Improve documentation about PKCE

[gargrag]

Hi, we are trying to adopt the tool, and we are struggling trying to configure PKCE with google auth, PKCE it's kind of new, we may not be fully getting it. But is it possible that you guys can help us configure that, so that we can contribute to the docs?

The issue now, is that without an auth provider, the app is not usable. We also detected that may be an inconsistency between the docs and the code with this env var

I also asked on a separate issue, and I tried reading the docs, but is still not clear, and I think this may be the case for the majority of the users.

Thanks

[johnbuhay]

Is anyone successfully using the PKCE plugin? We are getting 401 responses but no redirect or log detailing why. Here is what we have tried so far and what we have learned:

I have not confirmed yet what Authorized redirect URIs to list on the IDP side of things. Can you point us to this? What I have found is

dispatch/src/dispatch/static/dispatch/src/auth/pkceAuthProvider.js

Line 96 in 355eb65

window.location.protocol + "//" + window.location.host + "/implicit/callback"

dispatch configuration

DISPATCH_AUTHENTICATION_PROVIDER_SLUG=dispatch-auth-provider-pkce
DISPATCH_AUTHENTICATION_PROVIDER_PKCE_JWKS=https://www.googleapis.com/oauth2/v3/certs
VUE_APP_DISPATCH_AUTHENTICATION_PROVIDER_PKCE_OPEN_ID_CONNECT=https://accounts.google.com/.well-known/openid-configuration
VUE_APP_DISPATCH_AUTHENTICATOIN_PROVIDER_PKCE_CLIENT_ID=<IDP generated>.apps.googleusercontent.com

According to the documentation DISPATCH_AUTHENTICATION_PROVIDER_PKCE_JWK is necessary. I think you meant DISPATCH_AUTHENTICATION_PROVIDER_PKCE_JWKS and the type is incorrect/not specified? Although this URL is available in the .well-known/openid-configuration response

• https://hawkins.gitbook.io/dispatch/configuration/app#dispatch_authentication_provider_pkce_jwk-default-true
• https://github.com/Netflix/dispatch/search?q=DISPATCH_AUTHENTICATION_PROVIDER_PKCE_JWK&unscoped_q=DISPATCH_AUTHENTICATION_PROVIDER_PKCE_JWK

other resources:

• https://www.oauth.com/oauth2-servers/single-page-apps/
• https://developers.google.com/identity/protocols/oauth2/javascript-implicit-flow
• https://developers.google.com/identity/protocols/oauth2/web-server
• https://developers.google.com/identity/protocols/oauth2/openid-connect

[kevgliss]

Unfortunately, I believe every IDP will be a little bit different. I haven't personally tried to integrate with the Google IDP itself (we have an internal IDP based on Ping) so I don't have explicit directions however our hope is that in choosing PKCE as a standard we should be able to support any IDP that supports PKCE.

A few thoughts:

@gargrag @johnbuhay -- Yes, you're correct, the docs should say DISPATCH_AUTHENTICATION_PROVIDER_PKCE_JWKS not DISPATCH_AUTHENTICATION_PROVIDER_PKCE_JWK. See here

As far as what redirectURI to list, it's up to your IDP what they allow, some allow wildcarding i.e. you could whitelist the root of the app https://dispatch.example.net/* others will require a known callback so you would use https://dispatch.example.net/implicit/callback that should then forward you along.

You said you're receiving a 401, are you being forwarded to your IDP provider? Some things you could check:

Are you seeing successful requests to your openIdConnect issuer in your network tab? This call happends here

If you are getting redirected to your IDP, are you getting a code_verifier query parameter back? This is a query parameter unique to PKCE, if not it could point to a configuration issue on the IDP.

If it helps this is what the console looks like for a valid PKCE handshake:

One last thing, looking at the google docs it looks like this is a lot closer to what I would expect:
https://developers.google.com/identity/protocols/oauth2/native-app

I know it's listed as a native app (which is confusing), but that's only because that is where folks typically use PKCE.

cc @willbengtson

[johnbuhay]

No, we do not get redirected to the IDP

I have verified the IDP configuration successfully using the /implicit/callbackauthorized_uri and https://github.com/aaronpk/pkce-vanilla-js

*Note: wildcard substitution for paths are not supported by Google OAuth clients

[kevgliss]

Can you set a breakpoint here:
https://github.com/Netflix/dispatch/blob/develop/src/dispatch/static/dispatch/src/router/index.js#L27

And verify that you're entering the PKCE auth flow?

