Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

#5444 ConfiguredIDPOAuth shows authentication popup and save JWT to storage #5795

Conversation

ioanmo226
Copy link
Collaborator

@ioanmo226 ioanmo226 commented Jul 24, 2024

This PR implemented feature to let ConfiguredIDPOAuth shows authentication popup and save JWT to storage

close #5444// if this PR closes an issue


Tests (delete all except exactly one):

  • Tests added or updated

To be filled by reviewers

I have reviewed that this PR... (tick whichever items you personally focused on during this review):

  • addresses the issue it closes (if any)
  • code is readable and understandable
  • is accompanied with tests, or tests are not needed
  • is free of vulnerabilities
  • is documented clearly and usefully, or doesn't need documentation

Copy link

gitguardian bot commented Jul 24, 2024

️✅ There are no secrets present in this pull request anymore.

If these secrets were true positive and are still valid, we highly recommend you to revoke them.
Once a secret has been leaked into a git repository, you should consider it compromised, even if it was deleted immediately.
Find here more information about risks.


🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

@ioanmo226 ioanmo226 marked this pull request as ready for review July 29, 2024 02:05
@ioanmo226 ioanmo226 requested a review from sosnovsky as a code owner July 29, 2024 02:05
Copy link
Collaborator

@tomholub tomholub left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some comments for code clarity, just a quick review

test/source/mock/lib/oauth.ts Outdated Show resolved Hide resolved
test/source/tests/tooling/browser-recipe.ts Outdated Show resolved Hide resolved
test/source/tests/setup.ts Outdated Show resolved Hide resolved
test/source/tests/setup.ts Outdated Show resolved Hide resolved
test/source/tests/tooling/browser-recipe.ts Outdated Show resolved Hide resolved
Copy link
Collaborator

@tomholub tomholub left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Other than the redirect page in progress, my comments were addressed 👍

Copy link
Collaborator

@sosnovsky sosnovsky left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good for me 👍 Just need to fix redirect part mentioned by Tom.
Probably we can use launchWebAuthFlow method, which enables auth flows for non-Google IdP. There is also getRedirectURL method for generating correct redirect URL.

@ioanmo226
Copy link
Collaborator Author

I previously decided to use our own oauth solution instead of launchwebAuthFlow because of below reason.
Also we need to add identity permission in manifest.

#4660 (comment)

Looks good for me 👍 Just need to fix redirect part mentioned by Tom. Probably we can use launchWebAuthFlow method, which enables auth flows for non-Google IdP. There is also getRedirectURL method for generating correct redirect URL.

@ioanmo226
Copy link
Collaborator Author

The biggest problem with launchWebAuthflow is we have limited control for UI testing.

@sosnovsky
Copy link
Collaborator

Also we need to add identity permission in manifest.

Maybe it can be added without any additional confirmation popup, like scripting permission - it was added with manifest v3 migration and didn't require user confirmation.

The biggest problem with launchWebAuthflow is we have limited control for UI testing.

Probably it'll work the same as our current mock implementation - it'll open mock authorization endpoint and will wait until it receives auth token. Also a couple years passed since your initial comment about poor documentation, there should be more guides about it's implementation. I think it's worth to check these methods for our auth process, and if it's still broken - then try to use https://EXTENSION_ID.chromiumapp.org/oauth as redirect url (such urls are generated by getRedirectURL method)

@ioanmo226
Copy link
Collaborator Author

@tomholub and @sosnovsky,

I suggest updating our OAuth mechanism. Currently, we inject oauth2_inject.js in robots.txt to obtain the authorization code. Instead, we could set the redirect URI to https://{extensionId}.chromiumapp.org/, listen for chrome.tabs.onUpdated, and check if the tab ID matches the newly created auth window's tab ID and if the tab URL matches the redirect URI.
Then, we can retrieve the authorization code directly.
This approach mirrors what the launchWebAuthFlow function does.

Let me know your thoughts!

