iridiumidentity / iridium Goto Github PK

Is your feature request related to a problem? Please describe.
As a developer, I'd like to easily stand up and demonstrate the capabilities of Iridium for use with the Angular framework

Describe the solution you'd like
I'd like documentation and supporting code to help me get started with Iridium and an angular client as easily as possible.

Describe alternatives you've considered
n/a

Additional context
n/a

Is your feature request related to a problem? Please describe.

Because an SMTP server is needed to run with Iridium, standing the system up for experimenting and learning is not easy.

Describe the solution you'd like
I'd like an easy way to experiment with Iridium without needing to stand up an SMTP server.

Describe alternatives you've considered
We've thought about finding a way to print the email records to a log. Not sure how easy that would be to parse through manually.

Additional context
We found https://github.com/gessnerfl/fake-smtp-server. This may be a good starting point.

Is your feature request related to a problem? Please describe.
Why tenants exist in Iridium isn't clear.

Describe the solution you'd like

Describe alternatives you've considered

Additional context

Is your feature request related to a problem? Please describe.
As a developer, I'd like to be able to use Iridium with the Flask framework.

Describe the solution you'd like
We should add a client module with the project under the name iridium-client-flask. That uses a client credentials grant

The client should be able to be configured with a few parameters to run

• clientId
• clientSecret
• domain

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Is your feature request related to a problem? Please describe.
The current set of docs does not support versioning. As the project grows, we will need snap shots of documentation related to the different versions of Iridium.
Describe the solution you'd like
I'd like to implement a library or system for versioning our site.

Describe alternatives you've considered
N/a

Additional context
We are looking into using mike in combination with mkdocs

Is your feature request related to a problem? Please describe.
// todo @joshfischer1108

Describe the solution you'd like
The way I currently understand this problem is one of complexity. You have many different options for starting, running, and configuring iridium and all of them require a number of steps. Building a "1-click" solution is about eliminating these options so that future users / developers can get started using iridium quickly and easily.

Describe alternatives you've considered

Additional context

Is your feature request related to a problem? Please describe.
Several people have asked about the end in mind for Iridium.

Describe the solution you'd like
Let's try to build a roadmap for Iridium in GitHub

Describe alternatives you've considered
n/a

Additional context
n/a

Is your feature request related to a problem? Please describe.
Currently the login box is hardcoded with the Iridium logo. We need to make this dynamic so that we can allow users to set a custom logo for each of their tenants.

Describe the solution you'd like
A way for a user to upload a logo and it to be presented correctly on the login page, per tenant.

Describe alternatives you've considered
n/a

Additional context
n/a

Is your feature request related to a problem? Please describe.
We need to add test coverage to our Next.js client.

Describe the solution you'd like
Adding unit tests as needed to get test code coverage

Describe alternatives you've considered
n/a

Additional context
This is a great way to get familiar with code base and the authorization code flow exchange

The current code base will compile but will fail as we do not have properties configured in the code base. We need to:

• document properties needed
• Add a template for users to show usage

Is your feature request related to a problem? Please describe.
I don't have a way to easily use iridium with an angular client.

Describe the solution you'd like
I'd like an angular-compatible library for use with the system.

Describe alternatives you've considered
Hand rolling all the features of implementing auth across clients can be tricky. I'd like for Iridium to give an implementation I can use.

Additional context
None.

We pass request parameters as a map through various service methods. This causes duplicated, hard-to-read code. We should remove the use of a map of parameters and explicitly call them out in the function definition.

An example of what needs to be removed is : here

This should not break or enhance any feature at this point. It should only clean up the code to make it more readable and maintainable.

It's not clear to users how they install or use iridium. As a first step to this, we need to build an install script to make the process easier for consumers to use iridium.

• The install script needs to take into account externalizing properties.
• The install script must support running iridium locally as a first pass.

