#5799 Use custom idp token for enterprise server authentication if special jwt is stored in local store #5802

@ioanmo226 ioanmo226 commented Aug 5, 2024

This PR implemented functionality to use a custom IdP token for enterprise server authentication if a special JWT is stored in the local store.

close #5799 // if this PR closes an issue


Tests (delete all except exactly one):

  • Tests added or updated

@ioanmo226
Collaborator Author

@sosnovsky Custom IDP id_token is now also used in EKM.
Please check.

@ioanmo226
Collaborator Author

ioanmo226 commented Aug 6, 2024

By the way, are the FES/EKM APIs ready to accept custom IdP id_tokens instead of the Google id_token?

@sosnovsky
Collaborator

> By the way, are the FES/EKM APIs ready to accept custom IdP id_tokens instead of the Google id_token?

It's possible to configure a custom IdP in Enterprise Service, but our documentation mentions that only Google is supported for end-users (https://flowcrypt.com/docs/technical/enterprise/configuration/authentication.html). Need to check if it works with a custom IdP or if some changes are needed for Enterprise Server too.

Collaborator

@sosnovsky sosnovsky left a comment

Works great! I was able to test setup with local FES and Auth0 IdP 🚀

…re-it-should-be-used-for-enterprise-server-authentication-instead-of-google-jwt
@ioanmo226 ioanmo226 requested a review from sosnovsky August 7, 2024 06:08
Collaborator

@sosnovsky sosnovsky left a comment

Well done 👍

@sosnovsky sosnovsky merged commit 0eee059 into master Aug 7, 2024
13 checks passed
@sosnovsky sosnovsky deleted the 5799-if-special-jwt-is-stored-in-local-store-it-should-be-used-for-enterprise-server-authentication-instead-of-google-jwt branch August 7, 2024 09:10
@ioanmo226
Collaborator Author

@sosnovsky Have you checked FES side if it's ready to accept custom IDP id_tokens?

@ioanmo226
Collaborator Author

How do you plan to support it?
You know, once we publish this version, new version users would submit custom IdP id_tokens to FES/EKM, and old version users would submit Google id_tokens to FES/EKM.
Are FES and EKM ready to accept both?

@sosnovsky
Collaborator

I configured custom IdP (Auth0) in local Enterprise Server and tested EKM requests (for saving and retrieving private key) - they work well.

> You know, once we publish this version, new version users would submit custom IdP id_tokens to FES/EKM, and old version users would submit Google id_tokens to FES/EKM.

Custom IdP id tokens will be used only by new customers who will have IdP configuration. Our existing customers will continue to use Google id tokens; this change shouldn't affect them.

In ES configuration we set properties for user IdP (by default it's Google IdP) (https://flowcrypt.com/docs/technical/enterprise/configuration/authentication.html#end-user-properties-for-fes-and-ekm), so depending on these configuration properties ES will know which IdP should be used for verifying received tokens.
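
The behaviour described in the comment above, as an added example that is not part of this PR or of Enterprise Server: a verifier pinned to the single IdP named in its configuration accepts that IdP's id_tokens and refuses any other, so which token the client sends only matters relative to that configuration. The function names, config fields, issuer values and audience are hypothetical, and the IdP keys are constructed in place instead of being fetched from the IdP.

```javascript
// Added example. makeIdp, issueIdToken, verifyIdToken and the config fields
// are hypothetical names, not Enterprise Server code or properties.
const nodeCrypto = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");
const fromB64url = (s) => Buffer.from(s, "base64url");

// Constructed stand-in for an IdP: an issuer URL plus its own RSA signing key.
function makeIdp(issuer) {
  const keys = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  return { issuer, ...keys };
}

// Mint an RS256 id_token the way the stand-in IdP would.
function issueIdToken(idp, claims) {
  const head = b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const body = b64url(JSON.stringify({ iss: idp.issuer, ...claims }));
  const sig = nodeCrypto.sign("sha256", Buffer.from(`${head}.${body}`), idp.privateKey);
  return `${head}.${body}.${b64url(sig)}`;
}

// Server side: config names exactly one IdP; every token is judged against it.
function verifyIdToken(token, config, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  let header, claims;
  try {
    header = JSON.parse(fromB64url(parts[0]).toString("utf8"));
    claims = JSON.parse(fromB64url(parts[1]).toString("utf8"));
  } catch {
    return { ok: false, reason: "malformed" };
  }
  // Pin the algorithm: never let the token choose how it is verified.
  if (header?.alg !== "RS256") return { ok: false, reason: "alg" };
  // A token minted by any IdP other than the configured one is refused.
  if (claims?.iss !== config.issuer) return { ok: false, reason: "issuer" };
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!nodeCrypto.verify("sha256", signed, config.publicKey, fromB64url(parts[2]))) {
    return { ok: false, reason: "signature" };
  }
  // The remaining claims are used only after the signature check has passed.
  if (claims.aud !== config.audience) return { ok: false, reason: "audience" };
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) {
    return { ok: false, reason: "expired" };
  }
  return { ok: true, email: claims.email };
}
```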

@ioanmo226
Collaborator Author

Aha, I see
Thank you for your clarification