PS: We cannot rely on a content script solution for handling OAuth redirects. When OAuth redirects to our Chrome extension page (or to https://{extensionId}.chromiumapp.org), Chrome prevents the content from loading due to security concerns. As a result, the content script does not load, making it unusable for capturing the authorization code in this scenario.

@ioanmo226
Copy link
Collaborator Author

I agree.
Let me try with your suggested solution and then try with my above solution if it doesn't work.

Also we need to add identity permission in manifest.

Maybe it can be added without any additional confirmation popup, like scripting permission - it was added with manifest v3 migration and didn't require user confirmation.

The biggest problem with launchWebAuthflow is we have limited control for UI testing.

Probably it'll work the same as our current mock implementation - it'll open mock authorization endpoint and will wait until it receives auth token. Also a couple years passed since your initial comment about poor documentation, there should be more guides about it's implementation. I think it's worth to check these methods for our auth process, and if it's still broken - then try to use https://EXTENSION_ID.chromiumapp.org/oauth as redirect url (such urls are generated by getRedirectURL method)

@sosnovsky
Copy link
Collaborator

Let me try with your suggested solution and then try with my above solution if it doesn't work.
Sounds good, let's try it this way. Usually such native solutions work better in Chrome, and it'll simplify our code to something like this:

chrome.identity.launchWebAuthFlow({
  'url': authConf.oauth.authCodeUrl + '?client_id=' + clientId + '&response_type=token',
  'interactive': true
}, function(redirectUri) {
  // Extract token from redirectUri.
});

@tomholub
Copy link
Collaborator

tomholub commented Jul 31, 2024

Also we need to add identity permission in manifest.

Maybe it can be added without any additional confirmation popup, like scripting permission - it was added with manifest v3 migration and didn't require user confirmation.

The biggest problem with launchWebAuthflow is we have limited control for UI testing.

Probably it'll work the same as our current mock implementation - it'll open mock authorization endpoint and will wait until it receives auth token. Also a couple years passed since your initial comment about poor documentation, there should be more guides about it's implementation. I think it's worth to check these methods for our auth process, and if it's still broken - then try to use https://EXTENSION_ID.chromiumapp.org/oauth as redirect url (such urls are generated by getRedirectURL method)

The problem from what I remember was that the identity mechanism only allowed to authenticate with the account that is connected to your browser. So no multi user to my knowledge

I wouldn't start working on replacing that unless we run into a roadblock with our existing mechanisms. They work well imo

@ioanmo226
Copy link
Collaborator Author

Maybe we could only use launchWebAuthFlow for custom IDP authentication and keep using our customized OAuth solution for google IDP.
What's your thouht?

@ioanmo226
Copy link
Collaborator Author

Ohhh. just tested and this problem is now past story.
I can now login to any account. We can use launchWebAuthFlow solution for google IDP too I think
image

The problem from what I renege was that the identity mechanism only allowed to authenticate with the account that is connected to your browser

@tomholub
Copy link
Collaborator

@tomholub and @sosnovsky,

I suggest updating our OAuth mechanism. Currently, we inject oauth2_inject.js in robots.txt to obtain the authorization code. Instead, we could set the redirect URI to https://{extensionId}.chromiumapp.org/, listen for chrome.tabs.onUpdated, and check if the tab ID matches the newly created auth window's tab ID and if the tab URL matches the redirect URI.

Then, we can retrieve the authorization code directly.

This approach mirrors what the launchWebAuthFlow function does.

Let me know your thoughts!

PS: We cannot rely on a content script solution for handling OAuth redirects. When OAuth redirects to our Chrome extension page (or to https://{extensionId}.chromiumapp.org), Chrome prevents the content from loading due to security concerns. As a result, the content script does not load, making it unusable for capturing the authorization code in this scenario.

I would like to, but last I tried it didn't work. I think we are using web application type of oauth credentials in oauth settings on google, which doesn't allow setting this type of redirect url meant due extensions. While when trying to use the extension type, it had some other limitations making it unusable for our purposes (I think no pffline_mode or maybe something else). I wouldn't try to change anything unless we absolutely have to. If the current gmail mechanism works, I don't think we have to.