Describe the bug
Iridium does not successfully authorize after redirect when using docker container

To Reproduce
Steps to reproduce the behavior, (we are assuming you have the CLI installed in the root folder of the project)

1. Update the file

tools/schedulers/compose/local-iridium-compose.yml

with the docker image iridiumidentity/iridium-core-server-nightly:latest

2. Stand up iridium via compose

$ docker compose -f tools/schedulers/compose/local-iridium-compose.yml up [-d] 

3. init the database

$ cd iridium-0.1.4-bin
$ ./bin/iridium init \
--host=localhost \
--port=3306 \
--user=root \
--password \
--allow-github=true

4. Enter database password, GitHub client ID, and client Secret in CLI prompts
5. Take generated management app id and replace the YOUR_CLIENT_ID in the following file

${projectRoot}/iridium-angular-client/projects/iridium-ui/src/environments/environment.ts 

6. Start the management app

cd iridium-angular-client && ng build ngx-iridium-client && ng serve

7. Attempt to log in with the GitHub provider and you'll see an error message in the iridium management UI that states There was an error retrieving access token

Expected behavior
The user should be redirected from the GitHub to localhost:4200/callback, and access_token created and redirected to localhost:4200/dashboard to finalize the login flow.

Screenshots
none

Desktop (please complete the following information):

• OS: OSX
• Browser: Chrome,
• Version 112.0.5615.137

Additional context
This problem was discovered by @rwithers

Is your feature request related to a problem? Please describe.
Understanding what Irudium is all about.

Describe the solution you'd like
A simple architecture diagram and table or list of the software components would help newcomers like me understand what's going on.

Describe alternatives you've considered
I could hack around, but I suspect that it would be quickly frustrating.

Is your feature request related to a problem? Please describe.
The angular build process is not managed by Maven, our main build tool. I'd like a way to run mvn package and have the Angular client built by proxy with Maven. We should still be able to run individual npm commands in the angular client module. E.g. npm install.

Describe the solution you'd like
We need to make the Angular client a Maven module.

Describe alternatives you've considered
I'm open to other suggestions.

Additional context
n/a

Is your feature request related to a problem? Please describe.
As someone wanting to try out Iridium, I find it hard to spin up an instance quickly.

Describe the solution you'd like
I'd like a way to learn about the functionality of Iridium and how I can use it without needing to spin up technical resources manually.

Describe alternatives you've considered

• https://www.gitpod.io - could be a good solution for this problem.
• An example of use with gitpods is here: https://github.com/MarquezProject/marquez#try-it
• Docker Dev Containers could be a solution.

Additional context

Describe the bug
The documentation on how to register a GitHub application isn't clear on the callback URL. We need to clarify how to correctly enter this information.

To Reproduce
Read the documentatioun

Link is here: https://docs.iridium.software/0.2.1/5.-External-Identity-Providers/create-github-application/

Is your feature request related to a problem? Please describe.
As we are deprecating the use of local users and passwords in the system, we will no longer need to notify users about password changes, new accounts, etc.

Describe the solution you'd like
We should remove the SMTP configuration, and functions from the project

Describe alternatives you've considered
n/a

Additional context
n/a

Is your feature request related to a problem? Please describe.
As a developer, I'd like to use Iridium on my React project.

Describe the solution you'd like
I'd like a client to use with React to implement an authorization code flow exchange from the browser.

Describe alternatives you've considered
If we don't build the client, others will have to manually execute all of the steps to run an authorization code flow, it's not super straightforward to the average user.

Additional context
An example of how this could be done is in this PR.

Could #142 be used as both a React and Next.js client since Next.js uses React? What issues would we run into?

Is your feature request related to a problem? Please describe.
The Next.js client build process is not managed by Maven, our main build tool. I'd like a way to run mvn package and have the Next.js client built by proxy with Maven. We should still be able to run individual npm commands in the next.js client module. E.g. npm install.

Describe the solution you'd like
We need to make the Angular client a Maven module.

Describe alternatives you've considered
I'm open to other suggestions.

Additional context
n/a

Describe the bug
When I try to reset my password from the main login screen, I'm routed to the incorrect view.

To Reproduce
Steps to reproduce the behavior:

1. Go to Sign in through any application
2. Click on 'reset password'

Expected behavior
A screen that asks for a user email to start the password reset process.

Screenshots
after clicking reset password above I'm routed to this page.

Additional context
n/a

Is your feature request related to a problem? Please describe.
I'd like a way to be able to refresh my bearer token without re-logging in.

