Skip to content

As user I want others to authenticate using OIDC, so access is secured #3

Description

@whymatter

Purpose

harbour.rocks targets on-premise installations and is therefore intended to authenticate users with an existing identity. Nowadays OIDC (Open Id Connect) is used for authenticating people by a third party authentication provider.

Authentication should work with any OIDC provider but we are testing especially with Azure AD

After extensive research and many hours wasted, I decided to use the code flow with PKCE, which is a client-driven flow replacing the old implicit flow. A good article is liked down below.

Terminology

OpenId Provider => Azure (they provide an identification)
Relying Party => harbour.rocks (since we are relying on azure for authentication)

Requirements

  • harbour UI has to generate the code_verifier and store it
  • harbour UI has to redirect to the OpenId Provider
  • OpenId Provider performs authentication
  • OpenId Provider redirects to harbour UI
  • harbour UI exchanges id_token only (need code_verifier for this)
  • harbour UI calls /auth endpoint with id_token
  • harbour IAM registers new user (if new)
  • If harbour * notices an invalid id_token it returns 401 Unauthorized
  • harbour UI has to redirect to login on 401 Unauthorized

Notes

  • Logout not implemented for now

Subtasks

  • Setup login button, directly generate code_verifier and redirect to OpenId Provider
  • On redirect from OpenId Provider, exchange id_token
  • Implement /refresh endpoint to either create harbour user (return 201) or do nothing (return
  • Include id_token in every request
  • On 401 Unauthorized redirect to login (which is the OIDC Provider)200)
  • GraphQL mutation to refresh user account (IAM endpoint does exist /refresh)

Some Links

https://openid.net/connect/

https://openid.net/specs/openid-connect-core-1_0.html

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc

https://christianlydemann.com/implicit-flow-vs-code-flow-with-pkce/

https://christianlydemann.com/openid-connect-with-angular-8-oidc-part-7/

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions