
Consider supporting OIDC / SSO / OAuth

Open joepio opened this issue 3 years ago • 0 comments

Atomic Data introduces a new self-sovereign public key based authentication mechanism. This has its merits (users are in full control of their identity, instead of servers), but pretty much everyone out there already settled on a standard: OpenID Connect. Supporting this helps achieve a few goals:

  • Sign in with your existing OIDC account (Google, Facebook, or your company's SSO server). No need to create a new account!

Thoughts

  • We already have JWT support in the email branch #505
  • We still need a private key to sign commits, which should still be created and stored by the client.

Libraries Rust

Libraries JS

TODO

  • [x] endpoint for adding new Publickey to Agent
  • [x] JWT support
  • [ ] ENVs for OIDC
  • [ ] Store link between agent and user somewhere?

Flow

  • [ ] On starting AtomicServer, check presence of OAuth client + secrets in .env
  • [ ] (maybe) check if the OAuth server token is valid? Can also check this when signing in a user
  • [ ] Front-end checks if server supports some OAuth provider (e.g. Google)
  • [ ] If true, show a button for this provider in the RegisterSignIn component
  • [ ] When clicked, get a token from the OAuth provider.
  • [ ] Store the token (I assume this is stored as cookie, so nothing we need to do)
  • [ ] Client tells server to create user / sign in?
  • [ ] Server checks cookie / HTTP headers for token
  • [ ] Server validates token with OAuth provider

Commits & private key management

If we sign in using some external identity provider, we are redirected to some page. This could be an endpoint that registers a public key to an Agent, adding it to the Agent resource.

Link with email

We're probably not going to be an identity provider, so we can keep things simple. Still, it would make sense to have email support for things like notifications.

But what about signing in using a magic link? Should users be able to add new public keys using email without using OIDC / OAuth? #276

joepio, Jan 07 '22 10:01
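The "Server validates token" and "Store link between agent and user" steps of the flow above, as an added example that is not atomic-server's code (the project is Rust; this is plain Python so it runs with the standard library only). It assumes an HS256 token signed with a constructed shared key, standing in for the RS256 ID token a real provider would sign and publish keys for via JWKS; the issuer, client id and key values are constructed, and the function names are this example's own. The checks it performs (pinned algorithm, signature, iss, aud, exp/nbf) are the ones a server must do before trusting the token, and the link key shows why the Agent<->user mapping has to be keyed on issuer plus subject.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical values standing in for the "ENVs for OIDC" the issue mentions.
OIDC_ISSUER = "https://idp.example"      # constructed value
OIDC_CLIENT_ID = "atomic-server-demo"    # constructed value
# A shared HS256 key keeps the example self-contained; a real provider publishes
# RSA/EC keys via JWKS and the server would fetch and pin those instead.
TEST_KEY = b"constructed-test-key"


class TokenError(Exception):
    """Raised when an ID token must be rejected."""


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def mint_hs256_token(claims: dict, key: bytes) -> str:
    """Build a test token (constructed; stands in for what the provider returns)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_id_token(token: str, key: bytes, issuer: str, audience: str,
                    now: Optional[float] = None) -> dict:
    """Return the claims if the token is acceptable, otherwise raise TokenError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # covers binascii.Error and JSONDecodeError
        raise TokenError("undecodable token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenError("malformed token")

    # Pin the algorithm server-side instead of trusting the header's "alg";
    # this is what makes an "alg": "none" token fail here.
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")

    # Claim checks: the token must come from our provider, be meant for our
    # client id, and be inside its validity window.
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise TokenError("token expired")
    if now < claims.get("nbf", 0):
        raise TokenError("token not yet valid")
    return claims


def rejection_reason(token: str, key: bytes, issuer: str, audience: str,
                     now: Optional[float] = None) -> Optional[str]:
    """None when the token verifies, otherwise the reason it was rejected."""
    try:
        verify_id_token(token, key, issuer, audience, now)
        return None
    except TokenError as exc:
        return str(exc)


def agent_link_key(claims: dict) -> str:
    # "sub" is only unique per issuer, so the stored Agent<->user link must be
    # keyed on (iss, sub), not on sub alone and not on an email claim.
    return f"{claims['iss']}|{claims['sub']}"


if __name__ == "__main__":
    demo = {"iss": OIDC_ISSUER, "sub": "user-123", "aud": OIDC_CLIENT_ID,
            "iat": 1000, "exp": 2000}
    token = mint_hs256_token(demo, TEST_KEY)
    print(rejection_reason(token, TEST_KEY, OIDC_ISSUER, OIDC_CLIENT_ID, now=1500))
    print(agent_link_key(verify_id_token(token, TEST_KEY, OIDC_ISSUER,
                                         OIDC_CLIENT_ID, now=1500)))
```

Once `verify_id_token` has returned, the server can look up or create the Agent under `agent_link_key(claims)` and then accept the public key the client presents for that Agent; the private key that signs commits still never leaves the client, as the issue notes.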