davidje13 / auth-backend
minimal API for integration with external authentication providers
License: MIT License
e.g. Okta:
It should be possible to configure multiple SAML providers simultaneously.
It may be desirable to provide a list of all retros within an organisation after logging in using SAML.
(migrated from davidje13/Refacto#18)
To allow easy integration with alternative authentication mechanisms, it should be possible to configure a trusted URL where it is assumed that if the user can reach the URL, they are trusted. This could be used with a proxy configured to require Mutual TLS for the configured path, for example.
```js
const config = {
  trustedEndpoint: {
    path: 'my-trusted-path',
    userIdHeader: 'X-Ssl-Cert-Hash',
  },
};
```
Which could be combined with an nginx config:
```nginx
# Request a client certificate but do not reject requests without one here;
# the location block below returns 403 for unverified clients on the trusted path only.
# (The original listed both "ssl_verify_client on;" and "ssl_verify_client optional;",
# which nginx rejects as a duplicate directive; "optional" is the one the if-check relies on.)
ssl_client_certificate /path/to/cert.crt;  # CA certificate(s) used to verify client certificates
ssl_verify_client optional;
location /ssoprefix/my-trusted-path {
  if ($ssl_client_verify != "SUCCESS") { return 403; }
  # Overwrites any client-supplied copy of the header with the verified certificate fingerprint.
  proxy_set_header X-Ssl-Cert-Hash $ssl_client_fingerprint;
  # proxy_pass to the auth backend goes here
}
```
It may be desirable to have other options than userIdHeader, such as userId for a fixed user ID for anybody able to reach the endpoint.
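The server-side counterpart of the trusted endpoint described above, as an added example (not the project's code): it yields a user ID only when the request arrived on the proxy-protected path, so the header is never honoured on any other route where nothing proves the proxy set it. Assumptions: the SSO prefix `/ssoprefix` from the nginx snippet, a request object with `path` and lowercase `headers` keys (Node's `IncomingMessage` shape), and the optional fixed `userId` setting mentioned above.

```javascript
// Added example, not code from davidje13/auth-backend.
const SSO_PREFIX = '/ssoprefix'; // assumed; matches the nginx location above

// Returns the trusted user ID for this request, or null if the request must
// not be treated as trusted. `config.trustedEndpoint` holds `path` plus either
// `userIdHeader` (proxy-set header carrying the identity) or a fixed `userId`.
function trustedEndpointUser(config, req) {
  const ep = config.trustedEndpoint;
  if (!ep || typeof ep.path !== 'string') return null;

  // Only the exact path behind the proxy's mTLS check is trusted. On every
  // other route the header could have been supplied by the client itself.
  if (req.path !== `${SSO_PREFIX}/${ep.path}`) return null;

  // Fixed identity for anybody able to reach the protected path.
  if (typeof ep.userId === 'string' && ep.userId !== '') return ep.userId;

  if (typeof ep.userIdHeader !== 'string') return null;
  // Node lowercases incoming header names; repeated headers arrive as an array
  // and are rejected rather than guessed at.
  const value = req.headers[ep.userIdHeader.toLowerCase()];
  if (typeof value !== 'string' || value.trim() === '') return null;
  return value.trim();
}

// Constructed sample config and requests for illustration.
const SAMPLE_CONFIG = {
  trustedEndpoint: { path: 'my-trusted-path', userIdHeader: 'X-Ssl-Cert-Hash' },
};
const SAMPLE_REQUESTS = {
  onTrustedPath: { path: '/ssoprefix/my-trusted-path', headers: { 'x-ssl-cert-hash': 'ab12cd34' } },
  spoofedElsewhere: { path: '/api/retros', headers: { 'x-ssl-cert-hash': 'ab12cd34' } },
  noHeader: { path: '/ssoprefix/my-trusted-path', headers: {} },
};
```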
Things to consider: authUrl property?

Alongside the Google & GitHub sign-in currently offered.
This appears to need a paid Apple Developer account, so probably won't be implemented.
(migrated from davidje13/Refacto#1)
Alongside the Google & GitHub sign-in currently offered.
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
(migrated from davidje13/Refacto#2)
GitLab seems to have updated their supported methods and now returns:
The authorization server does not support this response type.
This is mostly a client concern, but some server-side support will be needed for generating challenges.
Need to understand the create-account / login flows better; what is the challenge for in the create step? Seems to be focused on adding credentials to an existing account, but here we can consider it creating a new account with the new credentials. In this case, maybe the challenge is superfluous?
Server needs to be able to generate input params for the calls:
```js
const options = await fetch('/auth/webauthn').then((r) => r.json());
// Uint8Array (was misspelled UInt8Array, which is not a global and would throw)
let key = await navigator.credentials.get({ publicKey: { challenge: new Uint8Array(options.challenge) } });
if (!key) {
  key = await navigator.credentials.create(options.create);
  await fetch('/auth/webauthn', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ key: key.response.attestationObject }), // is clientDataJSON needed?
    // ...
  });
}
// we now (possibly) have a key which we can use to respond to a server challenge to exchange for a JWT
```
```json
{
  "challenge": [0, 0, 0, 0, 0, ..., 0],
  "create": {
    "publicKey": {
      "rp": {},
      "user": {},
      "pubKeyCredParams": []
    }
  }
}
```
The intended WebAuthn flow is still unclear; is the expected flow to create first (but with excludeCredentials somehow?) then always use the same get call with data and a challenge to perform the JWT exchange?