ihton / verdaccio-azure-ad-login Goto Github PK


License: MIT License

TypeScript 97.45% JavaScript 2.55%
hacktoberfest hacktoberfest2021 microsoft verdaccio verdaccio-plugin authentication azure-active-directory

verdaccio-azure-ad-login's Introduction

Verdaccio Auth via Azure Active Directory

Let your users authenticate into Verdaccio via Azure AD OAuth 2.0 API


Install

As simple as running:

$ npm install -g verdaccio-azure-ad-login

Configure

auth:
    azure-ad-login:
        # REQUIRED, Azure application tenant
        tenant: ""
        # REQUIRED, Azure client_id
        client_id: ""
        # REQUIRED, Azure application client_secret
        client_secret: ""
        # OPTIONAL, default email domain for accounts, example: organization.com
        organization_domain: ""
        # OPTIONAL, custom azure scope for users
        # Standard scope: user.read openid profile offline_access
        # Other permissions added here will be added to the end of the standard one
        scope: ""
        # OPTIONAL, users of these groups will be allowed to authenticate
        # This requires the App to have GroupMember.Read.All permission:
        # https://docs.microsoft.com/en-us/graph/api/user-getmembergroups?view=graph-rest-1.0&tabs=http
        allow_groups:
          - "developer"

Logging In

To log in using NPM, run:

    npm adduser --registry https://your.registry.local

Because the Azure Active Directory username is an email address and npm usernames cannot contain @, replace the @ with two periods (..).
Example: usermail..organization.com

The address will be parsed and converted to a normal email address for authentication.

You can set organization_domain if most or all of your users share the same email provider or your own mail server. In that case users can log in with just the local part (the id) of their email address as the npm username, and can still override the default domain with the .. convention described above.
Example:

auth:
    azure-ad-login:
        organization_domain: 'organization.com'

User example email: [email protected]
Local part: own_email
The user will be able to log in using own_email as the npm username.
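As an added example (not the plugin's own code), the username-to-email resolution described above can be implemented as follows; the function name and the LoginConfig shape are assumptions, only the `organization_domain` key comes from the README:

```typescript
// Added example, not part of verdaccio-azure-ad-login: turn the npm username
// Verdaccio receives into the email address that is sent to Azure AD.
// Rules from the README: ".." stands for "@" (npm usernames cannot contain "@"),
// and a bare local part is completed with the configured organization_domain.

interface LoginConfig {
  organization_domain?: string; // OPTIONAL default mail domain, as in config.yaml
}

// Returns the resolved address, or null when the username cannot be mapped
// (no domain given and none configured, or a malformed ".." form).
function usernameToEmail(username: string, cfg: LoginConfig): string | null {
  const name = username.trim();
  if (name.length === 0) return null;

  // "user..example.com" -> "user@example.com"; an explicit domain always wins
  // over organization_domain.
  const sep = name.indexOf("..");
  if (sep !== -1) {
    const local = name.slice(0, sep);
    const domain = name.slice(sep + 2);
    // Reject an empty local part, an empty domain, or a second ".." marker.
    if (local.length === 0 || domain.length === 0 || domain.includes("..")) {
      return null;
    }
    return `${local}@${domain}`;
  }

  // No ".." present: the bare local part is only usable with a default domain.
  if (!cfg.organization_domain) return null;
  return `${name}@${cfg.organization_domain}`;
}
```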

How does it work?

A user provides the login and password they use to authenticate against Azure Active Directory. Verdaccio grants access only if the user is in at least one of the groups listed in the "allow_groups" option.

This option provides a way to specify which teams, and which roles within them, should be authorized by Verdaccio. If a team name is set without roles, any role grants a successful sign-in for the user. Conversely, if roles are specified within the team, Verdaccio checks whether the signed-in user has an appropriate role in the team.

After this, it becomes possible to configure team-based access.
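As an added example (not the plugin's own code), this is the admission rule the section describes: an authenticated user is let in only when at least one of their Azure AD groups appears in allow_groups, and absent allow_groups admits every authenticated user. The function name, the Decision shape, case-insensitive group matching, and appending the matched groups to the always-present azuread group are assumptions beyond the README.

```typescript
// Added example, not part of verdaccio-azure-ad-login: decide whether an
// Azure AD user who has ALREADY authenticated may be admitted, following the
// README's allow_groups rule, and build the group list handed to Verdaccio.

interface GroupPolicy {
  allow_groups?: string[]; // OPTIONAL in config.yaml; absent means any authenticated user
}

interface Decision {
  allowed: boolean;
  groups: string[]; // Verdaccio groups on success; "azuread" is always included
}

// aadGroups: group names the plugin retrieved for the user via Microsoft Graph
// (GroupMember.Read.All permission, as the README notes). Constructed here by
// the caller; no network access in this example.
function authorizeByGroups(aadGroups: string[], policy: GroupPolicy): Decision {
  const allow = policy.allow_groups ?? [];

  // No allow list configured: every authenticated AAD user is admitted.
  if (allow.length === 0) {
    return { allowed: true, groups: ["azuread"] };
  }

  // Assumption: group display names are compared case-insensitively.
  const allowSet = new Set(allow.map((g) => g.toLowerCase()));
  const matched = aadGroups.filter((g) => allowSet.has(g.toLowerCase()));

  // Not in any allowed group: deny and hand Verdaccio no groups at all.
  if (matched.length === 0) {
    return { allowed: false, groups: [] };
  }

  // Admitted: "azuread" (the README's default group) plus the matched groups,
  // so package rules can reference them (assumption beyond the README).
  return { allowed: true, groups: ["azuread", ...matched] };
}
```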

Package Access

By default, all users authenticated via Azure AD are members of the azuread group.

packages:
  '**':
    access: $all
    publish: azuread # only Azure AD authenticated members will be allowed to publish

verdaccio-azure-ad-login's People

Contributors

aziztitu, fxmatalgaba, ihton

verdaccio-azure-ad-login's Issues

Plugin not found

I'm getting a "Plugin not found" error with this module. I read that if a plugin is not valid, it shows this message as well. Does this need to get updated to the latest Verdaccio?

I installed another plugin, verdaccio-activedirectory, which loads correctly, and both are getting installed to the same location.

E409 Conflict - Unclear message on wrong credentials

When using wrong credentials to log in, the plugin won't override the "addUser" callback, falling back to any other plugin. This makes Verdaccio send whatever message comes from the other plugins, so it is not clear to the end user what happened with their credentials.

For example, if we have registration disabled on the htpasswd plugin while using azure-ad-login the message displayed would be:
409 Conflict - PUT http://domain.com/-/user/org.couchdb.user:username - user registration disabled

Adding the addUser endpoint and sending a custom error message should enhance this behaviour.
Being able to send a custom message without breaking the addUser flow for other plugins would be perfect, if possible.

Doc URL: https://verdaccio.org/docs/plugin-auth/#adduser-callback
Extra Info: verdaccio/verdaccio#441

Verdaccio registry login is not working with MFA enabled user in AAD

Hi, I have configured Verdaccio in App Service and integrated it with AAD. The issue is that MFA-enabled users are not able to log in, while users without MFA are able to log in to the Verdaccio registry.

Below is the log:

error--- Error authentication in Azure >> Error: Failed requesting Azure AD access token: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'.

And below is the config file:

# It allows all users to do anything, so don't use it on production systems.
#
# Do not configure host and port under `listen` in this file
# as it will be ignored when using docker.
# see https://verdaccio.org/docs/en/docker#docker-and-custom-port-configuration
#
# Look here for more config file examples:
# https://github.com/verdaccio/verdaccio/tree/master/conf
#

# path to a directory with all packages
storage: /verdaccio/storage/data
# path to a directory with plugins to include
plugins: /verdaccio/plugins

web:
  # WebUI is enabled as default, if you want to disable it, just uncomment this line
  #enable: false
  title: Verdaccio
  # comment out to disable gravatar support
  # gravatar: false
  # by default packages are ordered ascending (asc|desc)
  # sort_packages: asc

auth:
  #htpasswd:
   # file: /verdaccio/storage/htpasswd
    # Maximum amount of users allowed to register, defaults to "+infinity".
    # You can set this to -1 to disable registration.
    # max_users: 1000
  azure-ad-login:
    # REQUIRED, Azure application tenant
    tenant: "***************************"
    # REQUIRED, Azure client_id
    client_id: "***************************"
    # REQUIRED, Azure application client_secret
    client_secret: "********************************"
    # OPTIONAL, default email domain for accounts, example: organization.com
    organization_domain: "abc.com"
    # OPTIONAL, custom azure scope for users
    # Standard scope: user.read openid profile offline_access
    # Other permissions added here will be added to the end of the standard one
    scope: ""
    # OPTIONAL, users of these groups will be allowed to authenticate
    # This requires the App to have GroupMember.Read.All permission:
    # https://docs.microsoft.com/en-us/graph/api/user-getmembergroups?view=graph-rest-1.0&tabs=http

    #allow_groups:
    #  - "Developer"

security:
  api:
    jwt:
      sign:
        expiresIn: 60d
        notBefore: 1
  web:
    sign:
      expiresIn: 7d
      notBefore: 1

# a list of other known repositories we can talk to
uplinks:
  npmjs:
    url: https://registry.npmjs.org/

packages:
  '@*/*':
    # scoped packages
    access: $authenticated
    publish: $authenticated
    unpublish: $authenticated
    proxy: npmjs

  '**':
    # allow all users (including non-authenticated users) to read and
    # publish all packages
    #
    # you can specify usernames/groupnames (depending on your auth plugin)
    # and three keywords: "$all", "$anonymous", "$authenticated"
    access: $authenticated

    # allow all known users to publish/publish packages
    # (anyone can register by default, remember?)
    publish: $authenticated
    unpublish: $authenticated

    # if package is not available locally, proxy requests to 'npmjs' registry
    proxy: npmjs

middlewares:
  audit:
    enabled: true

# log settings
logs:
  - { type: stdout, format: pretty, level: http }
  #- {type: file, path: verdaccio.log, level: info}

Potential security risk.

The plugin, as it stands, outputs the user's login name and password to logger.debug (in index.ts).

Couldn't this potentially expose every single user's Active Directory credentials in a plaintext file?

I'm no expert, but it seems as if having this line at least commented out by default (if not removed completely) would be a more secure option in a published package.

Suggestion - Log error_description in requestToken

Just wanted to provide some feedback on my experience with getting Azure set up correctly for this plugin. I will note before doing this that I've never had any experience with Azure, so I've been learning as I go. People more experienced with Azure would probably not run into the small setbacks I had.

While trying to get this to work, I kept getting a 401 response from requestToken. I wasn't sure if it was because my config was wrong or if I didn't properly set up something in Azure. I went in and added a console.log(error) to the catch in requestToken. I found that provided a very useful description of what was wrong: error.data.error.error_description.

I think if this could be logged by Verdaccio by default, that would greatly aid future users in getting everything set up. It helped guide me through each step to get Azure to allow my application. Here are some examples of the error_descriptions:

 error_description: 'AADSTS7000215: Invalid client secret is provided.\r\n' +
        'Trace ID: a54987ef-9412-4f90-90db-2ae821715d00\r\n' +
        'Correlation ID: 1ade5c99-eea7-4311-9052-5b0397d94d86\r\n' +
        'Timestamp: 2021-02-24 20:15:05Z',
error_description: "AADSTS65001: The user or administrator has not consented to use the application with ID 'XXXXX' named 'Verdaccio'. Send an interactive authorization request for this user and resource.\r\n" +
        'Trace ID: 83f9eadf-f822-4976-95c5-223524335f00\r\n' +
        'Correlation ID: 339214ad-7976-44dc-adb6-41252c20fcd5\r\n' +
        'Timestamp: 2021-02-24 20:17:58Z',

This would be useful at least in debug mode.

Thanks again! This plugin is great and I'm so glad I don't have to make everyone accounts manually with htpasswd.

Unable to get the plugin working!

Can someone please tell me if the plugin works?
I am unable to get it working, as it always says "bad username/password, access denied".
