configure openid connect #809

Merged: 17 commits merged into develop from chore/openid-connect on May 28, 2024

Conversation

@hahn-kev (Collaborator) commented May 16, 2024

This PR enables the use of OpenID Connect to authenticate 3rd-party apps with lexbox. For now this is disabled except in local dev; it's pending key-storage decisions. We need to store signing and encryption keys somewhere, and I'm not sure what the best option is right now for production.

How to test:

  1. Open this page: https://oidcdebugger.com/
  2. Enter the following:
  3. Authorize URL: http://localhost:3000/api/login/open-id-auth
  4. Client ID: becf2856-0690-434b-b192-a4032b72067f
  5. Scope: openid profile
  6. Response type: check only "code"
  7. Token URI: http://localhost:3000/api/login/token
  8. Response mode: query
  9. Click the orange "Send Request" button.
  10. If you're not logged in, go to the next step; otherwise go to step 13.
  11. You should land at the lexbox login page with a large ReturnUrl query parameter in the URL. Log in like normal (Google login unknown?); once login is finished, proceed to the next step.
  12. If you haven't approved this app before, go to the next step; otherwise go to step 15.
  13. You should land on a page asking if you want to permit "Oidc Debugger" to access your data:
    image
  14. Click Approve to let the debugger have access.
  15. You should arrive at a page like this:
    image
  16. Scroll down and you should see a section labeled ID Token; you should be able to find your name in the payload JSON object.

If you want to test out the access token (first box, very large token), you can execute a request like this:

```http
GET https://localhost:3000/api/AuthTesting/requires-auth
Authorization: Bearer {token here}
```

It should return success with your user's name. This represents a token that could be used by a 3rd-party app like Language Forge, FLEx lite, or Living Dictionaries to access APIs on behalf of the user.

Flow diagram:

```mermaid
flowchart TD
    approve{Has approved already}
    approveUser(Do you approve?)
    start[debugger authorize] -->|Logged in| approve
    start -->|Not logged in| login(Login)
    login --> approve
    approve -->|no| approveUser
    approve -->|yes| debugger
    approveUser -->|"Approve (success)"| debugger
    approveUser -->|"Deny (fail)"| debugger
```
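The manual test in the PR description, scripted: an added example in Python, not code from the lexbox project or from this PR. It builds the same authorization request the debugger sends, checks the callback, prepares the token request, and validates the ID token claims a relying party must check before trusting the name in the payload. The endpoint URLs, client ID and scope are the ones in the steps; the redirect URI, the issuer value, and that lexbox accepts state, nonce and PKCE are assumptions. The HTTP calls are left to the caller so the helpers run offline, and the ID-token signature is deliberately not checked because the PR says the signing keys are still undecided.

```python
import base64
import hashlib
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Values given in the PR's "How to test" steps.
AUTHORIZE_URL = "http://localhost:3000/api/login/open-id-auth"
TOKEN_URL = "http://localhost:3000/api/login/token"
CLIENT_ID = "becf2856-0690-434b-b192-a4032b72067f"
SCOPE = "openid profile"
# ASSUMPTIONS (not stated on the page): the redirect URI registered for the
# debugger client, and the issuer value lexbox puts in its ID tokens.
REDIRECT_URI = "https://oidcdebugger.com/debug"
EXPECTED_ISSUER = "http://localhost:3000"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge (RFC 7636): base64url(sha256(verifier))."""
    return b64url_encode(hashlib.sha256(verifier.encode("ascii")).digest())


def new_attempt() -> dict:
    """Per-attempt secrets; the client keeps them in its session, not in the URL."""
    return {"state": secrets.token_urlsafe(16),
            "nonce": secrets.token_urlsafe(16),
            "code_verifier": secrets.token_urlsafe(48)}


def build_authorize_url(state: str, nonce: str, code_verifier: str) -> str:
    """Steps 2-9: the request the debugger sends to the authorize endpoint.
    state/nonce bind the response to this attempt and PKCE binds the code to
    this client; the page does not say whether lexbox requires them
    (assumption: it accepts them, as OIDC servers generally do)."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": SCOPE,
              "response_mode": "query", "state": state, "nonce": nonce,
              "code_challenge": pkce_challenge(code_verifier),
              "code_challenge_method": "S256"}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Pull the code out of the redirect back to REDIRECT_URI. An error
    response or a state that is not ours (CSRF / mix-up) is rejected."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    return query["code"][0]


def token_request(code: str, code_verifier: str) -> dict:
    """Form body for the POST to TOKEN_URL that yields the tokens of step 15."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "code_verifier": code_verifier}


def id_token_claims(id_token: str, expected_nonce: str, now=None) -> dict:
    """Decode the ID token payload (step 16) and check iss, aud, exp, nonce.
    The signature is NOT verified here: the PR leaves the signing keys (and so
    the JWKS location) undecided. Until it is, these claims are unverified."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    claims = json.loads(b64url_decode(parts[1]))
    now = time.time() if now is None else now
    aud = claims.get("aud")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token not issued to this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def bearer_headers(access_token: str) -> dict:
    """Header for GET /api/AuthTesting/requires-auth, as in the PR text."""
    return {"Authorization": f"Bearer {access_token}"}


# Constructed, unsigned sample so the decoder can be exercised offline.
# NOT a lexbox token; a real client must refuse alg "none".
SAMPLE_CLAIMS = {"iss": EXPECTED_ISSUER, "aud": CLIENT_ID, "exp": 4102444800,
                 "nonce": "n1", "name": "Test User"}
SAMPLE_ID_TOKEN = ".".join([b64url_encode(b'{"alg":"none"}'),
                            b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()), ""])
```

To drive the real flow, open `build_authorize_url(**new_attempt())` in a browser, feed the URL you are redirected to into `parse_callback`, POST `token_request(...)` as a form to `TOKEN_URL`, and pass the returned `id_token` to `id_token_claims` with the same nonce. Once the PR's key-storage question is settled, add signature verification against the published JWKS before trusting any claim.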

github-actions bot commented May 16, 2024

UI unit Tests: 11 tests in 3 suites (1 file); 11 passed, 0 failed, 0 skipped; 0s.

Results for commit aabb651.

(This comment has been updated with the latest results.)

github-actions bot commented May 16, 2024

C# Unit Tests: 57 tests in 11 suites (2 files); 57 passed, 0 failed, 0 skipped; 9s. No change (±0) against base commit 1ce357a.

Results for commit aabb651.

(This comment has been updated with the latest results.)

@hahn-kev hahn-kev requested review from myieye, rmunn and megahirt May 16, 2024 22:34
Code scanning / CodeQL flagged these lines:

```csharp
    .Add("appName", await applicationManager.GetDisplayNameAsync(application) ?? "Unknown app")
    .Add("scope", request.Scope ?? "")
    .Add("postback", data);
return Redirect($"/authorize{queryString.Value}");
```

Warning: URL redirection from remote source. Untrusted URL redirection due to a user-provided value.

Code scanning / CodeQL flagged these lines:

```csharp
    return BadRequest();
}

if (IsAcceptRequest())
```

Failure: User-controlled bypass of sensitive method. This condition guards a sensitive action, but a user-provided value controls it.
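The warning above concerns a redirect built from user-provided values. The page shows only the flagged lines, not how the ReturnUrl from step 11 of the test or the postback value is validated elsewhere, so nothing here says the alert is a true positive. The check a reviewer asks for on any user-supplied return URL, as an added example in Python (not lexbox code, whose controllers are C#): accept only a path on the current origin. The rules approximate those of ASP.NET Core's Url.IsLocalUrl as I understand them, which is an assumption; inside the project, call the framework helper rather than porting this.

```python
def is_local_url(url: str) -> bool:
    """True only for an absolute path on the current origin.

    Rejected: empty input; anything carrying a scheme or host
    ("https://evil.example/", "evil.example/login"); protocol-relative
    "//evil.example" and "/\\evil.example", which browsers resolve to a new
    host; and C0 control characters after the leading slash, which some URL
    parsers strip before interpreting the rest ("/\\t/evil.example").
    Assumption: this mirrors ASP.NET Core's Url.IsLocalUrl closely enough
    for review purposes; it is not the framework's implementation.
    """
    if not url:
        return False
    if url.startswith("~/"):            # ASP.NET app-relative form
        url = url[1:]
    if not url.startswith("/"):
        return False
    if len(url) > 1 and url[1] in "/\\":
        return False
    return not any(ord(c) < 0x20 for c in url[1:])


def safe_return_url(candidate: str, fallback: str = "/") -> str:
    """What a login/consent redirect should use: the candidate only when it is
    local, otherwise a fixed in-app fallback rather than an error page the
    attacker can also control."""
    return candidate if is_local_url(candidate) else fallback
```

The fixed `/authorize` path in the flagged line is already local; the question for review is where `postback` and the ReturnUrl end up after the consent page, and that is where `safe_return_url` (or the framework's equivalent) belongs.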
hahn-kev added 2 commits May 20, 2024 13:25
…was always null in `CompleteGoogleLogin` due to using the wrong property.
Review threads: backend/LexBoxApi/Auth/AuthKernel.cs (resolved); backend/LexBoxApi/Controllers/LoginController.cs (outdated, resolved); frontend/vite.config.ts (outdated, resolved)
@myieye (Contributor) commented May 28, 2024

I did a little design work on this.
Still reviewing...commit coming soon.

image

@myieye (Contributor) left a review comment

That's all the feedback I have. Everything seems to be working.
It's somewhat unbelievable that this all suddenly exists 😆 👏

Review threads: two threads on backend/LexBoxApi/Controllers/LoginController.cs (outdated, resolved)
hahn-kev added 2 commits May 28, 2024 09:59
# Conflicts:
#	backend/LexBoxApi/appsettings.Development.json
#	backend/LexData/Migrations/LexBoxDbContextModelSnapshot.cs
….cs, revert some changes made to vite.config.ts
@hahn-kev hahn-kev merged commit e3d7d16 into develop May 28, 2024
13 of 14 checks passed
@myieye myieye deleted the chore/openid-connect branch May 29, 2024 13:14