fix: User expiring membership for federated users (#425)

When the user logs in through the IdP python keystone uses expiring
group memberships.

Fixes: #363

Author: gtema

Cargo.toml

@@ -91,7 +91,7 @@ sea-orm = { version = "1.1", features = ["mock", "sqlx-sqlite" ]}
 serde_urlencoded = { version = "0.7" }
 tempfile = { version = "3.23" }
 thirtyfour = "0.36"
-tracing-test = { version = "0.2" }
+tracing-test = { version = "0.2", features = ["no-env-filter"] }
 url = { version = "2.5" }
 webauthn-rs = { version = "0.5", features = ["danger-credential-internals"] }
 

doc/src/SUMMARY.md

@@ -22,6 +22,7 @@
     - [PCI-DSS: Failed Auth Protection](adr/0010-pci-dss-failed-auth-protection.md)
     - [PCI-DSS: Inactive Account Deactivation](adr/0011-pci-dss-inactive-account-deactivation.md)
     - [PCI-DSS: Account Password Expiration](adr/0012-pci-dss-account-password-expiry.md)
+    - [Federation OIDC: Expiring Group Membership](adr/0013-federation-oidc-expiring-group-membership.md)
 - [Policy enforcement](policy.md)
 - [Fernet token]()
   - [Token payloads]()

doc/src/adr/0013-federation-oidc-expiring-group-membership.md

@@ -0,0 +1,52 @@
+# 13. OpenIDConnect federation: Expiring group membership
+
+Date: 2025-12-09
+
+## Status
+
+Accepted
+
+## Context
+
+Python Keystone uses expiring group membership for the federated users
+<https://specs.openstack.org/openstack/keystone-specs/specs/keystone/ussuri/expiring-group-memberships.html>.
+Every time the user authenticates using the federated login it's group
+membership are persisted in the `expiring_user_group_membership` table instead
+of the `user_group_membership`. The table has a non nullable column
+`last_verified` which is set to the time of the last user login. The user is
+considered to be included as a member of the group for the period of time
+specified in the `conf.federation.default_authorization_ttl`. Once the
+`user.last_verified + ttl < current_timestamp()` the user is not considered the
+member of the group anymore. The intention of this mechanism is to prevent stale
+group memberships granting the user privileges.
+
+## Decision
+
+For compatibility reasons rust implementation must implement the same
+functionality.
+
+Every time the user authenticates the user group memberships are persisted in
+the `expiring_user_group_membership` table.
+
+- Current group membership is being read from the database (ignoring the time
+  limitation).
+
+- The group membership that the user should not be having anymore are deleted.
+
+- For the new group memberships corresponding entries are added with the current
+  timestamp.
+
+- For all other groups that the user is still member of corresponding records
+  are updated to set `last_verified` to the current timestamp.
+
+- Effective role assignments of the user are taking into the consideration
+  expiring group memberships through the `list_user_groups` respecting the
+  expiring membershipts (independent of the `idp_id`) as
+  `expiring_user_group_membership.last_verified > current_timestamp - conf.federation.default_authorization_ttl`.
+
+## Consequences
+
+- The user must login periodically to keep application credentials working when
+  corresponding roles are granted through the expiring group membership.
+
+- With the SCIM support the expiring membership should not be necessary.

doc/src/federation/oidc.md

@@ -58,3 +58,25 @@ The ultimate flexibility of having a single IdP for multiple domains is by
 specifying the claim attribute that specifies domain the user should belong to.
 This is implemented by using the `domain-id-claim` attribute of the mapping.
 Authentication with the claim missing is going to be rejected.
+
+## User group membership
+
+When a user authenticates using the OIDC the group memberships are persisted in
+the database with the expiration in addition to the list of group ids being also
+saved in the token. This mechanism intends preventing continuous use of the
+roles granted through the group memberships (i.e. with application credentials).
+`conf.federation.default_authorization_ttl` configuration variable defines the
+expiration for such group memberships. Every time the user authenticates with
+the OIDC the group memberships are renewed (their `last_verified` property is
+reset to the login timestamp). Groups the user is not member of anymore would be
+unassigned.
+
+The major consequence of this when using the application credentials that rely
+on the roles assigned through the group memberships is that the user need to
+periodically login using the OIDC (no other authentication method is renewing
+the group memberships since Keystone has currently no mechanism of querying the
+IdP for the current groups.
+
+This is going to be changed soon since Keystone now has the means of
+communication with the IdP. Additionally the SCIM support is going to be added
+allowing the IdP to push updates to the Keystone.

