As user I want others to authenticate using OIDC, so access is secured #3

Open · 6 tasks done
whymatter opened this issue May 1, 2020 · 2 comments


whymatter commented May 1, 2020

Purpose

harbour.rocks targets on-premise installations and is therefore intended to authenticate users with an existing identity. Nowadays OIDC (OpenID Connect) is used for authenticating people via a third-party authentication provider.

Authentication should work with any OIDC provider, but we are testing especially with Azure AD.

After extensive research and many hours wasted, I decided to use the code flow with PKCE, which is a client-driven flow replacing the old implicit flow. A good article is linked down below.

Terminology

OpenID Provider => Azure (they provide an identification)
Relying Party => harbour.rocks (since we are relying on Azure for authentication)

Requirements

  • harbour UI has to generate the code_verifier and store it
  • harbour UI has to redirect to the OpenId Provider
  • OpenId Provider performs authentication
  • OpenId Provider redirects to harbour UI
  • harbour UI exchanges id_token only (need code_verifier for this)
  • harbour UI calls /auth endpoint with id_token
  • harbour IAM registers new user (if new)
  • If harbour * notices an invalid id_token it returns 401 Unauthorized
  • harbour UI has to redirect to login on 401 Unauthorized

Notes

  • Logout not implemented for now

Subtasks

  • Setup login button, directly generate code_verifier and redirect to OpenId Provider
  • On redirect from OpenId Provider, exchange id_token
  • Implement /refresh endpoint to either create harbour user (return 201) or do nothing (return 200)
  • Include id_token in every request
  • On 401 Unauthorized redirect to login (which is the OIDC Provider)
  • GraphQL mutation to refresh user account (IAM endpoint does exist /refresh)

Some Links

https://openid.net/connect/

https://openid.net/specs/openid-connect-core-1_0.html

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc

https://christianlydemann.com/implicit-flow-vs-code-flow-with-pkce/

https://christianlydemann.com/openid-connect-with-angular-8-oidc-part-7/

@whymatter (Contributor Author) commented:

Authorization: Bearer <id_token>

@whymatter (Contributor Author) commented:

mutation Refresh {
  refresh() { }
}