Of course, if I'm wrong and it's just a matter of adding this redirect url and a small code change, then sure. But from my experience, you'll run into a lot of dead ends.

@tomholub
Copy link
Collaborator

Ohhh. just tested and this problem is now past story.

I can now login to any account. We can use launchWebAuthFlow solution for google IDP too I think

image

The problem from what I renege was that the identity mechanism only allowed to authenticate with the account that is connected to your browser

If it seems easy to do and simplifies things then sure. Does it allow offline_mode? Also, does it work the same on firefox?

@tomholub
Copy link
Collaborator

But how about we leave existing google mechanism untouched in this pr if it works. Try out the new identity mechanism on 3rd party logins. That way no risk. We gain some experience with it in a low impact scenario.

Then we can consider changing google login as well in a separate PR in future version.

@sosnovsky
Copy link
Collaborator

Yeah, it should be safe to start using new identity flow for 3-rd party IdPs, and if no issues found - migrate Google IdP to it later.

@ioanmo226
Copy link
Collaborator Author

Sounds good!. Thank you

@ioanmo226
Copy link
Collaborator Author

Yeah, it works same on Firefox

If it seems easy to do and simplifies things then sure. Does it allow offline_mode? Also, does it work the same on firefox?

@ioanmo226 ioanmo226 requested review from tomholub and sosnovsky August 2, 2024 00:06
Copy link
Collaborator

@tomholub tomholub left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

code looks good on my end, didn't test it

@sosnovsky
Copy link
Collaborator

@ioanmo226 do you have active test instance of auth0? I tried to use credentials which you previously shared with me, but got error Authorization page could not be loaded.

@ioanmo226
Copy link
Collaborator Author

ioanmo226 commented Aug 2, 2024

Yeah. I have active test instance. How did you test? With which client_id, client_secret did you test. And also did you test with local FES?

@ioanmo226
Copy link
Collaborator Author

Ohh. I just remember I rotated previous client secret because previous one was in git history.
Just sent new client secret to your email

@ioanmo226
Copy link
Collaborator Author

ioanmo226 commented Aug 2, 2024

FYI, redirect_url in authentication.oauth is useless/not required in client configuration as redirect_url needs to be same for all oauth (custom IDP) configurations. (https://EXTENSION_ID.chromiumapp.org/oauth)

@sosnovsky
Copy link
Collaborator

I just implicitly set authentication configuration in fetchAndSaveClientConfiguration method, without local FES.
For redirect URL I used chrome.identity.getRedirectURL('oauth'), but it still gives me Authorization page could not be loaded. error.
My extension id is the same as I previously shared with you for redirect URL (pjohdcpiapjhagmakkjpgjmodmgfmkkd).

@tomholub
Copy link
Collaborator

tomholub commented Aug 2, 2024

FYI, redirect_url in authentication.oauth is useless/not required in client configuration as redirect_url needs to be same for all oauth (custom IDP) configurations. (https://EXTENSION_ID.chromiumapp.org/oauth)

Probably also true on android and ios, but it could be useful if we ever do authentication on the web. Once we figure this out, we'll update the docs.

@ioanmo226
Copy link
Collaborator Author

I haven't added bnjglocicdkmhmoohhfkfkbbkejdhdgc redirect_url before. Just added to my auth0 config. Please check again.

Copy link
Collaborator

@sosnovsky sosnovsky left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All good now, works great, thanks!

@sosnovsky sosnovsky merged commit 0ead411 into master Aug 2, 2024
13 checks passed
@sosnovsky sosnovsky deleted the 5444-configuredidpoauth-should-produce-an-oauth-window-+-save-jwt-to-storage branch August 2, 2024 18:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

ConfiguredIdpOAuth should produce an oauth window + save JWT to storage
3 participants