Add the ability to configure and provide Oauth2

[Firstyear]

Fixes #329 relates #278. This is the core implementation of Oauth2 for Kanidm. There are still a number of outstanding todos such as:

• Resource Server display names
• Scope mapping
• Authorisation/Filtering of who can access what resource servers
• Token introspection
• The Web UI elements for a clean workflow
• Open ID Connect
• Book chapters and documentation of how to configure resource servers

• [ x ] cargo fmt has been run
• [ x ] cargo clippy has been run
• [ x ] cargo test has been run and passes
• [ - ] book chapter included (if relevant)
• [ x ] design document included (if relevant)

[QnnOkabayashi]

I'm still a little confused where Kanidm comes into the Oauth2 process. We're both the client and the server? Are we the Auth server but not the resource server? What do we do differently from the oauth2 crate?

[QnnOkabayashi]

Wait can you give a quick rundown on what pieces of Oauth2 this file implements? I watched some videos on it but am still very confused.

[Firstyear]

We are an identity provider.

Consider an application like "gitter". When you go there is says "do you want to authenticate with github?". In this case the "resource server" is gitter, and kanidm would be "github", where we are providing identities and authorisation to external applications.

[QnnOkabayashi]

So ideally in the future there would be options like "Sign in with Kanidm"?

[Firstyear]

For resource servers, yes, they could add that option. More generically it's "sign in with openidconnect" or "sign in with oauth", which has more relevance inside an organisation that the public internet.

[Firstyear]

I'm still a little confused where Kanidm comes into the Oauth2 process. We're both the client and the server? Are we the Auth server but not the resource server? What do we do differently from the oauth2 crate?

Right, oauth2 has three parts:

• Client, the browser where a user is sitting
• Resource Server, the system or resource you want to access
• Identity Provider, the holder of who you are and decided if you have access.

Oauth2 is a system that allows a client, when accessing a resource server, to be redirected to the IDP to make authorisation decisions on behalf of the resource server.

In this way, Kanidm will be the IDP.

We also need to implement some client and resource server behaviour for testing the behaviour of our IDP.

The oauth2 crate is extremely "opinionated" and only implements the components to be a resource server. It is not possible to use it to be a IDP or Client. Additionally, even for our use as an RS, because it's so opinionated it makes it more complex to try and use it as it implements so much magic behind the scenes, that it's a lot simpler to just bypass that crate all together.

edit: you may want to look at https://github.com/kanidm/kanidm/blob/master/designs/oauth.rst for an extended discussion

Does that help?

[victorcwai]

Though I am no expert in the domain of OAuth, the core functionalities in this PR seems to be implemented correctly to me.
But I think we should add more comments for the OAuth-related functions. Also we could write down the functions/APIs call flow during a successful authentication session. I think that will make it easier to understand.

[QnnOkabayashi]

Is there a way I can see what new changes have been applied since last review? It only shows me which files have changes, not which specific lines.

[QnnOkabayashi]

Is this how AccessTokenRequests are being created outside of tests too?

[Firstyear]

Pretty much yeah :)

[QnnOkabayashi]

Still todo? Isn't this the most important part?

[Firstyear]

No? Token inspection is another rfc and I after I merge this I plan to open a handful of follow up issues such as token introsection :)

[yaleman]

I can't find any issues with this, but... that's a low bar :)

[Firstyear]

Thank you all for your reviews! I'm going to open some follow up issues now