Switch to Auth0 for authentication, stop providing authentication to other services #9
Comments
|
@garbas is interested in working on this, too. |
|
I'm exploring the Server + Client API quick-start as it seems to be a good option. Fooling around was here: taskcluster/taskcluster-login@master...djmitche:auth0api. Open questions:
|
|
I would also invite @srfraser since he has more experience with Auth0 |
|
So what I've been working on is the auth0 API authentication model. Concretely, my plan has been this:
It has some rough edges, and I'm not sure it's going to work. The big issue is, the access_token is a JWT that contains very little information about the user, so I don't see how the /v1/credentials endpoint would construct appropriate scopes for the temporary certificate. I asked on the Auth0 Community boards, and the answer so far is to use Rules to insert additional claims into the JWT -- but I don't think I could fit enough information into a JWT.. |
|
The Python API makes further calls to the userinfo_uri when needing more data about a user, is that the call that's not working for you? https://github.com/puiterwijk/flask-oidc/blob/master/flask_oidc/__init__.py#L240 where the userinfo_uri is specified in https://auth.mozilla.auth0.com/.well-known/openid-configuration |
|
That's equivalent -- I think -- to what I was trying to do here: let a0 = new auth0js.WebAuth({
domain: cfg.auth0.domain,
clientID: 'l23BM36nbr3pUHBkwWqjCrYLiqV3YG3n',
});
let accessToken = req.headers.authorization.split(' ')[1];
a0.client.userInfo(accessToken, (error, user) => {and I was getting 401 errors, regardless of the clientId I supplied. I suspect that in the flask_oidc code you point to, the fact of bearing the access_token entitles the caller to the user information, since no other secret information is provided in the call. So I further suspect that the access_token I get granting the client access to my API does not have associated user info, hence the 401. But I'm just guessing. |
|
I'm guessing you've already tried the variant mentioned at https://auth0.com/docs/libraries/auth0js/v8#extract-the-authresult-and-get-user-info ? |
|
I think so? I think that's the equivalent of |
|
Ah, I think the difference is, in that case, the auth0 instance was initialized with the client's credentials (domain and clientID). Hmm. OK, I can mess with this a bit more and see what works. |
|
The community post didn't turn up much of use - it's possible to inject a little info into the jwt, using Auth0 Rules. And there's a suggestion to use hooks to synchronize LDAP, gihtub, etc. into a local user database -- but there are not hooks defined for changes to that information, so I don't think that would work. |
|
OK, I had some success after fooling around. The critical bit was to request the |
|
Concept is proven (taskcluster/taskcluster-login#48). This isn't quite ready to implement yet, but I think everyone is agreed that this is the way forward. |
|
As a side note, our auth0 prod now supports the API calls as well (just like dev), since last saturday |
|
Happening this quarter! |
|
Getting closer to complete! \o/ |
|
I'll be turning off Okta support today, but Auth0's up and running and has been for a few days now. |
|
OK, Okta's off. We're stlil providing auth to other services, but that will end soon enough. |
We currently do a poor job of providing authentication to other services, notably treeherder. We do a swell job of providing authorization, though! Let's reposition ourselves so that we provide a really awesome mechanism for API access control that is usable both by API implementers and API users. We are already pretty awesome for API implementers, so this idea only changes the situation for API users.
Proposal
use a three-party authentication system to allow user-facing apps to get taskcluster credentials for their users. The parties are
The flow is this:
This corresponds to the Auth0 "API" functionality, with TC taking the part of the API. It's a little different from Auth0's plan in that Auth0 expects the API to accept OIDC tokens directly, whereas TC expects TC credentials. So we add the single OIDC -> TC credential transaction for that purpose.
Advantages
With this in place, we can transition services currently using the login.taskcluster.net redirect flow for logins to instead use this mechanism. This includes Treeherder, Treestatus, and probably a few others. The advantage for these users comes from better support for authentication (they get a rich set of information from auth0) and a more dynamic login process. It also puts the burden of user management on the IAM team, and not us.
Links
The text was updated successfully, but these errors were encountered: