enable Auth0 sign-in for taskcluster-staging
Categories: Taskcluster :: Services, enhancement
Tracking: Not tracked
People: Reporter: dustin, Assigned: hassan
Comment 1 (Reporter) • 6 years ago
Comment 2 (Reporter) • 6 years ago
Comment 3 (Reporter) • 6 years ago
Updated • 6 years ago
Comment 4 (Assignee) • 5 years ago
AJ, are there any updates since the login RRA meeting? If I recall from our last discussion, members of secops were going to inspect the login flow in tc-web-server. Thanks!
Comment 5 • 5 years ago
Hey Hassan,
I did a quick run through and it looks okay to me, except I have one question at the moment: How is revocation of the JWT handled?
As an example, say I logged in via Github, so the expiration of my JWT is forever (https://github.com/taskcluster/taskcluster/blob/1c62ce556178356581715a9f98223a7098cf9b9d/services/web-server/src/login/strategies/github.js#L89-L95) and then my laptop gets stolen. How do I (or the taskcluster team, etc) revoke that JWT so that it can no longer be used on my stolen laptop?
Comment 6 • 5 years ago
Along side this, I don't think that the expiration for JWT's (or any session tokens) should exceed ~30 days.
Updated (Reporter) • 5 years ago
Comment 7 (Assignee) • 5 years ago
If your laptop gets stolen, we can remove your scopes from https://taskcluster-ui.herokuapp.com/auth/clients. The next thing I think you should do is revoke the session from that device using https://github.com/settings/security. Dustin, can you confirm?
> Along side this, I don't think that the expiration for JWT's (or any session tokens) should exceed ~30 days.
We can adjust this to be 30 days.
Comment 8 (Assignee) • 5 years ago
Comment 9 (Reporter) • 5 years ago
Hmm, now that you mention it, revoking the session as you describe wouldn't change anything -- that token is only used immediately after login to identify the user. The JWT is generated from there, and the GitHub API token discarded.
As I mentioned in the PR (but should have written here):
> [T]he JWT just indicates identity, so if a GitHub user is removed from a team for example their access to roles related to that team will go away in 15 minutes (not 30 days) when the TC credentials from getCredentials expire and must be renewed.
so we're not totally in trouble.
Since this bug is about Auth0, and the topic here is GitHub, let's pop this out to a new bug? We can discuss possible solutions there.
Comment 10 • 5 years ago
> Since this bug is about Auth0, and the topic here is GitHub, let's pop this out to a new bug? We can discuss possible solutions there.
That sounds good.
Comment 11 (Reporter) • 5 years ago
Comment 12 (Reporter) • 5 years ago
This bug is likely almost done, then, although I was unable to login via auth0 just now, I think because its JWT secret config is not up-to-date. That will likely get fixed as we transition to the new helm-based deployment approach.
Comment 13 (Assignee) • 5 years ago
I'm thinking of adding auth0 login at least for https://taskcluster-ui.herokuapp.com. I think I just need to ask the IAM team to add the new callbackUrl and it should work. Happy to wait if you think this is a bad idea.
Comment 14 (Reporter) • 5 years ago
Sounds good to me!
Comment 15 (Reporter) • 5 years ago
This isn't blocking tc-cloudops anymore (but still not done per comment 13)
Updated (Reporter) • 5 years ago
Comment 16 (Assignee) • 5 years ago
(In reply to Dustin J. Mitchell [:dustin] (he/him) from comment #15)
> This isn't blocking tc-cloudops anymore (but still not done per comment 13)
It turns out we can't send cookies from https://taskcluster-ui.herokuapp.com to https://taskcluster-web-server.herokuapp.com. From https://devcenter.heroku.com/articles/cookies-and-herokuapp-com:
> herokuapp.com domain are prevented from setting cookies for *.herokuapp.com
Login works however on https://hassan.taskcluster-dev.net/ (try logging in with GitHub).