src/api/v4/federation/oidc.rs

@@ -278,10 +278,12 @@ pub async fn callback(
             state
                 .provider
                 .get_identity_provider()
-                .set_user_groups(
+                .set_user_groups_expiring(
                     &state,
                     &user.id,
                     HashSet::from_iter(group_ids.iter().map(|i| i.as_str())),
+                    idp.id.as_ref(),
+                    Some(&Utc::now()),
                 )
                 .await?;
         }

src/config.rs

@@ -14,7 +14,7 @@
 //! # Keystone configuration
 //!
 //! Parsing of the Keystone configuration file implementation.
-use chrono::{NaiveDate, TimeDelta, Utc};
+use chrono::{DateTime, NaiveDate, TimeDelta, Utc};
 use config::{File, FileFormat};
 use eyre::{Report, WrapErr};
 use regex::Regex;
@@ -182,16 +182,30 @@ pub struct FederationProvider {
     /// Federation provider backend.
     #[serde(default = "default_sql_driver")]
     pub driver: String,
+    /// Default time in minutes for the validity of group memberships carried over from a mapping. Default is 0, which means disabled.
+    #[serde(default)]
+    pub default_authorization_ttl: u32,
 }
 
 impl Default for FederationProvider {
     fn default() -> Self {
         Self {
             driver: default_sql_driver(),
+            default_authorization_ttl: 0,
         }
     }
 }
-
+impl FederationProvider {
+    /// Return oldest `last_verified` date for the expiring user group membership.
+    ///
+    /// Calculate the oldest time for the expiring user group membership to not be considered as
+    /// valid.
+    pub(crate) fn get_expiring_user_group_membership_cutof_datetime(&self) -> DateTime<Utc> {
+        Utc::now()
+            .checked_sub_signed(TimeDelta::seconds(self.default_authorization_ttl.into()))
+            .unwrap_or(Utc::now())
+    }
+}
 /// Identity provider.
 #[derive(Debug, Deserialize, Clone)]
 pub struct IdentityProvider {

src/db/entity/expiring_user_group_membership.rs

@@ -25,6 +25,7 @@ pub struct Model {
     pub group_id: String,
     #[sea_orm(primary_key, auto_increment = false)]
     pub idp_id: String,
+    #[sea_orm(default_expr = "Expr::current_timestamp()")]
     pub last_verified: DateTime,
 }
 

src/federation/types/mapping.rs

@@ -103,6 +103,7 @@ pub struct MappingUpdate {
     pub r#type: Option<MappingType>,
 
     /// Enabled attribute.
+    #[builder(default)]
     pub enabled: Option<bool>,
 
     /// List of allowed redirect_uri for the oidc mapping.

src/identity/backends.rs

@@ -13,6 +13,7 @@
 // SPDX-License-Identifier: Apache-2.0
 
 use async_trait::async_trait;
+use chrono::{DateTime, Utc};
 use dyn_clone::DynClone;
 use std::collections::HashSet;
 use webauthn_rs::prelude::{Passkey, PasskeyAuthentication, PasskeyRegistration};
@@ -117,13 +118,30 @@ pub trait IdentityBackend: DynClone + Send + Sync + std::fmt::Debug {
         group_id: &'a str,
     ) -> Result<(), IdentityProviderError>;
 
