
Setup OIDC conformant Auth0 config#5395

Merged
pawelperek-da merged 2 commits into
mainfrom
pawel/auth0-security-improvements
May 7, 2026

Conversation

@pawelperek-da
Contributor

@pawelperek-da pawelperek-da commented May 5, 2026

Fixes https://github.com/DACH-NY/canton-network-internal/issues/4513

This PR configures Auth0 refresh tokens in accordance with the best practices outlined in RFC 9700 (OAuth 2.0 Security Best Current Practice) §4.14:

  1. Rotation: refresh tokens now change after each refresh.
  2. Reuse detection: if an old, already rotated-out token is ever presented again, Auth0 invalidates the entire token family for that client.
  3. Finite lifetimes: the absolute and idle lifetimes of a token are now configured to 7 days and 3 days, respectively.

Presentations of points 1 and 2:

rotation.mp4

Pull Request Checklist

Cluster Testing

  • If a cluster test is required, comment /cluster_test on this PR to request it, and ping someone with access to the DA-internal system to approve it.
  • If a hard-migration test is required (from the latest release), comment /hdm_test on this PR to request it, and ping someone with access to the DA-internal system to approve it.
  • If a logical synchronizer upgrade test is required (from canton-3.5), comment /lsu_test on this PR to request it, and ping someone with access to the DA-internal system to approve it.

PR Guidelines

  • Include any change that might be observable by our partners or affect their deployment in the release notes.
  • Specify fixed issues with Fixes #n, and mention issues worked on using #n
  • Include a screenshot for frontend-related PRs - see README or use your favorite screenshot tool

Merge Guidelines

  • Make the git commit message look sensible when squash-merging on GitHub (most likely: just copy your PR description).
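The three behaviours described in this PR, as an added model that is not the project's or Auth0's own code: a minimal server-side refresh-token store that rotates the token on every refresh, revokes the whole family when a rotated-out token is replayed, and enforces the 7-day absolute and 3-day idle lifetimes. It assumes the absolute clock starts when the family is first issued and the idle clock resets on each successful refresh; both are assumptions about the semantics, not a statement about Auth0's implementation.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set

ABSOLUTE_LIFETIME = 7 * 24 * 3600  # 7 days, as configured in the PR
IDLE_LIFETIME = 3 * 24 * 3600      # 3 days, as configured in the PR


@dataclass
class RefreshToken:
    family: str        # all tokens derived from one login share a family id
    issued_at: int     # family creation time (assumed: absolute-lifetime clock)
    last_used_at: int  # last successful refresh (assumed: idle-lifetime clock)
    active: bool = True


class RefreshTokenStore:
    """Models RFC 9700 §4.14: rotation, reuse detection, finite lifetimes."""

    def __init__(self) -> None:
        self.tokens: Dict[str, RefreshToken] = {}
        self.revoked_families: Set[str] = set()

    def issue(self, now: int) -> str:
        """Start a new token family, e.g. at login."""
        token = secrets.token_urlsafe(32)
        self.tokens[token] = RefreshToken(secrets.token_hex(8), now, now)
        return token

    def refresh(self, presented: str, now: int) -> Optional[str]:
        """Exchange a refresh token for a new one; None means refused."""
        rec = self.tokens.get(presented)
        if rec is None or rec.family in self.revoked_families:
            return None
        if not rec.active:
            # Replay of a rotated-out token: treat the family as compromised.
            self._revoke_family(rec.family)
            return None
        if (now - rec.issued_at > ABSOLUTE_LIFETIME
                or now - rec.last_used_at > IDLE_LIFETIME):
            self._revoke_family(rec.family)
            return None
        rec.active = False  # rotate: the presented token is single-use
        new_token = secrets.token_urlsafe(32)
        self.tokens[new_token] = RefreshToken(rec.family, rec.issued_at, now)
        return new_token

    def _revoke_family(self, family: str) -> None:
        self.revoked_families.add(family)
        for rec in self.tokens.values():
            if rec.family == family:
                rec.active = False
```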

@canton-network-da
Contributor

[backport] Reminder

Please consider backporting to the following branches:

  • release-line-0.6.2
  • release-line-0.6.1
  • release-line-0.6.0
  • release-line-0.5.18

▶️ Please check the boxes for branches that you wish to backport to and backport PRs will
automatically be created when you merge this PR.

And your PR is currently against base branch: main.

Note: Any PR comment containing [backport] will be considered for auto-backporting upon merge;
you can always add those manually for PRs that did not get these reminders. You can also edit
this comment manually and add more branches that this should be backported to.

@pawelperek-da pawelperek-da marked this pull request as ready for review May 6, 2026 12:56
Contributor

@rautenrieth-da rautenrieth-da left a comment


Looks reasonable to me.

@pawelperek-da pawelperek-da force-pushed the pawel/auth0-security-improvements branch from 79fc8da to 61980ac May 6, 2026 20:25
@pawelperek-da pawelperek-da merged commit 4e779e8 into main May 7, 2026
66 checks passed
@pawelperek-da pawelperek-da deleted the pawel/auth0-security-improvements branch May 7, 2026 07:07
martinflorian-da added a commit that referenced this pull request May 8, 2026
3 participants