feat: oidc authentication and session management #217

Merged: 1 commit, Apr 11, 2023

kushsharma commented Apr 1, 2023

  • on successful authentication, a cookie with sid is set
  • on successful authentication, a jwt token in response headers is set via x-user-token containing details related to the user and its org
  • jwt public keys are available at /jwks.json
  • check examples/auth directory for usage
  • feat(shield): support for oidc authentication proton#253

Additional config added in app section

  # configuration to allow authentication in shield
  authentication:
    # to use shield as session store
    session:
      # both of them should be 32 chars long
      # hash helps identify if the value is tampered with
      hash_secret_key: "hash-secret-should-be-32-chars--"
      # block helps in encryption
      block_secret_key: "block-secret-should-be-32-chars-"
    # once authenticated, server responds with a jwt with user context
    token:
      # generate key file via "./shield server gen rsa"
      rsa_path: ./temp/rsa
      iss: "http://localhost.shield"
    # external host used for oidc redirect uri, e.g. http://localhost:7400/admin/v1beta1/auth/callback
    oidc_callback_host: http://localhost:7400/admin/v1beta1/auth/callback
    # oidc auth server configs
    oidc_config:
      google:
        client_id: "xxxxx.apps.googleusercontent.com"
        client_secret: "xxxxx"
        issuer_url: "https://accounts.google.com"
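
A consumer-side check of the `x-user-token` header described above, as an added example that is not part of this PR or of shield's code: it verifies the JWT against the key set served at `/jwks.json` and compares `iss` with the configured `token.iss`. RS256 signing, a `kid` header, and the function name `VerifyUserToken` are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// VerifyUserToken checks an x-user-token JWT against a /jwks.json body (RS256 and "kid" assumed).
func VerifyUserToken(token string, jwks []byte, wantIss string) (map[string]any, error) {
	dec := base64.RawURLEncoding.DecodeString
	num := func(s string) *big.Int { b, _ := dec(s); return new(big.Int).SetBytes(b) }
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, fmt.Errorf("token has %d segments, want 3", len(p))
	}
	var hdr struct{ Alg, Kid string }
	hb, _ := dec(p[0])
	if json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg) // pinning rejects "none" and HS256
	}
	var set struct{ Keys []struct{ Kty, Kid, N, E string } }
	var claims map[string]any
	pb, _ := dec(p[1])
	sig, _ := dec(p[2])
	if json.Unmarshal(jwks, &set) != nil || json.Unmarshal(pb, &claims) != nil {
		return nil, fmt.Errorf("undecodable jwks or payload")
	}
	sum := sha256.Sum256([]byte(p[0] + "." + p[1]))
	for _, k := range set.Keys {
		pub := &rsa.PublicKey{N: num(k.N), E: int(num(k.E).Int64())}
		if k.Kty != "RSA" || k.Kid != hdr.Kid || rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) != nil {
			continue
		}
		if claims["iss"] != wantIss { // must equal token.iss from the server config
			return nil, fmt.Errorf("issuer %v, want %q", claims["iss"], wantIss)
		}
		return claims, nil
	}
	return nil, fmt.Errorf("no key with kid %q verifies the signature", hdr.Kid)
}

func main() { // constructed alg=none token: rejected before any key is consulted
	fmt.Println(VerifyUserToken("eyJhbGciOiJub25lIn0.e30.", []byte(`{"keys":[]}`), "http://localhost.shield"))
}
```

Time-based claims such as `exp` are not checked here; a caller that relies on them has to validate them separately.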

kushsharma added the enhancement (New feature or request) label Apr 1, 2023
kushsharma force-pushed the authn-session branch 3 times, most recently from e2e4e2f to 41b5f35 April 2, 2023 08:02
coveralls commented Apr 2, 2023

Pull Request Test Coverage Report for Build 4658548589

  • 52 of 317 (16.4%) changed or added relevant lines in 9 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage decreased (-1.5%) to 56.005%

| Changes Missing Coverage | Covered Lines | Changed/Added Lines | % |
|---|---|---|---|
| internal/api/v1beta1/v1beta1.go | 0 | 13 | 0.0% |
| cmd/serve.go | 0 | 16 | 0.0% |
| cmd/server.go | 14 | 30 | 46.67% |
| internal/store/postgres/flow_repository.go | 0 | 18 | 0.0% |
| internal/store/postgres/session_repository.go | 0 | 18 | 0.0% |
| internal/api/v1beta1/user.go | 24 | 47 | 51.06% |
| internal/store/postgres/organization_repository.go | 0 | 48 | 0.0% |
| internal/api/v1beta1/authenticate.go | 13 | 126 | 10.32% |

Totals

  • Change from base Build 4496853566: -1.5%
  • Covered Lines: 4696
  • Relevant Lines: 8385

💛 - Coveralls

- on successful authentication a cookie with 'sid' is set
- on successful authentication a jwt token in response headers
is set via 'x-user-token' containing details related to user and its org
- jwt public keys are available at /jwks.json

Signed-off-by: Kush Sharma <thekushsharma@gmail.com>
block_secret_key: "block-secret-should-be-32-chars-"
# once authenticated, server responds with a jwt with user context
token:
# generate key file via "./shield server gen rsa"
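Review bot: the `block_secret_key` value on the first line of this excerpt is a readable placeholder, so a deployment that copies the sample config unchanged would run with a session key that is public in the repository. Suggest stating in the sample's comments that both session keys must be replaced with randomly generated 32-character values, or leaving the sample value empty so the operator has to set one.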
To generate key file, command is

./shield server keygen

Also, I think the example dir does not contain all files.
Am I missing something?

kushsharma requested a review from pyadav April 10, 2023 10:15
kushsharma merged commit 1f89e16 into main Apr 11, 2023
6 checks passed
kushsharma deleted the authn-session branch April 11, 2023 03:37