+    /// Add the user to the group with expiration.
+    async fn add_user_to_group_expiring<'a>(
+        &self,
+        state: &ServiceState,
+        user_id: &'a str,
+        group_id: &'a str,
+        idp_id: &'a str,
+    ) -> Result<(), IdentityProviderError>;
+
     /// Add user group membership relations.
     async fn add_users_to_groups<'a>(
         &self,
         state: &ServiceState,
         memberships: Vec<(&'a str, &'a str)>,
     ) -> Result<(), IdentityProviderError>;
 
+    /// Add expiring user group membership relations.
+    async fn add_users_to_groups_expiring<'a>(
+        &self,
+        state: &ServiceState,
+        memberships: Vec<(&'a str, &'a str)>,
+        idp_id: &'a str,
+    ) -> Result<(), IdentityProviderError>;
+
     /// Remove the user from the group.
     async fn remove_user_from_group<'a>(
         &self,
@@ -132,6 +150,15 @@ pub trait IdentityBackend: DynClone + Send + Sync + std::fmt::Debug {
         group_id: &'a str,
     ) -> Result<(), IdentityProviderError>;
 
+    /// Remove the user from the group with expiration.
+    async fn remove_user_from_group_expiring<'a>(
+        &self,
+        state: &ServiceState,
+        user_id: &'a str,
+        group_id: &'a str,
+        idp_id: &'a str,
+    ) -> Result<(), IdentityProviderError>;
+
     /// Remove the user from multiple groups.
     async fn remove_user_from_groups<'a>(
         &self,
@@ -140,6 +167,15 @@ pub trait IdentityBackend: DynClone + Send + Sync + std::fmt::Debug {
         group_ids: HashSet<&'a str>,
     ) -> Result<(), IdentityProviderError>;
 
+    /// Remove the user from multiple expiring groups.
+    async fn remove_user_from_groups_expiring<'a>(
+        &self,
+        state: &ServiceState,
+        user_id: &'a str,
+        group_ids: HashSet<&'a str>,
+        idp_id: &'a str,
+    ) -> Result<(), IdentityProviderError>;
+
     /// Set group memberships for the user.
     async fn set_user_groups<'a>(
         &self,
@@ -148,6 +184,16 @@ pub trait IdentityBackend: DynClone + Send + Sync + std::fmt::Debug {
         group_ids: HashSet<&'a str>,
     ) -> Result<(), IdentityProviderError>;
 
+    /// Set expiring group memberships for the user.
+    async fn set_user_groups_expiring<'a>(
+        &self,
+        state: &ServiceState,
+        user_id: &'a str,
+        group_ids: HashSet<&'a str>,
+        idp_id: &'a str,
+        last_verified: Option<&DateTime<Utc>>,
+    ) -> Result<(), IdentityProviderError>;
+
     /// List user passkeys.
     async fn list_user_webauthn_credentials<'a>(
         &self,

src/identity/backends/sql.rs

@@ -13,6 +13,7 @@
 // SPDX-License-Identifier: Apache-2.0
 
 use async_trait::async_trait;
+use chrono::{DateTime, Utc};
 use std::collections::HashSet;
 use webauthn_rs::prelude::{Passkey, PasskeyAuthentication, PasskeyRegistration};
 
@@ -162,7 +163,15 @@ impl IdentityBackend for SqlBackend {
         state: &ServiceState,
         user_id: &'a str,
     ) -> Result<Vec<Group>, IdentityProviderError> {
-        Ok(user_group::list_user_groups(&state.db, user_id).await?)
+        Ok(user_group::list_user_groups(
+            &state.db,
+            user_id,
+            &self
+                .config
+                .federation
+                .get_expiring_user_group_membership_cutof_datetime(),
+        )
+        .await?)
     }
 
     /// Add the user into the group.
@@ -176,6 +185,21 @@ impl IdentityBackend for SqlBackend {
         Ok(user_group::add_user_to_group(&state.db, user_id, group_id).await?)
     }
 
