From 55bfa944ad0197ae294d85ac42abf98297fa3a5d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 18 Aug 2022 14:19:59 +0200
Subject: [PATCH 22/23] oidc_child: increase wait interval by 5s if 'slow_down'
is returned
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
While waiting for the user to authenticate with the IdP oidc_child
currently only handles the error code 'authorization_pending' and waits
for the given interval until a new request is sent. But there is also
'slow_down' which should not be treated as fatal error but should just
increase the waiting time permanently for 5s.
Resolves: https://github.com/SSSD/sssd/issues/6146
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 5ed7670766483040211713f8182510775c76b962)
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/oidc_child/oidc_child_curl.c | 8 +++++++-
src/oidc_child/oidc_child_json.c | 6 ++++++
2 files changed, 13 insertions(+), 1 deletion(-)
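diff --git a/src/oidc_child/oidc_child_curl.c b/src/oidc_child/oidc_child_curl.c
index 6e80c3abf..cf0976021 100644
--- a/src/oidc_child/oidc_child_curl.c
+++ b/src/oidc_child/oidc_child_curl.c
@@ -378,8 +378,14 @@ errno_t get_token(TALLOC_CTX *mem_ctx,
 break;
 }
 
- sleep(dc_ctx->interval);
 waiting_time += dc_ctx->interval;
+ if (waiting_time >= dc_ctx->expires_in) {
+ /* Next sleep will end after the request is expired on the
+ * server side, so we can just error out now. */
+ ret = ETIMEDOUT;
+ break;
+ }
+ sleep(dc_ctx->interval);
 } while (waiting_time < dc_ctx->expires_in);
 
 if (ret != EOK) {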
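Review bot: The expiry check added before `sleep()` relies on `waiting_time`, which only sums `dc_ctx->interval` and never measures elapsed time, so it is only as good as that server-supplied value. If `interval` can reach this loop as 0 (its validation is not visible in the hunk), `waiting_time` never advances and the loop would poll the IdP without delay and never reach `ETIMEDOUT`; a guard such as `if (dc_ctx->interval <= 0) { ret = EINVAL; break; }` ahead of the addition, or a deadline taken from a monotonic clock, would close that. `sleep()` can also return early with a non-zero remainder when a signal arrives, which shortens the interval the server asked for. The do/while loop starts above the hunk in get_token().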
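diff --git a/src/oidc_child/oidc_child_json.c b/src/oidc_child/oidc_child_json.c
index efc1997aa..a89794c4c 100644
--- a/src/oidc_child/oidc_child_json.c
+++ b/src/oidc_child/oidc_child_json.c
@@ -413,6 +413,12 @@ errno_t parse_token_result(struct devicecode_ctx *dc_ctx,
 if (strcmp(json_string_value(tmp), "authorization_pending") == 0) {
 json_decref(result);
 return EAGAIN;
+ } else if (strcmp(json_string_value(tmp), "slow_down") == 0) {
+ /* RFC 8628: "... the interval MUST be increased by 5 seconds for"
+ * "this and all subsequent requests." */
+ dc_ctx->interval += 5;
+ json_decref(result);
+ return EAGAIN;
 } else {
 *error_description = get_json_string(dc_ctx, result,
 "error_description");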
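Review bot: The new `slow_down` branch hands `json_string_value(tmp)` straight to `strcmp()`, as the `authorization_pending` branch above it does; jansson returns NULL from that call when the value is not a string, and this value presumably comes from the IdP's reply. Whether `tmp` is checked with `json_is_string()` beforehand is not visible, because parse_token_result() starts above the hunk; if it is not, fetch the string once with `const char *err = json_string_value(tmp);` and return an error on NULL before comparing. The literal in `dc_ctx->interval += 5;` would also read better as a named constant placed next to the RFC 8628 quote.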
--
2.37.3