
Oauth #50

Merged (38 commits, Jun 12, 2018)

Conversation

cainlevy (Member) commented May 8, 2018

Adds OAuth support to AuthN.

In this setup, AuthN hides all of the OAuth 2.0 implementation details from the main application. The main application redirects users through AuthN and then relies on the refresh endpoint to acquire an identity token.

An AuthN account may have a linked identity with each configured provider.

Only Google OAuth has been implemented, but other providers are easy to add.

Currently there is no way for the application to know if a user's session originated with OAuth. In the future, AuthN may provide the application with the user's current access token for business logic.

Outcomes

There are three success outcomes of the OAuth integration:

  1. Login -- if the provider identity has been linked before, AuthN will establish a session for the existing account. The application should already have a user profile.
  2. Account Connection -- if the provider identity is unknown but AuthN has a valid session for an account that has not linked to the provider, then AuthN will connect the identity to the existing account.
  3. Signup -- if the provider identity is unknown and AuthN does not have a current session, then AuthN will attempt to create a new account with the linked identity. The application should detect a missing user profile and finish registration.

Failure outcomes include:

  • Attempting to redirect to a URL that does not match one of the configured application domains
  • Tampering with the OAuth return URL
  • Attempting a CSRF attack on the OAuth return action
  • Taking more than an hour to complete the OAuth flow
  • Attempting to authenticate with a locked account

TODO

  • integration proof with demo app
  • Docs on new config variables
  • Docs on howto
  • More provider integrations (Facebook & GitHub are priorities)
  • List the new feature (beta)

Fixes #11

Provider is now a struct, not an interface. The constructor requires all the necessary bits. This makes it easier to put common behavior somewhere, like injecting the return URL or adding extra scopes (TBD).

This enables Google OAuth integration. Ideally the others only need a single credential pair as well.

In some degenerate cases we must return to a failsafe URL.

I can't see how it's necessary here. Should clean this up.
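The three success outcomes and the failure conditions listed in the PR description can be read as one decision procedure on the OAuth return action. The following is an added illustration written for this page, not AuthN's own code: it assumes an in-memory store in place of AuthN's account and identity tables, a numeric session account ID of 0 meaning "no current session", a one-hour limit on the flow (the PR gives the duration but not the mechanism), and, as an assumption the PR does not spell out, that a session account which already has an identity for the same provider gets an error rather than a second link. All names (`Store`, `ResolveOutcome`, `ValidateReturnURL`, `CheckState`) are invented for the example.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Outcome is one of the three success results of the OAuth return action.
type Outcome int

const (
	Login   Outcome = iota // identity already linked: session for the existing account
	Connect                // unknown identity, valid session: link to the current account
	Signup                 // unknown identity, no session: create a new account
)

func (o Outcome) String() string { return [...]string{"login", "connect", "signup"}[o] }

var (
	ErrLocked        = errors.New("account is locked")
	ErrAlreadyLinked = errors.New("session account already linked to this provider") // assumed behaviour
	ErrBadReturnURL  = errors.New("return URL does not match a configured application domain")
	ErrStateMismatch = errors.New("oauth state does not match the nonce cookie")
	ErrFlowExpired   = errors.New("oauth flow took longer than one hour")
)

// Account is a minimal stand-in for an AuthN account row (assumed shape).
type Account struct {
	ID     int
	Locked bool
}

// Store is an in-memory stand-in for AuthN's account and identity tables.
type Store struct {
	accounts   map[int]*Account
	identities map[string]int // "provider|providerUserID" -> account ID
	nextID     int
}

func NewStore() *Store {
	return &Store{accounts: map[int]*Account{}, identities: map[string]int{}, nextID: 1}
}

func (s *Store) AddAccount(locked bool) *Account {
	a := &Account{ID: s.nextID, Locked: locked}
	s.accounts[a.ID] = a
	s.nextID++
	return a
}

func (s *Store) Link(provider, providerUserID string, accountID int) {
	s.identities[provider+"|"+providerUserID] = accountID
}

// linkedProvider reports whether accountID already has any identity from provider.
func (s *Store) linkedProvider(accountID int, provider string) bool {
	for key, id := range s.identities {
		if id == accountID && strings.HasPrefix(key, provider+"|") {
			return true
		}
	}
	return false
}

// ResolveOutcome applies the three-way decision from the PR description.
// sessionAccountID is 0 when AuthN has no current session.
func (s *Store) ResolveOutcome(provider, providerUserID string, sessionAccountID int) (Outcome, *Account, error) {
	if id, ok := s.identities[provider+"|"+providerUserID]; ok {
		acct := s.accounts[id]
		if acct.Locked {
			return 0, nil, ErrLocked
		}
		return Login, acct, nil // 1. Login
	}
	if acct, ok := s.accounts[sessionAccountID]; ok {
		if acct.Locked {
			return 0, nil, ErrLocked
		}
		if s.linkedProvider(acct.ID, provider) {
			return 0, nil, ErrAlreadyLinked // assumption: the PR only covers an unlinked account
		}
		s.Link(provider, providerUserID, acct.ID)
		return Connect, acct, nil // 2. Account Connection
	}
	acct := s.AddAccount(false)
	s.Link(provider, providerUserID, acct.ID)
	return Signup, acct, nil // 3. Signup; the app must notice the missing profile
}

// ValidateReturnURL rejects redirects whose host is not one of the configured
// application domains (exact host match; scheme must be http or https).
func ValidateReturnURL(raw string, domains []string) error {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return ErrBadReturnURL
	}
	for _, d := range domains {
		if strings.EqualFold(u.Hostname(), d) {
			return nil
		}
	}
	return ErrBadReturnURL
}

// CheckState guards the return action against CSRF (state must equal the nonce
// cookie, compared in constant time) and against flows older than one hour.
func CheckState(cookieNonce, stateParam string, issuedAt, now time.Time) error {
	if subtle.ConstantTimeCompare([]byte(cookieNonce), []byte(stateParam)) != 1 {
		return ErrStateMismatch
	}
	if now.Sub(issuedAt) > time.Hour {
		return ErrFlowExpired
	}
	return nil
}

func main() {
	s := NewStore()
	existing := s.AddAccount(false)
	s.Link("google", "user-1", existing.ID) // constructed fixture: one linked identity
	cases := []struct {
		uid     string
		session int
	}{{"user-1", 0}, {"user-2", existing.ID}, {"user-3", 0}}
	for _, c := range cases {
		o, a, err := s.ResolveOutcome("google", c.uid, c.session)
		fmt.Println(c.uid, o, a, err)
	}
}
```

The order of checks matters: the identity lookup runs before the session check, so a linked identity always wins even when a different account is signed in, which is what the PR's first outcome requires. The domain check and the state check both run before `ResolveOutcome` is ever consulted, so a tampered return URL or a forged return request never reaches account logic.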
k1ng440 commented May 24, 2018

does it work now?

cainlevy (Member, Author) replied

yes! 🎉

I currently have it working in a demo app, and have written some basic docs for how to integrate. I've been ill the past few days, though, and haven't settled on a release plan.

If you're in a position to build and try this branch, that would be awesome. Otherwise I'll plan on making a new release of AuthN with OAuth in some kind of beta status.

cainlevy merged commit e2580fb into master on Jun 12, 2018, and deleted the oauth branch on June 12, 2018 at 20:06.