Etimo ID is a basic implementation of OAuth2, without all the bloat.
At a later stage, OpenID Connect will also be implemented.
See the Development wiki page for information on how to contribute to development.
A dotnet implementation of OAuth2.
Home Page: https://etimo.se
License: MIT License
It should have pretty good descriptions of all the inputs and outputs of the system.
Add a worker that cleans up expired authorization codes, refresh tokens and access tokens.
We need someplace to register an account.
Create a Dockerfile that runs this project.
Add a "Logo" field where one can upload a base64 encoded image.
Add an AuditLog controller and log events here, e.g. successful/failed authentications.
A user should be able to fetch his/her own logs.
The Application should decide which flows to allow.
When opening the solution in Visual Studio 2019 with ReSharper, there are a lot of errors regarding code style.
We want ReSharper to respect the .editorconfig file. Is it missing settings or can ReSharper be configured to respect it fully?
An Application should be able to have more than one RedirectUri.
redirect_uri should be validated against the existing RedirectUris.
Allow a client to generate a certificate with a public and private key instead of using a client secret.
Only keep the public key on the server, and return the private key in the response.
Also allow the client itself to upload just a public key for a pre-generated certificate (in case the client does not trust us to generate a certificate).
This is just to be OAuth2 compliant.
It should be disabled by default.
Currently only the authorization code flow will generate a refresh token.
Make it work for all flows and let the Application decide which flows to enable refresh token for.
By default, it should only be enabled for authorization code flow.
It should be possible to have different lifetimes depending on grant type.
When we release v1.0, we want etimo-id to be automatically deployed every time we release a new version.
AWS?
If an auth code or refresh token is used more than once, create an audit log of the incident.
Issuer should be e.g. https://id.etimo.se/my-application
This is needed for e.g. fetching openid connect configuration, since it is not the same for all applications.
When logging in with Blazor, this url gets called:
https://localhost:5011/oauth2/authorize?client_id=11111111-1111-1111-11111111111111111
&redirect_uri=https%3A%2F%2Flocalhost%3A5012%2Fauthentication%2Flogin-callback
&response_type=code
&scope=openid%20profile
&state=4189f1c5eb134962ab3998ae3e882abd
&code_challenge=dJBLgGeU1VJt0R55orSTpYhkAl8IIMvSRnDBZrtPLuA
&code_challenge_method=S256
&prompt=none
&response_mode=query
It returns 400 today. Make it work.
Add a GitHub action that creates a code coverage report.
Upload it to codecov.io
While the rate limiter will stop the worst brute forcing, it will still allow an intruder to brute force a single user's account.
Add a "FailedAttempts" field to the user that increments when someone fails to login to that user account.
If the login fails more than X times (according to appsettings.json setting), ban that user from logging into that account for Y minutes (appsettings.json).
Store the banned ip (with the target userId) in distributed memory, and stop the user from logging in early in the request pipeline.
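The counter-plus-ban scheme described above, written out as an added Python example (not the project's C# code). The settings names, the `User` shape, the in-memory dictionary standing in for the distributed cache, and the injectable clock are all assumptions made for the demo; the lockout event is also appended to an audit list, in line with the later note about logging repeated failures.

```python
import time
from dataclasses import dataclass

# Stand-ins for the appsettings.json values ("X" and "Y" above); the names are assumed.
MAX_FAILED_ATTEMPTS = 5   # X: lock once the user has failed more than this many times
LOCKOUT_MINUTES = 15      # Y


@dataclass
class User:
    user_id: str
    password: str          # plaintext only to keep the demo short; real code stores a hash
    failed_attempts: int = 0


class LoginGuard:
    """Per-user failure counter plus an (ip, user_id) ban table that the request
    pipeline consults before the password is ever compared."""

    def __init__(self, max_attempts=MAX_FAILED_ATTEMPTS,
                 lockout_minutes=LOCKOUT_MINUTES, clock=time.time):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_minutes * 60
        self.clock = clock
        self.bans = {}        # (ip, user_id) -> expiry; stands in for the distributed cache
        self.audit_log = []   # (event, ip, user_id, timestamp) tuples

    def is_banned(self, ip, user_id):
        """Early-pipeline check: cheap lookup, no database or password work."""
        expiry = self.bans.get((ip, user_id))
        if expiry is None:
            return False
        if expiry <= self.clock():
            del self.bans[(ip, user_id)]   # expired entries are dropped lazily
            return False
        return True

    def attempt_login(self, ip, user, password):
        """Return 'banned', 'ok', 'failed' or 'locked'."""
        now = self.clock()
        if self.is_banned(ip, user.user_id):
            return "banned"
        if password == user.password:    # use a constant-time hash comparison in real code
            user.failed_attempts = 0     # a successful login resets the counter
            return "ok"
        user.failed_attempts += 1
        if user.failed_attempts > self.max_attempts:
            self.bans[(ip, user.user_id)] = now + self.lockout_seconds
            self.audit_log.append(("lockout", ip, user.user_id, now))
            user.failed_attempts = 0     # the count starts over once the ban has expired
            return "locked"
        self.audit_log.append(("login_failed", ip, user.user_id, now))
        return "failed"
```

Because the counter lives on the user while the ban is keyed on the (ip, userId) pair, an attacker who rotates source addresses still trips the per-user counter and earns a fresh ban for each address; the rate limiter mentioned above covers the volume side.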
Add support for prompt parameter on GET /authorize request.
The Authorization Server MUST NOT display any authentication or consent user interface pages.
An error is returned if:
The error code will typically be login_required, interaction_required, or another code defined in Section 3.1.2.6. This can be used as a method to check for existing authentication and/or consent.
The Authorization Server SHOULD prompt the End-User for reauthentication. If it cannot reauthenticate the End-User, it MUST return an error, typically login_required.
The Authorization Server SHOULD prompt the End-User for consent before returning information to the Client. If it cannot obtain consent, it MUST return an error, typically consent_required.
The Authorization Server SHOULD prompt the End-User to select a user account. This enables an End-User who has multiple accounts at the Authorization Server to select amongst the multiple accounts that they might have current sessions for. If it cannot obtain an account selection choice made by the End-User, it MUST return an error, typically account_selection_required.
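An added Python example (not code from the etimo-id project) covering two of the issues above: it parses the Blazor authorize request quoted earlier (same parameter values, joined onto one line), decides what the prompt parameter requires given a hypothetical session state, and verifies an S256 PKCE code_challenge the way the token endpoint would. The `Session` class and the action names it returns are assumptions for the demo.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# The Blazor request quoted above, joined onto one line (parameter values are the page's own).
EXAMPLE_AUTHORIZE_URL = (
    "https://localhost:5011/oauth2/authorize?client_id=11111111-1111-1111-11111111111111111"
    "&redirect_uri=https%3A%2F%2Flocalhost%3A5012%2Fauthentication%2Flogin-callback"
    "&response_type=code&scope=openid%20profile&state=4189f1c5eb134962ab3998ae3e882abd"
    "&code_challenge=dJBLgGeU1VJt0R55orSTpYhkAl8IIMvSRnDBZrtPLuA"
    "&code_challenge_method=S256&prompt=none&response_mode=query"
)
KNOWN_PROMPTS = {"none", "login", "consent", "select_account"}


@dataclass
class Session:
    """Hypothetical server-side view of the end user behind the request."""
    authenticated: bool
    consented_scopes: frozenset


def parse_authorize_request(url):
    """Flatten the query string; a parameter given twice is rejected (RFC 6749 §3.1)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    duplicated = [name for name, values in params.items() if len(values) > 1]
    if duplicated:
        raise ValueError(f"duplicate parameter(s): {duplicated}")
    return {name: values[0] for name, values in params.items()}


def evaluate_prompt(req, session):
    """Decide what the authorize endpoint does for this prompt value.

    Returns ("ok", action) with action one of issue_code, show_login, show_consent,
    show_account_picker, or ("error", code) with the OIDC error code to send back.
    """
    prompts = set(req.get("prompt", "").split())
    if not prompts <= KNOWN_PROMPTS or ("none" in prompts and len(prompts) > 1):
        return ("error", "invalid_request")  # unknown value, or none combined with others
    requested = frozenset(req.get("scope", "").split())
    consent_missing = not requested <= session.consented_scopes
    if "none" in prompts:
        # No UI may be shown: report which interaction would have been needed.
        if not session.authenticated:
            return ("error", "login_required")
        if consent_missing:
            return ("error", "consent_required")
        return ("ok", "issue_code")
    if "login" in prompts or not session.authenticated:
        return ("ok", "show_login")
    if "select_account" in prompts:
        return ("ok", "show_account_picker")
    if "consent" in prompts or consent_missing:
        return ("ok", "show_consent")
    return ("ok", "issue_code")


def make_s256_challenge(code_verifier):
    """code_challenge = BASE64URL(SHA256(code_verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_verifier_matches(code_verifier, code_challenge):
    """Token-endpoint side: recompute the challenge from the presented verifier."""
    return hmac.compare_digest(make_s256_challenge(code_verifier), code_challenge)
```

For the quoted request, prompt=none with no existing session yields login_required rather than a 400, which is what a Blazor silent-login attempt expects to receive at its redirect_uri.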
For GDPR reasons. Even if IP addresses aren't considered personal data, the IP address is likely unusable after 30 days anyway.
Remove the if-statement in controllers where the "admin" role overrides the scopes.
Since roles will not grant access to the appropriate scopes, admins will have the scopes necessary to administer the resources.
We should be able to add roles.
User N-N Role
Roles should be used when issuing JWT tokens.
Built-in roles:
Admin -> admin: scopes
User -> read: + write: scopes
As per https://tools.ietf.org/html/rfc6749#section-4.1.2.1
When using authorization code flow, the client needs to be informed about errors by way of query parameters instead of using exceptions and json responses.
Create a new Required attribute called "OAuthRequiredAttribute" that takes a parameter "ErrorInQueryComponent = true".
If true, we will not throw a 400 bad request if the parameter is missing, but instead return the error as part of the query component.
Use PlantUML images for the flow pages.
It should contain information about how to write bug reports, how to format commit messages, etc.
Add Scope support to Applications.
Asking for a specific Scope in an auth request should validate against the Application.
The asked for Scope should be saved in the AuthorizationCode and the RefreshToken.
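An added Python example (illustrative, not the project's C# attribute) tying together the RFC 6749 §4.1.2.1 issue above, the earlier note that a missing state means no state in the redirect, and the per-Application Scope validation just described. The `APPLICATIONS` registry, its field names and the sample second redirect URI are constructed for the demo; the example handles only the authorization code flow.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed Application registry: client_id -> allowed RedirectUris and Scopes.
# Field names are assumed; the page only says both lists belong to an Application.
APPLICATIONS = {
    "11111111-1111-1111-11111111111111111": {
        "redirect_uris": {
            "https://localhost:5012/authentication/login-callback",
            "https://app.example.test/callback",
        },
        "scopes": {"openid", "profile", "read:user"},
    },
}
REQUIRED = ("client_id", "redirect_uri", "response_type")


def redirect_uri_allowed(client_id, redirect_uri):
    """Exact match against the Application's registered list; no prefix or wildcard."""
    app = APPLICATIONS.get(client_id)
    return app is not None and redirect_uri in app["redirect_uris"]


def error_redirect(redirect_uri, error, description, state):
    """Build the RFC 6749 §4.1.2.1 error redirect, appending to any existing query."""
    parts = urlsplit(redirect_uri)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query += [("error", error), ("error_description", description)]
    if state is not None:  # no state in the request -> no state in the redirect
        query.append(("state", state))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def validate_authorize_request(req):
    """Return ("status", 400) when the error must not be sent to the client,
    ("redirect", location) with the error in the query component, or
    ("ok", granted_scopes) when the request passes."""
    client_id = req.get("client_id")
    redirect_uri = req.get("redirect_uri")
    # A bad client_id or redirect_uri can never be redirected (the destination itself
    # is untrusted), so those cases stay a plain 400 instead of a query-component error.
    if not redirect_uri_allowed(client_id, redirect_uri):
        return ("status", 400)
    state = req.get("state")
    missing = [p for p in REQUIRED if not req.get(p)]
    if missing:
        return ("redirect", error_redirect(redirect_uri, "invalid_request",
                                           "missing " + ", ".join(missing), state))
    if req["response_type"] != "code":   # this example only covers the code flow
        return ("redirect", error_redirect(redirect_uri, "unsupported_response_type",
                                           "only response_type=code is handled", state))
    requested = set(req.get("scope", "").split())
    allowed = APPLICATIONS[client_id]["scopes"]
    if not requested <= allowed:
        unknown = ", ".join(sorted(requested - allowed))
        return ("redirect", error_redirect(redirect_uri, "invalid_scope",
                                           "not registered: " + unknown, state))
    return ("ok", sorted(requested))


def query_of(location):
    """Helper for inspecting a built redirect: its query as a dict."""
    return dict(parse_qsl(urlsplit(location).query, keep_blank_values=True))
```

The ordering matters: client_id and redirect_uri are checked before anything is redirected, so the error channel can never be pointed at an address the Application did not register.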
Make frontend with Blazor.
This is needed for Blazor to be able to login.
https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
Add a test project. Anything to get us started with testing.
Currently, we only return the scope if the scope was specified.
Always return the scope that was granted. It is extractable from the access token itself, so we should include the information in the response as well.
Applications should be allowed to explicitly allow the use of client_id/client_secret in the request body.
This is for clients that have problems with using basic authentication in headers.
We want to restructure the project into the following:
./
certs/ # development certificates
components/ # our nuget packages
docs/ # documentation files
uml/ # uml diagrams
samples/ # samples / examples
scripts/ # helper scripts for developing / running
src/ # source code for main project
test/ # test projects
It seems scopes are doubled when scope is not specified in authorization code flow.
When login fails more than 3 times -- create an audit log of the incident.
It should be possible to limit the scope of these flows as well.
It should propagate into refresh_tokens also, if they are set to generate.
Update endpoints to not include child objects when you get all resources.
If the request does not contain a state, the redirect uri should not contain a state either.
The scopes must be unique to etimo-id.
Otherwise, if "admin:user" is also used by a client, we could potentially create problems.
After cloning the project (i.e. no artifacts folder), you run the update-database.csx script.
It won't work.
You have to do the following:
dotnet build
dotnet ef database update -v -p src/Etimo.Id.Data -s src/Etimo.Id.Api --msbuildprojectextensionspath artifacts/obj/Etimo.Id.Data
dotnet ef database update -v -p src/Etimo.Id.Data -s src/Etimo.Id.Api --msbuildprojectextensionspath artifacts/obj/Etimo.Id.Api
The first update will fail, the second will succeed. Then you only need to run the second one for it to succeed.
In the case of the Application resource, create ApplicationQueryOptions that inherits from QueryOptions.
QueryOptions should contain information about pagination (skip, take).
ApplicationQueryOptions should contain filtering information that is specific to the Application entity.
There might not be any filtering options for Applications right now, but there might be later, and it is best to keep it consistent.
Do this for all resources.
Some response parameters are generated by the server. It should be obvious on swagger what length these parameters have:
If a user gets locked, it should be possible for an admin (or the user itself, with a valid token) to unlock it.
PUT /users/{id}/unlock
It should be PUT since we are updating a state, and the call is idempotent.
GET /auditlogs
Should return a list of all auditlogs (if admin), or a list of all auditlogs belonging to the caller (user), if the caller is missing the admin scope.
GET /users/<id>/auditlogs
Should return a list of all the auditlogs related to that user.
GET /applications/<id>/auditlogs
Should return a list of all auditlogs for the application.