Add the ability to configure and provide Oauth2 #485
Conversation
I'm still a little confused where Kanidm comes into the Oauth2 process. We're both the client and the server? Are we the Auth server but not the resource server? What do we do differently from the oauth2 crate?
```rust
if self.qs_write.get_changed_ouath2() {
    self.qs_write
        .get_oauth2rs_set(au)
        .and_then(|oauth2rs_set| self.oauth2rs.reload(oauth2rs_set))?;
}
// Commit everything.
self.oauth2rs.commit();
self.pw_badlist_cache.commit();
```
Wait can you give a quick rundown on what pieces of Oauth2 this file implements? I watched some videos on it but am still very confused.
We are an identity provider.
Consider an application like "gitter". When you go there it says "do you want to authenticate with github?". In this case the "resource server" is gitter, and kanidm would be "github", where we are providing identities and authorisation to external applications.
So ideally in the future there would be options like "Sign in with Kanidm"?
For resource servers, yes, they could add that option. More generically it's "sign in with openidconnect" or "sign in with oauth", which has more relevance inside an organisation than on the public internet.
Right, oauth2 has three parts:
Oauth2 is a system that allows a client, when accessing a resource server, to be redirected to the IDP to make authorisation decisions on behalf of the resource server. In this way, Kanidm will be the IDP. We also need to implement some client and resource server behaviour for testing the behaviour of our IDP.

The oauth2 crate is extremely "opinionated" and only implements the components to be a resource server. It is not possible to use it to be an IDP or Client. Additionally, even for our use as an RS, because it's so opinionated it makes it more complex to try and use it, as it implements so much magic behind the scenes that it's a lot simpler to just bypass that crate altogether.

edit: you may want to look at https://github.com/kanidm/kanidm/blob/master/designs/oauth.rst for an extended discussion

Does that help?
Though I am no expert in the domain of OAuth, the core functionalities in this PR seem to be implemented correctly to me.
But I think we should add more comments for the OAuth-related functions. Also we could write down the function/API call flow during a successful authentication session. I think that will make it easier to understand.
Is there a way I can see what new changes have been applied since last review? It only shows me which files have changes, not which specific lines.
```rust
let form_req = AccessTokenRequest {
    grant_type: "authorization_code".to_string(),
    code: code.to_string(),
    redirect_uri: Url::parse("https://demo.example.com/oauth2/flow")
        .expect("Invalid URL"),
    client_id: None,
    code_verifier: pkce_code_verifier.secret().clone(),
};
```
Is this how `AccessTokenRequest`s are being created outside of tests too?
Pretty much yeah :)
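As an added illustration (not code from this PR or from Kanidm), here is the IdP-side handling of a token request shaped like the one above, tying together the roles described earlier in the thread: a constructed in-memory authorization server binds each code to the resource server's PKCE S256 challenge at issue time and redeems it exactly once, so a leaked or replayed code without the matching `code_verifier` yields no token. The `AccessTokenRequest` class only borrows the field names from the test; `IdP`, `demo` and all sample values are assumptions.

```python
import base64, hashlib, secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class AccessTokenRequest:
    # Constructed stand-in using the field names of the struct in the PR's test.
    grant_type: str
    code: str
    redirect_uri: str
    client_id: Optional[str]
    code_verifier: str

def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256 transform: base64url(sha256(verifier)) with padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

class IdP:
    """Minimal authorization server (constructed): hands out codes, redeems each once."""
    def __init__(self):
        self._codes = {}  # code -> (client_id, redirect_uri, code_challenge)

    def issue_code(self, client_id: str, redirect_uri: str, code_challenge: str) -> str:
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def redeem(self, req: AccessTokenRequest, authed_client: str) -> Optional[dict]:
        # authed_client: identity the RS proved to the token endpoint (assumed, as client_id is None)
        if req.grant_type != "authorization_code":
            return None
        entry = self._codes.pop(req.code, None)  # pop: a code can never be redeemed twice
        if entry is None:
            return None
        client_id, redirect_uri, challenge = entry
        if client_id != authed_client or redirect_uri != req.redirect_uri:
            return None
        if not secrets.compare_digest(s256_challenge(req.code_verifier), challenge):
            return None  # verifier does not match the challenge bound to this code
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}

def demo() -> tuple:
    """Constructed run: the RS keeps a verifier, the IdP binds the code to its S256 challenge."""
    idp = IdP()
    rs_id, redirect = "demo_rs", "https://demo.example.com/oauth2/flow"
    verifier = secrets.token_urlsafe(48)  # held by the RS, never sent in the redirect
    code = idp.issue_code(rs_id, redirect, s256_challenge(verifier))
    req = AccessTokenRequest("authorization_code", code, redirect, None, verifier)
    return idp.redeem(req, rs_id) is not None, idp.redeem(req, rs_id) is None
```

The first element of `demo()` shows the legitimate exchange succeeding; the second shows the same request replayed and refused.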
```rust
    .await
    .expect("Unable to decode AccessTokenResponse");

// Step 4 - inspect the granted token.
```
Still todo? Isn't this the most important part?
No? Token inspection is another rfc, and after I merge this I plan to open a handful of follow-up issues such as token introspection :)
I can't find any issues with this, but... that's a low bar :)
Thank you all for your reviews! I'm going to open some follow-up issues now
Fixes #329, relates to #278. This is the core implementation of Oauth2 for Kanidm. There are still a number of outstanding todos such as: