
Support OAuth and JWT in the backend

Open fozziethebeat opened this issue 2 years ago • 7 comments

This is a big issue.

When complete, the web frontend should be able to directly call the backend service using JSON Web Tokens (JWTs) and users should be able to complete an OAuth flow through the backend. This would let us (in a separate issue) clean up the web service and remove the API routes completely.

To do this I propose the following steps:

  • [x] Get JWT authentication working on the backend using the web generated JWTs. This requires HKDF to encrypt and decrypt the tokens and sharing the current secret.
  • [ ] Test out a few API calls from the web client directly to the backend using JWT. This will require changing some sharing permissions for the token on the web side so it can be shared cross site.
  • [x] Implement Discord OAuth 2.0 Flow on the backend. A user should be able to go through it and get a valid JWT sent from the backend.
  • [ ] Implement some kind of email magic link login equivalent to Next Auth's
  • [ ] Replicate the User and Account tables from the web database to the Backend's database
  • [ ] Copy over data from the web database to the backend database.

fozziethebeat avatar Jan 20 '23 09:01 fozziethebeat
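One way to implement the backend side of step 1, as an added example that is not Open-Assistant's own code: a stdlib-only HKDF-SHA256 derivation using NextAuth's info string (assumed to match NextAuth v4's key derivation) followed by backend-side verification of a token signed with the derived key. NextAuth's default session token is an encrypted JWE (A256GCM), which needs a third-party AEAD library to decrypt; this example uses a signed HS256 token instead so it runs stand-alone, and focuses on the checks a backend verifier needs (algorithm pinning, constant-time signature comparison, expiry).

```python
import base64, hashlib, hmac, json, time

NEXTAUTH_INFO = b"NextAuth.js Generated Encryption Key"  # assumed: NextAuth v4 HKDF info string

def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """RFC 5869 HKDF (extract + expand) with SHA-256; empty salt means HashLen zero bytes."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_hs256(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Mint a compact JWS; `alg` is a parameter only so tests can build a rejected 'none' token."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_hs256(token: str, key: bytes, now=None) -> dict:
    """Return the claims if alg, signature and exp check out; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm: rejects 'none' and confusion attacks
        raise ValueError("unsupported alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("token expired or missing exp")
    return claims

def is_valid(token: str, key: bytes, now=None) -> bool:
    """Boolean wrapper so callers (and tests) do not need to catch ValueError."""
    try:
        verify_hs256(token, key, now)
        return True
    except (ValueError, json.JSONDecodeError):
        return False
```

The same `hkdf_sha256` output, fed to an AEAD library as the A256GCM content-encryption key, is what a backend would use to decrypt NextAuth's real JWE session tokens.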

Step 1 should replicate this next auth code

fozziethebeat avatar Jan 20 '23 09:01 fozziethebeat

Ok just to get this straight: we want to move authentication and authorization entirely to the python backend?

AbdBarho avatar Jan 28 '23 13:01 AbdBarho

@fozziethebeat instead of fleshing out an entire auth-n and auth-z implementation on the backend, why not offload this responsibility to a dedicated IAM server, like Keycloak? This would basically require close to no implementation, since Keycloak covers most of the requirements out of the box. It would handle the issuance of short-lived access tokens to authenticated clients, and ensure their validity when used. Securing the OA stack with Keycloak requires, in essence, that the client-adapters are configured on the backend and frontend side. The backend would use this adapter, while for the SPA, we'd follow this approach or this implementation. We would also use this extension to provide Discord auth.

If this is a desirable approach, I can work on this.

occupytheweb avatar Jan 29 '23 04:01 occupytheweb

I'd like to avoid adding any more additional dependencies, especially any additional SAAS dependencies. We picked NextAuth originally to avoid things like Supabase or Auth0. I think running our own auth built into the backend is sufficient.

fozziethebeat avatar Jan 29 '23 06:01 fozziethebeat

Ok just to get this straight: we want to move authentication and authorization entirely to the python backend?

That is the end goal yes. That way we can dissolve the web API routes entirely.

fozziethebeat avatar Jan 29 '23 06:01 fozziethebeat

I'd like to avoid adding any more additional dependencies, especially any additional SAAS dependencies. We picked NextAuth originally to avoid things like Supabase or Auth0. I think running our own auth built into the backend is sufficient.

OK, noted. Thanks.

occupytheweb avatar Jan 30 '23 08:01 occupytheweb

#943 is merged now. We need to expand beyond Discord, and actually add the ability to link a Discord account to an OA user.

olliestanley avatar Feb 02 '23 18:02 olliestanley

I'm closing this issue as completed.

andreaskoepf avatar May 05 '23 10:05 andreaskoepf