[kevgliss]

If you're building the JS app separately (i.e. not having the dispatch install do it for you). There are a few things you will have to do to get the var set correctly. Essentially you will need a .env available at build time for the frontend (it needs to exist in that dir). See: https://github.com/Netflix/dispatch/blob/develop/src/dispatch/static/dispatch/.env.example_vue_app

It could be we also need to specify VUE_APP_DISPATCH_AUTHENTICATION_PROVIDER_SLUG=dispatch-auth-provider-pkce in that particular file (to trigger that auth flow).

[willbengtson]

VUE_APP_DISPATCH_AUTHENTICATION_PROVIDER_SLUG=dispatch-auth-provider-pkce is needed and verified we use the dispatch-auth-provider-pkce plugin here

[johnbuhay]

We are building using the provided Dockerfile. Adding the .env and updating the vars solved our issue where the PKCE flow was not being initiated. I missed that.

We now have a new issue where process.env.VUE_APP_DISPATCH_AUTHENTICATION_PROVIDER_PKCE_OPEN_ID_CONNECT_URL in the debugger is unknown and AuthorizationServiceConfiguration fails to build the url.

Now,
the /.env file looks like

DISPATCH_AUTHENTICATION_PROVIDER_SLUG="dispatch-auth-provider-pkce"
VUE_APP_DISPATCH_AUTHENTICATION_PROVIDER_PKCE_OPEN_ID_CONNECT_URL="https://accounts.google.com"
VUE_APP_DISPATCH_AUTHENTICATION_PROVIDER_PKCE_CLIENT_ID="<REDACTED>.apps.googleusercontent.com"

the /src/dispatch/static/dispatch/.env file looks like:

# Authentication
VUE_APP_DISPATCH_OPEN_ID_CONNECT_URL="https://accounts.google.com"
VUE_APP_DISPATCH_CLIENT_ID="<REDACTED>.apps.googleusercontent.com"
VUE_APP_DISPATCH_AUTHENTICATION_PROVIDER_SLUG="dispatch-auth-provider-pkce"

thanks for your help

[johnbuhay]

So it seems we have an issue where at build time, process.env.VAR is not being interpolated.

Looking into
https://github.com/Netflix/dispatch/blob/develop/docker/Dockerfile#L92
https://github.com/Netflix/dispatch/blob/develop/setup.py

[kevgliss]

I wonder if we're missing a COPY for the ENV file at some point. I would have thought this would be enough:

https://github.com/Netflix/dispatch/blob/develop/docker/Dockerfile#L89

[johnbuhay]

I have discovered this VUE_APP_DISPATCH_AUTHENTICATION_PROVIDER_PKCE_OPEN_ID_CONNECT is unused.

It should be: VUE_APP_DISPATCH_AUTHENTICATION_PROVIDER_PKCE_OPEN_ID_CONNECT_URL

And the keys in .env.example_vue_app are only referenced in that file?

dispatch/src/dispatch/static/dispatch/.env.example_vue_app

Lines 2 to 3 in e6d3a3e

	VUE_APP_DISPATCH_OPEN_ID_CONNECT_URL=""
	VUE_APP_DISPATCH_CLIENT_ID=""

[johnbuhay]

I wonder if we're missing a COPY for the ENV file at some point. I would have thought this would be enough:

https://github.com/Netflix/dispatch/blob/develop/docker/Dockerfile#L89

It is enough and to verify I added RUN ls -lah /usr/src/dispatch/ && ls -lah /usr/src/dispatch/src/dispatch/static/dispatch/ && exit 1 to look for the .env during the build

[johnbuhay]

Status update:

After baking the client_id and oidc_url into a new container we are triggering the pkce plugin and redirect to the IDP for login.
We now get stuck on the /implicit/callback?...&prompt=consent.

Furthermore it seems the Google token retrieval requires client_secret, and I do not see anywhere we are providing that to dispatch.

Otherwise, it seems we will need to author a plugin to work with Google IDP...
https://developers.google.com/identity/protocols/oauth2/javascript-implicit-flow#request-parameter-response_type

[kevgliss]

We could add the ability to set the client_secret easily enough, according to the library we use to handle this flow (AppAuth) that "secret" isn't really a secret: openid/AppAuth-JS#46

Again, each IDP is a bit different. If you do wish to go down the road of having a different auth flow, I would be happy to merge something in if it makes it easier for folks to use the app.

[johnbuhay]

A few things to note

1 - I will try to get a PR merged in the openid/appauth library, that will probably take some time as other PR's seem to have stalled on the project. Currently, it is missing support for passing the optional client_secret to requests. I can understand why as the RFC6749#section-4.1.3 outlines.

2 - Creating Google OAuth credentials with Desktop type does not allow you to specify redirect_uri and are intentionally limited to "redirect_uris": ["urn:ietf:wg:oauth:2.0:oob", "http://localhost"].