
As user I want others to authenticate using OIDC, so access is secured

Open whymatter opened this issue 4 years ago • 2 comments

Purpose

harbour.rocks targets on-premise installations and is therefore intended to authenticate users with an existing identity. Nowadays OIDC (OpenID Connect) is used for authenticating people by a third-party authentication provider.

Authentication should work with any OIDC provider, but we are testing especially with Azure AD.

After extensive research and many hours wasted, I decided to use the code flow with PKCE, which is a client-driven flow replacing the old implicit flow. A good article is linked down below.

Terminology

OpenId Provider => Azure (they provide an identification)

Relying Party => harbour.rocks (since we are relying on Azure for authentication)

Requirements

  • harbour UI has to generate the code_verifier and store it
  • harbour UI has to redirect to the OpenId Provider
  • OpenId Provider performs authentication
  • OpenId Provider redirects to harbour UI
  • harbour UI exchanges id_token only (need code_verifier for this)
  • harbour UI calls /auth endpoint with id_token
  • harbour IAM registers new user (if new)
  • If harbour * notices an invalid id_token it returns 401 Unauthorized
  • harbour UI has to redirect to login on 401 Unauthorized

Notes

  • Logout not implemented for now

Subtasks

  • [x] Setup login button, directly generate code_verifier and redirect to OpenId Provider
  • [x] On redirect from OpenId Provider, exchange id_token
  • [x] Implement /refresh endpoint to either create harbour user (return 201) or do nothing (return 200)
  • [x] Include id_token in every request
  • [x] On 401 Unauthorized redirect to login (which is the OIDC Provider)
  • [x] GraphQL mutation to refresh user account (IAM endpoint does exist /refresh)

Some Links

https://openid.net/connect/

https://openid.net/specs/openid-connect-core-1_0.html

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc

https://christianlydemann.com/implicit-flow-vs-code-flow-with-pkce/

https://christianlydemann.com/openid-connect-with-angular-8-oidc-part-7/

whymatter, May 01 '20 11:05