Describe the solution you'd like
We need to implement a feature to enable the use of refresh tokens.

Describe alternatives you've considered
n/a

Additional context
https://www.rfc-editor.org/rfc/rfc6749#section-1.5

Describe the bug
When you build the project with the typical mvn clean package command the assembly plugin prints out warnings complaining of line length.

To Reproduce
Steps to reproduce the behavior:

1. run mvn clean package
2. See warnings

[INFO] Reading assembly descriptor: src/assembly/src.xml
[INFO] Building tar: /Users/joshfischer/Source/iridium/iridium/iridium-cli/target/iridium-0.1.4-src.tar.gz
[WARNING] Entry: iridium-0.1.4-src/iridium-angular-client/projects/iridium-ui/src/app/components/confirmation-dialog/ longer than 100 characters.
[WARNING] Resulting tar file can only be processed successfully by GNU compatible tar commands
[WARNING] Entry: iridium-0.1.4-src/iridium-angular-client/projects/iridium-ui/src/app/components/dashboard/content/application-overview/ longer than 100 characters.
[WARNING] Entry: iridium-0.1.4-src/iridium-angular-client/projects/iridium-ui/src/app/components/dashboard/content/api-overview/ longer than 100 characters.
[WARNING] Entry: iridium-0.1.4-src/iridium-angular-client/projects/iridium-ui/src/app/components/dashboard/content/system-overview/ longer than 100 characters.
[WARNING] Entry: iridium-0.1.4-src/iridium-angular-client/projects/iridium-ui/src/app/components/dashboard/content/tenant-overview/ longer than 100 characters.
[WARNING] Entry: iridium-0.1.4-src/iridium-angular-client/projects/iridium-ui/src/app/components/dashboard/content/roles-overview/ longer than 100 characters.
[WARNING] Entry: iridium-0.1.4-src/iridium-angular-client/projects/iridium-ui/src/app/components/dashboard/content/user-overview/ longer than 100 characters.

Expected behavior
I'd like a way to suppress these warnings in the terminal

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

• OS: OSX

Smartphone (please complete the following information):

• n/a

Additional context

• n/a

Is your feature request related to a problem? Please describe.
In the current doc setup, versions are hardcoded in markdown files. This causes human error to show up quite often when deploying the docs.
As an example:

This page is a page specific to installing the CLI for version 0.2.1. But since the version is hardcoded in the doc on line 10 and on line 15 we often overlook these values and deploy with mismatching versions.

Describe the solution you'd like
I'd like a way to dynamically populate the versions in the markdown file in this example to match the URL the user visited in their browser.

E.g.: if the user visited docs.iridium.software/0.2.1/something the Markdown file could have some substitution for {selectedVersion} or similar.

Describe alternatives you've considered
I'm open to all suggestions.

Additional context
n/a

Is your feature request related to a problem? Please describe.
When testing how to use Iridium for my applications it would be nice to know how to revoke access of an application I authorized that is registered in Github. This is helpful as I'll be able to visualize all the steps of a customer working through my authorization flow.

Describe the solution you'd like
A set of documentation describing how to revoke access to a GitHub application.

Describe alternatives you've considered
n/a

Additional context

Is your feature request related to a problem? Please describe.
We need to add test coverage to our Angular client.

Describe the solution you'd like
Adding unit tests as needed to get test code coverage

Describe alternatives you've considered
n/a

Additional context
This is a great way to get familiar with the code base and the authorization code flow exchange

The system expects certain values to be present in the database for it to operate properly. Currently, we seed the database with an inflexible SQL script. We need to think of a way that we can easily allow developers to initialize the system with the configuration they want.

Things to think about:

• Do we want allow people to select the social providers they want to use?
• Do we want to default to no password option?
• Do we still want to allow passwords?
• Where will seed data live for social providers? E.g. below:
  • twitter
  • github
  • Microsoft
  • etc.

Is your feature request related to a problem? Please describe.
As someone managing a tenant with iridium, I'd like to be able to see all the users that have registered/signed in with my system.

Describe the solution you'd like
I'd like to add a visual display of users for each tenant

Describe alternatives you've considered
n/a

Additional context
n/a

Is your feature request related to a problem? Please describe.
Just like we have an init command, we need a run or a start or similar command to execute from the Iridium CLI to ease the process of managing properties, and etc.

