authentik icon indicating copy to clipboard operation
authentik copied to clipboard

Published 20 hours ago verified publisher icon goauthentik

web: use OAuth

Open BeryJu opened this issue 1 year ago • 9 comments

Details

Migrate web interfaces (User and Admin) to use OAuth instead of session tokens

  • [ ] Update api-explorer to work with Oauth since it currently relies on session auth

Checklist

  • [ ] Local tests pass (ak test authentik/)
  • [ ] The code has been formatted (make lint-fix)

If an API change has been made

  • [ ] The API schema has been updated (make gen-build)

If changes to the frontend have been made

  • [ ] The code has been formatted (make web)
  • [ ] The translation files have been updated (make i18n-extract)

If applicable

  • [ ] The documentation has been updated
  • [ ] The documentation has been formatted (make website)

BeryJu avatar Nov 22 '23 16:11 BeryJu

Deploy Preview for authentik-storybook failed.

Name Link
Latest commit a68f5deed9145165e47cadb83fcc32719299cd0a
Latest deploy log https://app.netlify.com/sites/authentik-storybook/deploys/668c2348f687f70008aee799

netlify[bot] avatar Nov 22 '23 16:11 netlify[bot]

What is the motivation for this?

Does this mean the tokens will now be stored in Javascript instead of as httponly, secure cookie? To the best of my knowledge that would mean a security degradation.

septatrix avatar Dec 04 '23 18:12 septatrix

What is the motivation for this?

Does this mean the tokens will now be stored in Javascript instead of as httponly, secure cookie? To the best of my knowledge that would mean a security degradation.

The advantage is that you'll be able to set access restrictions on different interfaces, and in the future also having different OAuth scopes that give different permissions

Ideally we wouldn't store the token in the client at all aside from in memory and re-request one when the page is refreshed

BeryJu avatar Dec 04 '23 18:12 BeryJu

The advantage is that you'll be able to set access restrictions on different interfaces, and in the future also having different OAuth scopes that give different permissions

Ideally we wouldn't store the token in the client at all aside from in memory and re-request one when the page is refreshed

That sounds like a good idea, however, I see no reason why the OAuth token couldn't be stored in a cookie instead

septatrix avatar Dec 04 '23 20:12 septatrix

Yeah that's also fair, tbf I haven't done much research on this and the localstorage is what this oidc library uses by default

BeryJu avatar Dec 04 '23 21:12 BeryJu

It seems like the current value of the authentik_session token already is a JWT. Why not simply use that instead? If you want to check which scopes a user has (e.g. to omit some API calls which would fail or to hide navigation menus) you can add those to the return value of /api/v3/core/users/me/

I haven't done much research on this

Not the answer I would have expected from someone with a company whose product is security ;P

septatrix avatar Dec 04 '23 21:12 septatrix

It seems like the current value of the authentik_session token already is a JWT. Why not simply use that instead? If you want to check which scopes a user has (e.g. to omit some API calls which would fail or to hide navigation menus) you can add those to the return value of /api/v3/core/users/me/

The session cookie is a JWT for other reasons (mainly so that the go router can know if requests are authenticated without checking with the python code)

I haven't done much research on this

Not the answer I would have expected from someone with a company whose product is security ;P

Hence the PR is not merged yet, but also everything is a trade off and regardless of that I'd set a pretty short access token, especially for the admin interface

BeryJu avatar Dec 04 '23 22:12 BeryJu

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 46.17%. Comparing base (1b19b3d) to head (d4a6874). Report is 5 commits behind head on main.

:exclamation: There is a different number of reports uploaded between BASE (1b19b3d) and HEAD (d4a6874). Click for more details.

HEAD has 3 uploads less than BASE | Flag | BASE (1b19b3d) | HEAD (d4a6874) | |------|------|------| |e2e|7|4|
Additional details and impacted files 
@@             Coverage Diff             @@
##             main    #7692       +/-   ##
===========================================
- Coverage   92.56%   46.17%   -46.40%     
===========================================
  Files         713      711        -2     
  Lines       34971    34710      -261     
===========================================
- Hits        32372    16027    -16345     
- Misses       2599    18683    +16084
Flag Coverage Δ
e2e 44.75% <100.00%> (-4.12%) :arrow_down:
integration 25.40% <100.00%> (+<0.01%) :arrow_up:
unit ?

Flags with carried forward coverage won't be shown. Click here to find out more.

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

codecov[bot] avatar Dec 18 '23 16:12 codecov[bot]

Deploy Preview for authentik-docs ready!

Name Link
Latest commit a68f5deed9145165e47cadb83fcc32719299cd0a
Latest deploy log https://app.netlify.com/sites/authentik-docs/deploys/668c23488e4f790008891bc8
Deploy Preview https://deploy-preview-7692--authentik-docs.netlify.app
Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

netlify[bot] avatar Jun 18 '24 16:06 netlify[bot]