Make auth tokens shorter so they can be entered manually

Bug #589335 reported by Stuart Metcalfe
This bug affects 2 people
Affects: Canonical SSO provider
Status: Fix Released
Importance: High
Assigned to: David Owen

Bug Description

Auth tokens are currently long and only able to be claimed by following a link from an email in a web browser. We need to remove both of these things as hard requirements to enable more complete desktop integration. The first step is to use much shorter tokens (4 characters is an initial suggestion) which are easier to re-type or read from more limited devices and provide a field on the 'sent' notification page to enter the token. The same system should be used in all places where auth tokens are required. We also need to remove the dependency on the same browser session being used to claim the token.

Testcase added to ISD_143

description: updated
Changed in canonical-identity-provider:
assignee: nobody → Łukasz Czyżykowski (lukasz-czyzykowski)
Julien Funk (jaboing) wrote :

Note to QA: will need a test case associated and possible refactoring of old testcases.

Changed in canonical-isd-qa:
assignee: nobody → Dave Morley (davmor2)
Changed in canonical-identity-provider:
assignee: Łukasz Czyżykowski (lukasz-czyzykowski) → David Owen (dsowen)
David Owen (dsowen)
Changed in canonical-identity-provider:
status: Confirmed → In Progress
David Owen (dsowen) wrote :

When we upgrade production for this, there will be older, long tokens which are still active. What should be our strategy for dealing with those? Some ideas:

 1. Keep two tables for the two types of tokens, and permanently retire the old ones after another upgrade cycle.

 2. Invalidate & remove the old tokens, forcing users to re-register, re-validate, &c.

 3. Keep old tokens, but put new tokens in the same table.

Łukasz Czyżykowski (lukasz-czyzykowski) wrote :

I would go with putting them in the same table. Just stopping creating long ones.

Changed in canonical-identity-provider:
milestone: 2.6.0 → 2.7.0
David Owen (dsowen) wrote :

Agreed with using the same table.

We currently select from 50 characters to generate tokens. A 4-character token would give ~6M possibilities. Even with a slightly longer token, we might want some additional security.

Łukasz and I discussed adjustments to the workflows to maintain good security with the shorter tokens. For new accounts and password resets, we settled on requiring the e-mail address that the token was sent to along with the token itself. This would significantly increase the amount of work required to guess or brute-force a token and capture an account. API-based clients could cache the e-mail submitted when requesting a new account or password reset, and re-submit it once the user has the token in hand.

For new e-mail addresses on existing accounts, we agree that the user must log in (or already be logged in) as the account owner to use the token. We are undecided whether the target e-mail address must also be entered.
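
The new-account and password-reset workflow from the comment above, sketched as an added example (not part of the thread and not the SSO project's code): a 4-character token drawn from 50 characters can only be claimed together with the e-mail address it was sent to. The alphabet, the `TokenStore` class, the token type names, case-insensitive address matching and single-use deletion are all assumptions made for illustration.

```python
import hmac
import secrets

# Assumed alphabet: the thread says only that tokens are drawn from 50 characters.
ALPHABET = "bcdfghjklmnpqrstvwxyzBCDFGHJKLMNPQRSTVWXYZ23456789"


def keyspace(length):
    """Number of distinct tokens of this length (50**4 = 6,250,000)."""
    return len(ALPHABET) ** length


def new_token(length=4):
    """Draw each character from the OS CSPRNG, not the `random` module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class TokenStore:
    """In-memory stand-in for the token table (hypothetical)."""

    def __init__(self):
        self._rows = {}  # (normalised e-mail, token type) -> token

    @staticmethod
    def _key(email, token_type):
        # Assumption: addresses are matched case-insensitively.
        return (email.strip().lower(), token_type)

    def issue(self, email, token_type, length=4):
        token = new_token(length)
        self._rows[self._key(email, token_type)] = token
        return token  # the real service would e-mail this to the user

    def claim(self, email, token_type, token):
        """Succeed only when the token AND the address it was sent to match."""
        key = self._key(email, token_type)
        stored = self._rows.get(key)
        if stored is None:
            return False
        if not hmac.compare_digest(stored.encode(), token.encode()):
            return False
        del self._rows[key]  # assumption: tokens are single use
        return True
```

Failed guesses are not counted in this sketch; the thread does not say how the service handles them.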

David Owen (dsowen)
Changed in canonical-identity-provider:
status: In Progress → Fix Committed
Stuart Metcalfe (stuartmetcalfe) wrote :

Small comment from ec2 testing: "6-digit" and "confirmation-code" shouldn't have hyphens. Would be good, but not critical to get this fixed before staging.

David Owen (dsowen)
Changed in canonical-identity-provider:
status: Fix Committed → In Progress
Dave Morley (davmor2) wrote :

Now a 6 digit code that is plain text and therefore copy pasteable.

passes on ec2

Changed in canonical-isd-qa:
status: New → Confirmed
David Owen (dsowen)
Changed in canonical-identity-provider:
status: In Progress → Fix Committed
Dave Morley (davmor2)
description: updated
Julien Funk (jaboing) wrote :

Passes on staging.

Changed in canonical-isd-qa:
status: Confirmed → Fix Committed
Dave Morley (davmor2)
description: updated
Dave Morley (davmor2) wrote :

Passes on Production

Changed in canonical-isd-qa:
status: Fix Committed → Fix Released
Julien Funk (jaboing)
Changed in canonical-isd-qa:
milestone: none → canonical-identity-provider+2.7.0
Danny Tamez (zematynnad)
Changed in canonical-isd-qa:
milestone: canonical-identity-provider+2.7.0 → 2.7.0
Danny Tamez (zematynnad)
Changed in canonical-isd-qa:
milestone: 2.7.0 → canonical-identity-provider+2.7.0
Changed in canonical-identity-provider:
status: Fix Committed → Fix Released