+    /// Add the user to the group with expiration.
+    #[tracing::instrument(level = "debug", skip(self, state))]
+    async fn add_user_to_group_expiring<'a>(
+        &self,
+        state: &ServiceState,
+        user_id: &'a str,
+        group_id: &'a str,
+        idp_id: &'a str,
+    ) -> Result<(), IdentityProviderError> {
+        Ok(
+            user_group::add_user_to_group_expiring(&state.db, user_id, group_id, idp_id, None)
+                .await?,
+        )
+    }
+
     /// Add user group membership relations.
     #[tracing::instrument(level = "debug", skip(self, state))]
     async fn add_users_to_groups<'a>(
@@ -186,6 +210,17 @@ impl IdentityBackend for SqlBackend {
         Ok(user_group::add_users_to_groups(&state.db, memberships).await?)
     }
 
+    /// Add expiring user group membership relations.
+    #[tracing::instrument(level = "debug", skip(self, state))]
+    async fn add_users_to_groups_expiring<'a>(
+        &self,
+        state: &ServiceState,
+        memberships: Vec<(&'a str, &'a str)>,
+        idp_id: &'a str,
+    ) -> Result<(), IdentityProviderError> {
+        Ok(user_group::add_users_to_groups_expiring(&state.db, memberships, idp_id, None).await?)
+    }
+
     /// Remove the user from the group.
     #[tracing::instrument(level = "debug", skip(self, state))]
     async fn remove_user_from_group<'a>(
@@ -197,6 +232,21 @@ impl IdentityBackend for SqlBackend {
         Ok(user_group::remove_user_from_group(&state.db, user_id, group_id).await?)
     }
 
+    /// Remove the user from the group with expiration.
+    #[tracing::instrument(level = "debug", skip(self, state))]
+    async fn remove_user_from_group_expiring<'a>(
+        &self,
+        state: &ServiceState,
+        user_id: &'a str,
+        group_id: &'a str,
+        idp_id: &'a str,
+    ) -> Result<(), IdentityProviderError> {
+        Ok(
+            user_group::remove_user_from_group_expiring(&state.db, user_id, group_id, idp_id)
+                .await?,
+        )
+    }
+
     /// Remove the user from multiple groups.
     #[tracing::instrument(level = "debug", skip(self, state))]
     async fn remove_user_from_groups<'a>(
@@ -208,6 +258,21 @@ impl IdentityBackend for SqlBackend {
         Ok(user_group::remove_user_from_groups(&state.db, user_id, group_ids).await?)
     }
 
+    /// Remove the user from multiple expiring groups.
+    #[tracing::instrument(level = "debug", skip(self, state))]
+    async fn remove_user_from_groups_expiring<'a>(
+        &self,
+        state: &ServiceState,
+        user_id: &'a str,
+        group_ids: HashSet<&'a str>,
+        idp_id: &'a str,
+    ) -> Result<(), IdentityProviderError> {
+        Ok(
+            user_group::remove_user_from_groups_expiring(&state.db, user_id, group_ids, idp_id)
+                .await?,
+        )
+    }
+
     /// Set group memberships of the user.
     #[tracing::instrument(level = "debug", skip(self, state))]
     async fn set_user_groups<'a>(
@@ -219,6 +284,26 @@ impl IdentityBackend for SqlBackend {
         Ok(user_group::set_user_groups(&state.db, user_id, group_ids).await?)
     }
 
+    /// Set expiring group memberships for the user.
+    #[tracing::instrument(level = "debug", skip(self, state))]
+    async fn set_user_groups_expiring<'a>(
+        &self,
+        state: &ServiceState,
+        user_id: &'a str,
+        group_ids: HashSet<&'a str>,
+        idp_id: &'a str,
+        last_verified: Option<&DateTime<Utc>>,
+    ) -> Result<(), IdentityProviderError> {
+        Ok(user_group::set_user_groups_expiring(
+            &state.db,
+            user_id,
+            group_ids,
+            idp_id,
+            last_verified,
+        )
+        .await?)
+    }
+
     /// Create webauthn credential for the user.
     #[tracing::instrument(level = "debug", skip(self, state))]
     async fn create_user_webauthn_credential<'a>(