Purpose
harbour.rocks targets on-premise installations and is therefore intended to authenticate users with an existing identity. Nowadays OIDC (Open Id Connect) is used for authenticating people by a third party authentication provider.
Authentication should work with any OIDC provider but we are testing especially with Azure AD
After extensive research and many hours wasted, I decided to use the code flow with PKCE, which is a client-driven flow replacing the old implicit flow. A good article is liked down below.
Terminology
OpenId Provider => Azure (they provide an identification)
Relying Party => harbour.rocks (since we are relying on azure for authentication)
Requirements
- harbour UI has to generate the
code_verifier and store it
- harbour UI has to redirect to the OpenId Provider
- OpenId Provider performs authentication
- OpenId Provider redirects to harbour UI
- harbour UI exchanges
id_token only (need code_verifier for this)
- harbour UI calls /auth endpoint with
id_token
- harbour IAM registers new user (if new)
- If harbour * notices an invalid
id_token it returns 401 Unauthorized
- harbour UI has to redirect to login on
401 Unauthorized
Notes
- Logout not implemented for now
Subtasks
Some Links
https://openid.net/connect/
https://openid.net/specs/openid-connect-core-1_0.html
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc
https://christianlydemann.com/implicit-flow-vs-code-flow-with-pkce/
https://christianlydemann.com/openid-connect-with-angular-8-oidc-part-7/
Purpose
harbour.rocks targets on-premise installations and is therefore intended to authenticate users with an existing identity. Nowadays OIDC (Open Id Connect) is used for authenticating people by a third party authentication provider.
Authentication should work with any OIDC provider but we are testing especially with Azure AD
After extensive research and many hours wasted, I decided to use the code flow with PKCE, which is a client-driven flow replacing the old implicit flow. A good article is liked down below.
Terminology
OpenId Provider => Azure (they provide an identification)
Relying Party => harbour.rocks (since we are relying on azure for authentication)
Requirements
code_verifierand store itid_tokenonly (needcode_verifierfor this)id_tokenid_tokenit returns401 Unauthorized401 UnauthorizedNotes
Subtasks
code_verifierand redirect to OpenId Providerid_tokenid_tokenin every request401 Unauthorizedredirect to login (which is the OIDC Provider)200)Some Links
https://openid.net/connect/
https://openid.net/specs/openid-connect-core-1_0.html
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc
https://christianlydemann.com/implicit-flow-vs-code-flow-with-pkce/
https://christianlydemann.com/openid-connect-with-angular-8-oidc-part-7/