
OAuth Support

Open fenriskiba opened this issue 5 years ago • 7 comments

Currently, Flagr supports basic JWT Authentication from Cookies and Auth Headers but does not provide a way to acquire the token. It would be helpful for Flagr to support the industry-standard OAuth protocol and tokens.

OAuth defines a protocol for acquiring a signed JWT token via Query String and API, and includes an audience attribute to validate that the user is authorized to use the application in question (in this case Flagr). Flagr doesn't provide a way to acquire a JWT and can only validate the signature of the token without testing the token's attributes.

fenriskiba avatar Mar 01 '19 16:03 fenriskiba

I'd be interested in helping work on this. I have a situation where I'd like to be able to auth against a Google login. Do we have any sense as to what would be necessary to make this happen?

crberube avatar Mar 05 '19 00:03 crberube

What is your current OAuth or SSO solution in your company? Is it possible that you implement your own login page with any ID providers you have, and just store the final access token as a subdomain.your_company.com cookie?

At the beginning I was thinking of implementing a full-fledged OAuth2 flow, for example, leveraging https://github.com/markbates/goth and we can cover some major social login cases. I'm not 100% sure, but it needs flagr to be exposed publicly so that the external ID providers can send a POST callback. I didn't prioritize this approach because I want flagr to be 100% private within our cluster.

And moreover, it turns out that people usually have their own login flow, and we can just piggyback on it and just validate the access token.

That said, if any of you want to bring in OAuth, I'd be happy to help and review the PRs.

The steps I can think of as now:

  1. Set Config.JWTAuthNoTokenRedirectURL=/auth to be a local relative path GET /auth instead of redirecting to other website or pages.
  2. Set Config.JWTAuthPrefixWhitelistPaths to include /auth so that we don't validate access token for /auth related paths.
  3. Serve GET /auth with a static html page, with login buttons (e.g. Google, GitHub, etc.). Buttons point to GET /auth/{provider}
  4. Serve GET /auth/{provider}/, POST /auth/{provider}/callback, and GET /auth/logout/{provider} with goth. For example, https://github.com/markbates/goth/blob/master/examples/main.go#L188-L218
  5. Set corresponding env variables for client_key and client_secret.
  6. Expose flagr to the public so that Google or GitHub can send the callback.

zhouzhuojie avatar Mar 05 '19 00:03 zhouzhuojie
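Steps 1 and 2 of the plan above (redirect to a local /auth page when no token is present, and exempt /auth-prefixed paths from validation) can be shown as a small net/http middleware. This is an added example, not Flagr's own middleware or configuration types: `AuthConfig`, `AuthMiddleware` and `probe` are hypothetical names chosen here, the `validate` callback stands in for whatever signature/claims check is in place, and the Accept-header rule (browsers get a 302, API clients get a 401) is an assumption about desired behaviour rather than something the thread specifies.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// AuthConfig mirrors the two settings named in the thread. Constructed for
// this example; Flagr's real Config type is not reproduced here.
type AuthConfig struct {
	NoTokenRedirectURL   string   // e.g. "/auth": where unauthenticated browsers are sent
	PrefixWhitelistPaths []string // e.g. "/auth": served without any token check
	CookieName           string   // cookie that may carry the access token
}

// tokenFrom returns the bearer token from the Authorization header or the
// configured cookie, or "" when neither carries one.
func tokenFrom(r *http.Request, cookieName string) string {
	if h := r.Header.Get("Authorization"); strings.HasPrefix(h, "Bearer ") {
		return strings.TrimPrefix(h, "Bearer ")
	}
	if c, err := r.Cookie(cookieName); err == nil {
		return c.Value
	}
	return ""
}

// isWhitelisted reports whether the path starts with any exempt prefix.
// Empty prefixes are ignored so a misconfigured "" cannot exempt everything.
func isWhitelisted(path string, prefixes []string) bool {
	for _, p := range prefixes {
		if p != "" && strings.HasPrefix(path, p) {
			return true
		}
	}
	return false
}

// AuthMiddleware: whitelisted prefixes bypass the check entirely; requests
// without a token are redirected (browsers) or rejected with 401 (API
// clients); requests with a token are passed to validate before reaching next.
func AuthMiddleware(cfg AuthConfig, validate func(token string) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isWhitelisted(r.URL.Path, cfg.PrefixWhitelistPaths) {
			next.ServeHTTP(w, r)
			return
		}
		tok := tokenFrom(r, cfg.CookieName)
		if tok == "" {
			if strings.Contains(r.Header.Get("Accept"), "text/html") {
				http.Redirect(w, r, cfg.NoTokenRedirectURL, http.StatusFound)
				return
			}
			http.Error(w, "missing token", http.StatusUnauthorized)
			return
		}
		if !validate(tok) {
			http.Error(w, "invalid token", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one GET through the handler and returns the status code and
// Location header, so the behaviour can be checked without a listening server.
func probe(h http.Handler, path, accept, authHeader string) (int, string) {
	r := httptest.NewRequest("GET", path, nil)
	if accept != "" {
		r.Header.Set("Accept", accept)
	}
	if authHeader != "" {
		r.Header.Set("Authorization", authHeader)
	}
	w := httptest.NewRecorder()
	h.ServeHTTP(w, r)
	return w.Code, w.Header().Get("Location")
}

func main() {
	cfg := AuthConfig{NoTokenRedirectURL: "/auth", PrefixWhitelistPaths: []string{"/auth"}, CookieName: "access_token"}
	validate := func(tok string) bool { return tok == "demo-token" } // stand-in for real JWT validation
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	h := AuthMiddleware(cfg, validate, ok)

	code, loc := probe(h, "/", "text/html", "")
	fmt.Println("browser without token:", code, "->", loc)
	code, _ = probe(h, "/api/v1/flags", "application/json", "")
	fmt.Println("API client without token:", code)
	code, _ = probe(h, "/auth/google", "text/html", "")
	fmt.Println("whitelisted /auth path:", code)
	code, _ = probe(h, "/api/v1/flags", "application/json", "Bearer demo-token")
	fmt.Println("API client with valid token:", code)
}
```

The whitelist check is deliberately a prefix match on the raw path; when adopting this pattern, keep the list short and specific, since a prefix such as `/a` would exempt far more than `/auth`.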

I added the OAuth by putting flagr behind a reverse proxy and using vouch for authentication.

This is not an out of the box solution but it works really well.

irwing-reza avatar Mar 07 '19 18:03 irwing-reza

Interesting!

@zhouzhuojie thanks for the details.

I agree about keeping the application private within the cluster, that is how we have things set up right now as well. I was talking to some folks about how we want to handle auth and it sounds like we are moving towards using Google's Cloud Identity-Aware Proxy. I don't know a whole lot about it at this point, but I see that it can provide JWT tokens via signed headers with the ES256 algorithm. At this point the question from me would be are you open to a PR at some point that could expand the JWT handling in Flagr?

crberube avatar Mar 07 '19 19:03 crberube

Definitely open to it. We have HS256 and RS256 now, and it should be straightforward to add more JWT validations.

https://github.com/checkr/flagr/blob/master/pkg/config/middleware.go#L122-L132

zhouzhuojie avatar Mar 07 '19 19:03 zhouzhuojie
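Adding ES256 to the HS256/RS256 validation discussed here, together with the audience and expiry checks the issue asks for, can be done with the Go standard library alone. The following is an added example, not Flagr's middleware and not from the linked file: `Claims`, `VerifyES256`, `SignES256` and `NewDemoKey` are names invented here, the `aud` claim is assumed to be a plain string (the JWT spec also allows an array, which this code does not handle), and `SignES256`/`NewDemoKey` exist only so the example can mint a token to verify; in a deployment the token would come from the identity provider and the public key from its published key set.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims is the subset of JWT claims this example checks. The aud claim is
// assumed to be a single string (constructed simplification; JWT also allows
// an array of audiences).
type Claims struct {
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// VerifyES256 checks a compact JWT: pinned alg, ES256 signature over
// header.payload using pub, then audience and expiry. Returns the claims
// only if every check passes.
func VerifyES256(token string, pub *ecdsa.PublicKey, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: expected header.payload.signature")
	}
	hdrRaw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("header: %w", err)
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil {
		return nil, fmt.Errorf("header: %w", err)
	}
	// Pin the algorithm on the verifier side; the token must not choose how it is checked.
	if hdr.Alg != "ES256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("signature: expected 64 raw bytes (R||S)")
	}
	r := new(big.Int).SetBytes(sig[:32])
	s := new(big.Int).SetBytes(sig[32:])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature verification failed")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	// A valid signature is not enough: the token must be meant for this app and still current.
	if c.Aud != wantAud {
		return nil, fmt.Errorf("audience %q is not %q", c.Aud, wantAud)
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired or has no exp claim")
	}
	return &c, nil
}

// SignES256 mints a token for the demo. JWT ES256 signatures are the raw
// 32-byte R and S values concatenated, not ASN.1 DER.
func SignES256(c Claims, priv *ecdsa.PrivateKey) (string, error) {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`))
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	pl := base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(hdr + "." + pl))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return hdr + "." + pl + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// NewDemoKey generates a throwaway P-256 key pair for the example.
func NewDemoKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func main() {
	priv, _ := NewDemoKey()
	now := time.Now()
	tok, _ := SignES256(Claims{Sub: "alice", Aud: "flagr", Exp: now.Add(time.Hour).Unix()}, priv)
	_, err := VerifyES256(tok, &priv.PublicKey, "flagr", now)
	fmt.Println("token for flagr accepted:", err == nil)
	_, err = VerifyES256(tok, &priv.PublicKey, "other-app", now)
	fmt.Println("same token presented to other-app:", err)
}
```

The audience check is the part the original issue calls out: a token that is signed by the right key but issued for a different application should still be rejected.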

Hey all! I'm trying to set up flagr behind an OAuth2Proxy to be authenticated with Google. Latest versions allow proxy-passing the Authorization header using the id_token that Google provides; it's a JWT token with the ES256 algorithm, as @crberube said.

But from here I'm not sure how to proceed with flagr, as it's not properly authorizing requests with those authorization headers.

We want to set this up for the audit_logs so we properly audit each interaction within flagr.

Thanks in advance.

pacoguzman avatar May 06 '19 13:05 pacoguzman

You can also enable the basic auth. For the GUI, you will be prompted to enter your user name and password. For the API, you will need to pass the header Authentication: Basic base64decode(username:password)

yulintan avatar Apr 17 '20 20:04 yulintan

Stale issue message

github-actions[bot] avatar Aug 26 '22 21:08 github-actions[bot]