Fix: OIDC (#699)

* fix: use sub for OIDC RBAC * fix: stop policies fetch loop after logout
percona · Sep 19, 2024 · bdf985f · bdf985f
1 parent c9abd86
commit bdf985f
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 5 deletions.
diff --git a/ui/apps/everest/src/contexts/auth/auth.provider.tsx b/ui/apps/everest/src/contexts/auth/auth.provider.tsx
@@ -23,7 +23,10 @@ import {
   UserAuthStatus,
 } from './auth.context.types';
 import { isAfter } from 'date-fns';
-import { initializeAuthorizerFetchLoop } from 'utils/rbac';
+import {
+  initializeAuthorizerFetchLoop,
+  stopAuthorizerFetchLoop,
+} from 'utils/rbac';
 
 const Provider = ({
   oidcConfig,
@@ -124,6 +127,7 @@ const AuthProvider = ({ children, isSsoEnabled }: AuthProviderProps) => {
       await userManager.clearStaleState();
       await userManager.removeUser();
     }
+    stopAuthorizerFetchLoop();
   }, [userManager]);
 
   const silentlyRenewToken = useCallback(async () => {
@@ -140,7 +144,8 @@ const AuthProvider = ({ children, isSsoEnabled }: AuthProviderProps) => {
     if (isSsoEnabled) {
       userManager.events.addUserLoaded((user) => {
         localStorage.setItem('everestToken', user.id_token || '');
-        setLoggedInStatus(user.profile.name || '');
+        const decoded = jwtDecode(user.id_token || '');
+        setLoggedInStatus(decoded.sub || '');
       });
 
       userManager.events.addAccessTokenExpiring(() => {
@@ -165,10 +170,10 @@ const AuthProvider = ({ children, isSsoEnabled }: AuthProviderProps) => {
       const decoded = jwtDecode(token);
       const iss = decoded.iss;
       const exp = decoded.exp;
-      const username =
-        decoded.sub?.substring(0, decoded.sub.indexOf(':')) || '';
       if (iss === EVEREST_JWT_ISSUER) {
         const isTokenValid = await checkAuth(token);
+        const username =
+          decoded.sub?.substring(0, decoded.sub.indexOf(':')) || '';
         if (isTokenValid) {
           setLoggedInStatus(username);
         } else {
@@ -185,7 +190,7 @@ const AuthProvider = ({ children, isSsoEnabled }: AuthProviderProps) => {
         if (!user) {
           setLogoutStatus();
         } else {
-          setLoggedInStatus(username);
+          setLoggedInStatus(decoded.sub || '');
           return;
         }
       }

diff --git a/ui/apps/everest/src/utils/rbac.ts b/ui/apps/everest/src/utils/rbac.ts
@@ -81,6 +81,10 @@ export const initializeAuthorizerFetchLoop = async (user: string) => {
   }, 5000);
 };
 
+export const stopAuthorizerFetchLoop = () => {
+  clearInterval(timeoutId);
+};
+
 export const can = async (
   action: RBACAction,
   resource: RBACResource,