Adds Auth0 as IdP #1611
Adds Auth0 as IdP #1611
Conversation
|
|
||
| constructor(private readonly sessionManager: SessionManager<Auth0Session>) {} | ||
|
|
||
| async getAccessToken( |
There was a problem hiding this comment.
Does it actually make sense to implement OAuth for auth0? Do they have their own APIs that you'd want to talk to? Otherwise I'm thinking we just stick to using it as a IdP only
There was a problem hiding this comment.
I don't have that use case. It was more for someone to use if they wished so.
What are the bare minimum for the Idp? I would need OpenIdConnectApi but ProfileInfoApi, BackstageIdentityApi, SessionStateApi as well?
There was a problem hiding this comment.
Bare minimum for providing a Backstage Identity for now would be ProfileInfoApi, BackstageIdentityApi, SessionStateApi. I think it might make sense to go with only that tbh, as afaik the access and ID tokens would be from the the actual provider used to log in to auth0, and at that point we likely want to stick to the purpose-built APIs we already have for that, e.g. googleAuthApi etc.
There was a problem hiding this comment.
@Rugvip UserSettings's OIDCProviderSettings requires for the API Ref to extend OpenIdConnectApi. I think we should support at least OpenID/ID token since we might not have a dedicated API for some Idp that uses Auth0 supports.
If you prefer to remove it anyway, does it make sense to have it as a SignIn provider? I could me mixing up the concepts of Backstage identity and Open ID
There was a problem hiding this comment.
Removed OAuthAPI.getaccessToken() in the meantime
There was a problem hiding this comment.
The OIDCProviderSettings isn't part of the sign-in flow though, that's for OAuth, i.e. access delegation. A bit more info that here: https://github.com/spotify/backstage/blob/master/docs/auth/index.md#accessing-third-party-services.
Backstage Identity isn't fully settled yet, right now it's mostly there so that we can add some constraints to the implementation of auth providers that want to be used for sign-in. Either way the Backstage identity is a partial implementation of Open ID Connect. Looking at for example the Google provider, which implements both Open ID and Backstage Identity, you get two different ID Tokens, one that proves your Google identity, and one that proves your Backstage identity.
| import { Observable } from '../../../../types'; | ||
|
|
||
| type CreateOptions = { | ||
| // TODO(Following the words of Rugvip): These two should be grabbed from global config when available, they're not unique to Auth0Auth |
There was a problem hiding this comment.
Gonna try to get around to this after these PRs have landed 😅
There was a problem hiding this comment.
JK :D, I can follow up this to clean it up
| tokenParams(): object { | ||
| return { | ||
| 'type': 'web_server', | ||
| 'grant_type': 'client_credentials' |
There was a problem hiding this comment.
This confuses me, I assume we would've wanted authorization_code?
There was a problem hiding this comment.
Yeah I assumed the same but they get the access token with that grant type 🤔 Example in their lib: https://github.com/auth0/passport-auth0/blob/096f789bea36a45a18d1a06accdd73decfb65131/lib/index.js#L143
There was a problem hiding this comment.
Looks like it's hardcoded to authorization_code in the base strategy, so you could just leave it out here: https://github.com/jaredhanson/passport-oauth2/blob/e20f26aad60ed54f0e7952928cbb64979ef8da2b/lib/strategy.js#L167
There was a problem hiding this comment.
Yes, it makes sense. I can test with authorization code to see if behaves according to the RFC
There was a problem hiding this comment.
It works as expected. Wonder why their lib has client_credentials 🤷
| OAuthApi & ProfileInfoApi & BackstageIdentityApi & SessionStateApi & OpenIdConnectApi | ||
| >({ | ||
| id: 'core.auth.auth0', | ||
| description: 'Provides authentication towards Gitlab APIs', |
There was a problem hiding this comment.
the description needs to be updated
| ) { | ||
| if (process.env.NODE_ENV !== 'development') { | ||
| throw new Error( | ||
| 'Failed to initialize OAuth2 auth provider, set AUTH_OAUTH2_CLIENT_ID, AUTH_OAUTH2_CLIENT_SECRET, AUTH_OAUTH2_AUTH_URL, and AUTH_OAUTH2_TOKEN_URL env vars', |
There was a problem hiding this comment.
The env vars in the error and warning messages need to be updated.
| } from '../types'; | ||
| import OAuth2Strategy from 'passport-oauth2'; | ||
|
|
||
| interface OAuth0ProviderConfig { |
There was a problem hiding this comment.
rename OAuth0ProviderConfig -> Auth0ProviderConfig?
| refreshToken: string; | ||
| }; | ||
|
|
||
| export class OAuth2AuthProvider implements OAuthProviderHandlers { |
There was a problem hiding this comment.
rename OAuth2AuthProvider -> Auth0Provider?
jaime-talkdesk
force-pushed
the
adds_auth0
branch
5 times, most recently
from
0bf1895
to
21afcf8
Compare
jaime-talkdesk
force-pushed
the
adds_auth0
branch
from
21afcf8
to
fed39a1
Compare
|
Resolved conflicts with master. The auth config implementation has changed a bit since this was submitted, so we'll need to add auth0 back in the |
|
Hey @jaime-talkdesk - looks like the backend parts need more fixes before this is good to go. We'll take a stab at it in the next couple of days. Let us know if you want to take it up? |
|
Hey @soapraj, thanks for completing the rest 🙏 |
Hey, I just made a Pull Request!
Adds Auth0 for as Identity Provider to Sign In.
I ended up not using
passport-auth0since it's quite opinionated in the sense they have requirements around using request.session which is not being used in the other passport implementations, as well it's own nonce implementation. This would require to addexpress-sessionwhich I'm not sure if this is the way we want to go.✔️ Checklist
yarn test