Task #309

closed

OAuth2 - proof of concept

Added by Jan Helbich about 7 years ago. Updated almost 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Jan Helbich
Category:
Authentication / Authorization
Target version:
Start date:
04/07/2017
Due date:
04/07/2017
% Done:

100%

Estimated time:
20.00 h
Owner:

Description

Create a proof of concept implementation of IdM authentication/authorization based on design proposed in https://proj.bcvsolutions.eu/ngidm/doku.php?id=navrh:oauth.

Verify following ideas work or propose more suitable solutions:
  • authentication filter chain
  • simple IdM OAuth2 server based on Spring OAuth project
  • external OAuth2 auth. server
    • external token issued to the client is used primarily for user authentication
    • authorities are stored in IdM JWT token

Related issues

Related to IdStory Identity Manager - Defect #2600: Removing authorization policy form role assigned to many users fails (Closed, Radek Tomiška, 12/07/2020)
Follows IdStory Identity Manager - Task #202: OAuth2 - choose authentication implementation (Closed, Jan Helbich, 11/22/2016)
Follows IdStory Identity Manager - Feature #360: OpenAM - authentication endpoint (Closed, Alena Peterová, 04/06/2017)

Actions #1

Updated by Jan Helbich about 7 years ago

  • Estimated time set to 20.00 h
Actions #2

Updated by Radek Tomiška about 7 years ago

  • Due date set to 11/23/2016
  • Start date changed from 02/14/2017 to 11/23/2016
  • Follows Task #202: OAuth2 - choose authentication implementation added
Actions #3

Updated by Radek Tomiška about 7 years ago

  • Due date deleted (11/23/2016)
  • Status changed from New to In Progress
Actions #4

Updated by Jan Helbich about 7 years ago

After a long effort I have discarded the idea of integrating Spring OAuth as IdM authentication server.
There are multiple reasons, but mainly I seem to be unable to configure other auth. filters (such as basic auth) to work with the framework right.

So currently I'm using the original IdM JWT token as authentication mechanism and only use the Spring Oauth as a library.
I have implemented and manually tested (cURL) Basic authentication (token independent)
and authenticating against remote trusted authority. The remote authority was set up as locally running OAuth2 server, which issues JWT tokens to user called "user".
The authentication is then done by redirecting the user to IdM login endpoint and issuing our custom JWT token.

I started work on "just in time authority management" - a possibility to revoke access to the API for users who have had changes in their authorities since their
authentication token was issued. I got familiar with event processors and I am currently enhancing the token by additional attributes (defined by specification) and testing.

There is only the token refreshing left from the original assignment. I have some questions here, which I'll prepare and send, hopefully by tomorrow.

Actions #5

Updated by Jan Helbich about 7 years ago

I have implemented and tested the just in time authorities management. Each token now has an issue date, which always has to be after the last authorities modification date (IdmIdentity field). Last auth. modification is set when a role is added (TODO) or deleted; it should also work with role expiration (future work). Role events are intercepted by the IdmIdentityRole processor with the lowest order, so that all CRUD operations are run first.
I've also replaced all java.util.Date occurrences in JWT / authentication with Joda's DateTime.

Then I've encountered heavy problems when managing redirects while authenticating with remote auth. token in FE. It seems that isomorphic-fetch has some issues with redirects under CORS policies, which I haven't resolved yet. CORS block message:

Redirect from ... to ... has been blocked by CORS policy: Request requires preflight, which is disallowed to follow cross-origin redirect.

Actions #6

Updated by Jan Helbich about 7 years ago

The main problem seems to be the "Location" header, which causes the browser redirect. Without it the fetch at least accepts status 302.
I still cannot set any response headers, though. (???)
As I still cannot overcome the redirect both with and without CORS (or the redirect alone), the next idea is to send the redirect URL in the response body as an error and then parse it out. Unfortunately it seems even the status has to be an error, otherwise all ".then" callbacks are still called and currently there is no way to stop a "then" callback chain from executing in isomorphic-fetch...

Actions #7

Updated by Jan Helbich about 7 years ago

Redirects did not work, so I have implemented the SSO-like login using some kind of "pre request", as Radek suggested.
I have successfully tested the idea. Now if the user has a valid bearer token in the "Authorization" HTTP header, FE automatically logs them in.

If the IdM login expires but the original remote auth token bearer is still present in the HTTP request and valid, the user is automatically re-logged in. If the remote token is not valid, the user is redirected to /login page - that is the original behavior.
I'm not sure what the preferred behavior for logout is, though. Currently I've left it out, so if the user has a valid remote token and clicks on "Logout", he is immediately logged in again -> no logout for SSO.

I have also tested the JIT authority management - removing any user role that carries some authorities enforces token "expiration".
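The just-in-time authority check described in comments #5 and #7 (a token is only accepted when its issue instant is strictly after the identity's last authorities modification), as an added example that is not part of the project's code: the Identity, IdmToken and JitAuthorityValidator names, the use of java.time instead of Joda DateTime, and the timestamps are assumptions.

```java
import java.time.Instant;
import java.util.Objects;

final class JitAuthorityValidator {
    /**
     * Accept the token only if it belongs to the identity, is unexpired, and was issued
     * strictly after the identity's authorities last changed. An issue instant equal to
     * the modification instant is rejected, so a token minted during a role change fails closed.
     */
    static boolean isValid(IdmToken token, Identity identity, Instant now) {
        if (!token.subject.equals(identity.getUsername())) return false;
        if (!now.isBefore(token.expiresAt)) return false;
        Instant changed = identity.getLastAuthorityModification();
        return changed == null || token.issuedAt.isAfter(changed);
    }

    public static void main(String[] args) {
        Identity user = new Identity("user");
        Instant t0 = Instant.parse("2017-04-07T10:00:00Z"); // constructed timestamps
        IdmToken token = new IdmToken("user", t0, t0.plusSeconds(3600));
        System.out.println("no change since issue: " + isValid(token, user, t0.plusSeconds(60)));
        user.touchAuthorities(t0.plusSeconds(120)); // a role carrying authorities was removed
        System.out.println("role removed after issue: " + isValid(token, user, t0.plusSeconds(180)));
        IdmToken reissued = new IdmToken("user", t0.plusSeconds(200), t0.plusSeconds(3800));
        System.out.println("token reissued on re-login: " + isValid(reissued, user, t0.plusSeconds(240)));
    }
}

/** Hypothetical identity record holding only the field the check needs (assumed name). */
final class Identity {
    private final String username;
    private Instant lastAuthorityModification; // null until the identity's roles ever change

    Identity(String username) { this.username = Objects.requireNonNull(username); }
    String getUsername() { return username; }
    Instant getLastAuthorityModification() { return lastAuthorityModification; }

    /** Called by the role-change processor, after the CRUD work, on every role add or delete. */
    void touchAuthorities(Instant when) { this.lastAuthorityModification = Objects.requireNonNull(when); }
}

/** Hypothetical decoded IdM JWT: subject, issue instant (iat) and expiry (exp). */
final class IdmToken {
    final String subject;
    final Instant issuedAt;
    final Instant expiresAt;

    IdmToken(String subject, Instant issuedAt, Instant expiresAt) {
        this.subject = subject; this.issuedAt = issuedAt; this.expiresAt = expiresAt;
    }
}
```

The second case is the one comment #7 tests by hand: the old token is refused once a role is removed, and access returns only with a token issued after the change.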

Actions #8

Updated by Jan Helbich about 7 years ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Jan Helbich to Radek Tomiška

I have finished the authentication filters, all changes are pushed to github, branch "jhelbich/authfilters" as two commits.

I have updated the design outline in wiki as brief documentation, other docs are just javadoc and example test cases - is that enough?

Can you please make a review and provide feedback?

Actions #9

Updated by Radek Tomiška about 7 years ago

  • Status changed from Needs feedback to In Progress
  • Assignee changed from Radek Tomiška to Jan Helbich
  • % Done changed from 0 to 90

I did test and review. All implemented features work smoothly, tests are very nice.
I found some minors:
- BE: some integration tests failed, FE: linter found 5 new warnings (forgotten console, commented stomp client logger)
- move api interfaces to core api module, add javadoc with @author to all new classes and rename '...IdM...' to '..Idm..'
- warning message after changing authorities for the currently logged user is not shown (login dialog is shown correctly but the logged user doesn't know why)
- annotation @RepositoryRestResource is not needed, you could remove it altogether
- add new security configuration properties to docs https://proj.bcvsolutions.eu/ngidm/doku.php?id=navrh:konfigurace_aplikace
- FE: package.json - we are using npm package versions without wildcards (a dependency with a wildcard could break the build)

Could you merge this branch to develop after processing these notes?
- flyway script for added entities has to be created (flyway is enabled in develop branch now)

Actions #10

Updated by Jan Helbich about 7 years ago

  • Assignee changed from Jan Helbich to Radek Tomiška

Radek Tomiška wrote:

I did test and review. All implemented features work smoothly, tests are very nice.
I found some minors:
- BE: some integration tests failed, FE: linter found 5 new warnings (forgotten console, commented stomp client logger)
- move api interfaces to core api module, add javadoc with @author to all new classes and rename '...IdM...' to '..Idm..'
- warning message after changing authorities for the currently logged user is not shown (login dialog is shown correctly but the logged user doesn't know why)
- annotation @RepositoryRestResource is not needed, you could remove it altogether
- add new security configuration properties to docs https://proj.bcvsolutions.eu/ngidm/doku.php?id=navrh:konfigurace_aplikace
- FE: package.json - we are using npm package versions without wildcards (a dependency with a wildcard could break the build)

Could you merge this branch to develop after processing these notes?
- flyway script for added entities has to be created (flyway is enabled in develop branch now)

OK, well I could not reproduce the errors in tests.
Just to be sure, here is my setup:
  • the git branch is jhelbich/authfilters
  • cd backend/core
  • #> mvn clean install -U
    • 229 tests passed, 6 skipped
  • cd backend/acc
  • #> mvn clean install -U
    • 7? tests passed

I've also run the tests in Eclipse, right click on project -> Run As -> JUnit test, all passing. Can you please check the tests one more time?

I've also done some minor implementation refactoring, so the authentication filters are much more "lightweight" and there is no need to alter the spring configuration now (the former implementation expected config in WebSecurityConfig).

What I could not do was displaying the warning message in FE when authorities change. I've tried to put it into the FlashMessageManager, where the login error is checked, but I cannot add the message either before or after the LOGOUT dispatch. Do you have any tip on how to do this?

Actions #11

Updated by Radek Tomiška about 7 years ago

  • Due date set to 04/07/2017
  • Start date changed from 11/23/2016 to 04/07/2017
  • Follows Feature #360: OpenAM - authentication endpoint added
Actions #12

Updated by Radek Tomiška about 7 years ago

  • Assignee changed from Radek Tomiška to Jan Helbich

Tests are ok now, all are green :)

Regarding the warning message: maybe it could be implemented as a standard result code instead of a websocket message and could be handled in the modal as Basic.Alert. But this is not necessary, we could implement this feature later - please create a new minor ticket.

We could merge this ticket into develop after the flyway script is added (and some refactoring around the removed IdmRoleAuthority will be needed, sorry :/).

Actions #13

Updated by Jan Helbich almost 7 years ago

I've started with rebase on develop and resolving conflicts. The change of internal authorization model definitely made conflict resolution a challenging task.
There are still 2 test errors and 8 failures, but hopefully I'll have this done by tomorrow.

Actions #14

Updated by Jan Helbich almost 7 years ago

Tests fixed, code merged, conflicts resolved, tests fixed again, code committed and pushed to develop.
The doc update remains the last thing to do.

Actions #16

Updated by Filip Měšťánek almost 7 years ago

[WARN] Remote login error occurred: { id: '082c5b48-a737-4881-872a-df5a28010568',
  creation: '2017-05-03T13:23:23.019Z',
  statusEnum: 'FORBIDDEN',
  message: 'Forbidden.',
  parameters: 
   { path: '/idm-app/api/v1/authentication/remote-auth',
     message: 'Access Denied' },
  module: 'core',
  statusCode: 403,
  status: 'FORBIDDEN' }
Actions #17

Updated by Filip Měšťánek almost 7 years ago

Security manager FE class hides all flash messages during login or logout. The problem is, messages are hidden even when accessing the login page.

Actions #18

Updated by Jan Helbich almost 7 years ago

Actions #19

Updated by Jan Helbich almost 7 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 90 to 100

Thanks for feedback, guys! Remaining issues will be solved in a separate ticket, I'm closing this one.

Actions #20

Updated by Jan Helbich almost 7 years ago

  • Status changed from Resolved to Closed
Actions #21

Updated by Radek Tomiška over 3 years ago

  • Related to Defect #2600: Removing authorization policy form role assigned to many users fails added