Describe the solution you'd like
I'd like a run command implemented in the Iridium CLI. iridium run ....args. It doesn't have to be exactly like this, it's only an idea at this point. The CLI should reference the application.properties file int the conf folder of the distribution.

Describe alternatives you've considered
We can already run the jar as java -jar ...., it would be better if we bundled the run command in with the project for a common interface.

Additional context

Is your feature request related to a problem? Please describe.
As a developer, I want my users to be able to log in to my system with their google account.

Describe the solution you'd like
We need to follow the RESTful guidelines here: https://developers.google.com/youtube/v3/guides/auth/server-side-web-apps#httprest_1
Describe alternatives you've considered
n/a
Additional context
n/a

Is your feature request related to a problem? Please describe.
As an admin of Iridium, I'd like to be able to allow my customer base to log into my system with their Microsoft account.

Describe the solution you'd like
I need to be able to add Microsoft via a no-code interface like we do with GitHub and Google

Describe alternatives you've considered
n/a
Additional context
n/a

Is your feature request related to a problem? Please describe.
The current implementation of iridium init is not flexible. To make changes to the configuration, we need to change hard-coded values and recompile.

Describe the solution you'd like
We need a way to externalize the properties in a way that they are not compiled into the jar, are easily modifiable, and are usable with each release.

Describe alternatives you've considered
The current path was a first-pass alternative that needs to be improved.

Additional context
n/a

Is your feature request related to a problem? Please describe.
As a developer, I'd like to use Iridium on my Next.js project.

Describe the solution you'd like
I'd like a client to use with Next.js to implement an authorization code flow exchange from the browser.

Describe alternatives you've considered
If we don't build the client, others will have to manually execute all of the steps to run an authorization code flow, it's not super straightforward to the average user.

Additional context

Is your feature request related to a problem? Please describe.
To increase the security of the management UI we should enable server-side rendering.

Describe the solution you'd like
We should enable this SSR (server-side rendering) with Angular Universal

Describe alternatives you've considered
none

Additional context
none

The class AttributeValidator inside iridium/iridium-server-base is missing corresponding tests.

Is your feature request related to a problem? Please describe.
Currently, we need to create external identity providers via the cli. However, this fix isn't intuitive for non-iridium developers using iridium.

Describe the solution you'd like
I'd like a way to integrate an external identity provider to secure my apps via the UI with iridium.

Describe alternatives you've considered
n/a

Additional context
n/a

Is your feature request related to a problem? Please describe.
As a developer, I'm unsure of how to open iridium in intellij to explore/work on the code.

Describe the solution you'd like
I'd like a way for people to easily open the project in intellij.

Describe alternatives you've considered
n/a

Additional context
n/a

Is your feature request related to a problem? Please describe.
As a developer, I want to be able to run Iridium from an IDE to test the changes I am making.

Describe the solution you'd like
A doc describing how to run iridium.

Describe alternatives you've considered

Additional context

Describe the bug
When working through the authorization code flow with the angular example we get this error when trying to get a bearer token from the server

[Error] Failed to load resource: Origin http://localhost:4300 is not allowed by Access-Control-Allow-Origin. Status code: 400 (token, line 0)

To Reproduce
Steps to reproduce the behavior:

1. Stand up Local database
2. Run Iridium and management UI from the source
3. login at admin, create a tenant and a SPA application
4. Use the client ID from SPA creation to add to this project and run it.
5. After logging in with the user the authorization code flow is blocked due to the CORS settings.

Expected behavior
The user should receive a bearer token. No CORS errors should occur

Screenshots

Desktop (please complete the following information):

• OS: [e.g. iOS]
• Browser [chrome and safari]
• Version [e.g. 22]

Additional context
Add any other context about the problem here.

Is your feature request related to a problem? Please describe.
I'd like to have another way to allow users to log into my system in a way other than needing to integrating an external identity provider such as github.

Describe the solution you'd like
I'd like a diagram to help explain how we can implement passkeys within Iridium.

