from 'oidc-react'
 import { userLoggedIn, userLoggedOut } from './actions/user'
+import { UserManager, User } from 'oidc-client'
+import { getHomepageUrl } from './api'
+import _ from 'lodash'
 
 
 class ZuulAuthProvider extends React.Component {
@@ -41,26 +44,136 @@ class ZuulAuthProvider extends React.Component {
    */
   static propTypes = {
     auth_params: PropTypes.object,
+    channel: PropTypes.object,
+    election: PropTypes.object,
     dispatch: PropTypes.func,
     children: PropTypes.any,
   }
 
   render() {
-    const { auth_params } = this.props
+    const { auth_params, channel, election } = this.props
 
     console.debug('ZuulAuthProvider rendering with params', auth_params)
 
+    const userManager = new UserManager({
+      ...auth_params,
+      response_type: 'token id_token',
+      silent_redirect_uri: getHomepageUrl() + 'silent_callback',
+      redirect_uri: getHomepageUrl() + 'auth_callback',
+      includeIdTokenInSilentRenew: false,
+    })
+
     const oidcConfig = {
       onSignIn: async (user) => {
+        // Update redux with the logged in state and send the
+        // credentials to any other tabs.
         this.props.dispatch(userLoggedIn(user))
+        this.props.channel.postMessage({
+          type: 'signIn',
+          auth_params: auth_params,
+          user: user
+        })
       },
       onSignOut: async () => {
+        // Update redux with the logged out state and send the
+        // credentials to any other tabs.
         this.props.dispatch(userLoggedOut())
+        this.props.channel.postMessage({
+          type: 'signOut',
+          auth_params: auth_params
+        })
       },
-      responseType: 'token id_token',
       autoSignIn: false,
-      ...auth_params,
+      userManager: userManager,
+    }
+
+    // This is called whenever we receive a message from another tab
+    channel.onmessage = (msg) => {
+      console.debug('Received broadcast message', msg)
+
+      if (msg.type === 'signIn' && _.isEqual(msg.auth_params, auth_params)) {
+        const user = new User(msg.user)
+        userManager.getUser().then((olduser) => {
+          // In some cases, we can receive our own message, so make
+          // sure that the user info we received is different from
+          // what we already have.
+          let needToUpdate = true
+          if (olduser) {
+            if (user.toStorageString() === olduser.toStorageString()) {
+              needToUpdate = false
+            }
+          }
+          if (needToUpdate) {
+            console.debug('New token from other tab')
+            userManager.storeUser(user)
+            userManager.events.load(user)
+            this.props.dispatch(userLoggedIn(user))
+          }
+        })
+      }
+      else if (msg.type === 'signOut' && _.isEqual(msg.auth_params, auth_params)) {
+        userManager.removeUser()
+        this.props.dispatch(userLoggedOut())
+      }
+      else if (msg.type === 'init') {
+        // A new tab has been created; send our token in case it's helpful.
+        userManager.getUser().then((user) => {
+          if (user) {
+            console.debug('Sending token to new tab')
+            this.props.channel.postMessage({
+              type: 'signIn',
+              auth_params: auth_params,
+              user: user
+            })
+          }
+        })
+      }
     }
+
+    // If we already have user data saved in session storage, we need to
+    // tell redux about it.
+    userManager.getUser().then((user) => {
+      if (user) {
+        console.debug('Restoring initial login from userManager')
+        this.props.dispatch(userLoggedIn(user))
+      } else {
+        // Maybe another tab is logged in.  Ask them to send us tokens.
+        console.debug('Asking other tabs for auth tokens')
+        this.props.channel.postMessage({ type: 'init' })
+      }
+    })
+
+    // This is called when a token is expired
+    userManager.events.addAccessTokenExpired(() => {
+      console.log('Auth token expired')
+      userManager.removeUser()
+      this.props.dispatch(userLoggedOut())
+      this.props.channel.postMessage({ 'type': 'signOut' })
+    })
+
+    // This is called about 1 minute before a token is expired.  We will try
+    // to renew the token.  We use a leader election so that only one tab
+    // makes the attempt; the others will receive the token via a broadcast
+    // event.
+    userManager.events.addAccessTokenExpiring(() => {
+      if (election.isLeader) {
+        console.debug('Token is expiring; renewing')
+        userManager.signinSilent().then(user => {
+          console.debug('Token renewal successful')
+          this.props.dispatch(userLoggedIn(user))
+          channel.postMessage({
+            type: 'signIn',
+            auth_params: auth_params,
+            user: user
+          })
+        }, err => {
+          console.error('Error renewing token:', err.message)
+        })
+      } else {
+        console.debug('Token is expiring; expecting leader to renew')
+      }
+    })
+
     return (
       <React.Fragment>
         <AuthProvider {...oidcConfig} key={JSON.stringify(auth_params)}>
author	James E. Blair <jim@acmegating.com>	2021-11-13 17:05:28 -0800
committer	Matthieu Huin <mhuin@redhat.com>	2021-11-18 17:40:04 +0100
commit	560fa563db4503e592c945f97bb7cbdec4d71c66 (patch)
tree	bc21f8265e63f0fea30a9a042e62eedca175c8e4 /web/src/ZuulAuthProvider.jsx
parent	b13ff51ddaccbdf3cf496d52094226edba8195a6 (diff)
download	zuul-560fa563db4503e592c945f97bb7cbdec4d71c66.tar.gz