UI: Authenticate with OAuth2 client ID / secret
Currently the UI accepts a Bearer token for authenticating. It would be more comfortable, however, if the UI authenticated against a configured OAuth provider endpoint, using a client ID and an optional secret (not all OAuth flows require a secret).
The Swagger UI also supports such a mode, where the OAuth provider configuration is added. As the Ditto UI saves the environments locally, the OAuth secret does not need to be persisted or configured statically, which should suffice security-wise.
Interesting. Agreed, that would be great. I was experimenting a while ago and concluded that the OAuth flows only work with a backend, so I stopped at that time. I need to take another look and I would need some support here. Do you remember that secrets are not persisted by the UI?
Yes, I remember. However, newer OAuth2 flows like PKCE do not require a secret, so for those this would be a really good fit. For the others, a backend proxy may add the secret without the need to leak it into the client.
Hi @thjaeckle, I'm coming back to this ticket. PKCE looks very promising, but it needs some infrastructure (an authorization server and an OAuth2 proxy for Ditto?), and I think it will be easier to test if this is available in the cloud. I started with Google as an authorization server and tried out the Google authentication against the sandbox HTTP API.
- My Google OAuth client ID and secret did not work, because I do not know the redirect URL for the Ditto sandbox server. Is there a more detailed description of how this use of the sandbox HTTP API with Google should work? Maybe a good start would be to use the same approach for the UI as for the Swagger UI. But for that I would need to be able to test it.
- Do I understand correctly that there is an OAuth2 proxy installed on the Ditto sandbox? If needed, can we extend that with the PKCE flow? It would be nice to have Google SSO directly with the sandbox and the UI 😉. Another related question: is (or could) the Ditto sandbox be registered as an application on Google (or GitHub)?
Hi @thfries
So the Ditto sandbox does not yet run an OAuth2 proxy, but it probably should :D Currently there is only an nginx in front of Ditto, which does some "magic" in inserting the OpenID Connect client secret for Google OAuth. I have not checked that for a long time, though; no idea if it still works.
I will look into it once I find the time; that could take a while, however :/