Describe alternatives you've considered

Additional context

• WebAuthn RFC

Describe the bug
The command at this page [1] shows a docker command that does not work as expected

1. https://docs.iridium.software/0.2.0/2.-getting-started/2.run-iridium-locally/

The following:

$ docker run  --name mariadb \
    -p 3306:3306 \
    -e MYSQL_ROOT_PASSWORD=iridium \
    -e MYSQL_DATABASE=identities \
    -e MYSQL_USER=identity-api \
    -e MYSQL_PASSWORD=iridium \
    -d mariadb:latest

Should be changed to:

$ docker compose -f tools/schedulers/compose/local-dev-compose.yml up [-d]

Expected behavior
n/a

Screenshots
n/a

Additional context
cc @erzohrakhan

Is your feature request related to a problem? Please describe.
We should keep the Iridium clients grouped/named similarly for ease of understanding.

Describe the solution you'd like
Let's modify all clients to use iridium-client-{technology}

Describe alternatives you've considered
I'm open to other suggestions

Additional context
n/a

Is your feature request related to a problem? Please describe.
To enhance security we need to restrict the token refresh grant to confidential clients only.

Describe the solution you'd like
I think we should modify the current endpoint to restrict it to confidential clients only.

Describe alternatives you've considered
n/a

Additional context
n/a

Is your feature request related to a problem? Please describe.
We have the ability to add social provider login (github, facebook, google, etc) via directly making edits to the database. We need a way to allow for configuring which social provider each tenant would like to use for their login page. We do not need to account for all listed above in the first pass. We only need a path forward on how to get this done.

Describe the solution you'd like
I'd like a sub-menu in the admin dashboard that allows for a configurable login view

Describe alternatives you've considered
n/a

Additional context
n/a

Is your feature request related to a problem? Please describe.
Currently the docker containers do not mount a volume where volatile data can be stored. This causes the system to require reinitialization after the containers come back up.

Describe the solution you'd like
We need a way of mounting in a volume both locally and in prod.

Describe alternatives you've considered
There are many options for volume level block storage

Additional context
The biggest problem with this is that locally the re-initialization means that any data that is stored is lost between testing and developing. There should also be control over the volumes based on the promotional context the system is in.

Is your feature request related to a problem? Please describe.
Currently the iridium-angular-client is a bit messy in terms of code format consistency. I'd like a way to lint or enforce a code format within this module.

Describe the solution you'd like
I'd like to use a tool like ng lint to help with this task. As a developer, I could run a command like ng lint to format my code to a specific format. If we could do this, we could use code formatting as part of a pre-check for quality in PRs as well.

Describe alternatives you've considered
I have not. I'm open to using any tool that will get the job done well.

Additional context
n/a

Is your feature request related to a problem? Please describe.
When client errors happen during the login process, It would be useful to display a page that displays the error in a more human-friendly way that a JSON response

Describe the solution you'd like
We should create an error handling page to report errors out in a way that will

1. Give the user some information of the error
2. Securely give the user information. (do not spill secrets, allow people to hit the database looking for users, etc. )

Describe alternatives you've considered
N/A

Additional context
The current view when errors occur is attached.

Describe the bug
When adding an external provider to a tenant through the management UI, the list of available external provider templates to add does not take in account the list of external providers already associated with a tenant. As a result, a user could add a "Login with Github" or "Login with Google" button twice to their Login in Box. A user should only be able to add an external provider to their login box if it has not been added before.
To Reproduce
Steps to reproduce the behavior:

1. Go to 'https://{hostNameForUI}/dashboard'
2. Select a tenant
3. Click on Login Box -> Login Bot Settings
4. Click on "Add Provider"
5. See bug where you can still select a provider even though it's already been added. See screenshot below

Expected behavior
a user should only be able to select a provider that has not been added to their login box yet.

Screenshots

1. See that we have GitHub added already as a provider in below image

1. We can still select GitHub as a provider - this is wrong. We should not be able to select GitHub again.

Additional context
This exists as of 0.2.2-SNAPSHOT

Is your feature request related to a problem? Please describe.
OAuth 2.x is complex. The next generation protocol coming is gnap..

Describe the solution you'd like
Let's see how we can enhance Iridium with the gnap protocol

Describe alternatives you've considered
n/a

Additional context
n/a.