UI: Authenticate with OAuth2 client ID / secret #1591

Closed
thjaeckle opened this issue Mar 4, 2023 · 4 comments · Fixed by #2032
thjaeckle (Member) commented Mar 4, 2023

Currently the UI accepts a Bearer token for authenticating.
It would, however, be more comfortable if the UI authenticated against a configured OAuth provider endpoint, using a client ID and an optional secret (not all OAuth flows require a secret).

The Swagger UI also supports such a mode where the OAuth provider configuration is added.
As the Ditto UI saves the environments locally, the OAuth secret does not need to be persisted or configured statically, which should suffice security-wise.

thjaeckle added the "UI" label (Issues related to the Ditto explorer UI) Mar 4, 2023

thfries (Contributor) commented Mar 5, 2023

Interesting. I agree that would be great.
I was experimenting a while ago and concluded that the OAuth flows only work with a backend, so I stopped at that time. I need to take another look, and I would need some support here.
Do you remember that secrets are not persisted by the UI?

thjaeckle (Member, Author) replied:

Yes, I remember.
However, new OAuth2 flows like PKCE do not require a secret, so for those this would be a really good fit.
For others, a backend proxy may add the secret without the need to leak it into the client.

thfries (Contributor) commented Nov 19, 2023

Hi @thjaeckle, I'm coming back to this ticket. PKCE looks very promising, but it needs some infrastructure (Authorization Server and OAuth2 Proxy for ditto?) and I think it will be easier to test if this is available in the cloud. I started with Google as an authorization server and tried out the Google authentication to the sandbox HTTP API.

  • My Google OAuth client ID and secret did not work, because I do not know the redirect URL for the ditto sandbox server. Is there a more detailed description of how this use of the sandbox HTTP API with Google should work? Maybe a good start would be to use the same approach for the UI as for the Swagger UI. But for that I would need to be able to test it.
  • Do I understand correctly that there is an OAuth2 proxy installed on the Ditto sandbox? If needed, can we extend that with the PKCE flow? It would be nice to have Google SSO directly with the sandbox and the UI 😉. Another related question: is the ditto sandbox (or could it be) registered as an application on Google (or GitHub)?

thjaeckle (Member, Author) replied:

Hi @thfries

So the Ditto sandbox does not yet run an OAuth2 proxy, but it probably should :D
Currently, there is only an nginx in front of Ditto which does some "magic" in inserting the OpenID Connect client secret for Google OAuth.
I haven't checked that for a long time, though; no idea if it still works.

I will look into it once I find the time - that however could take a while :/

thjaeckle added a commit to beyonnex-io/ditto that referenced this issue Sep 25, 2024
* make it configurable which OIDC issuers to use
* re-did a lot of the existing configuration of the Ditto UI
* added typing for Environment
thjaeckle added a commit to beyonnex-io/ditto that referenced this issue Sep 26, 2024
thjaeckle added a commit to beyonnex-io/ditto that referenced this issue Sep 27, 2024
thjaeckle added a commit to beyonnex-io/ditto that referenced this issue Sep 27, 2024
…arerTokenFrom" to define from where to extract the Bearer token

* also used "state" to propagate back to client after redirect if main or oauth SSO was done, or both
thjaeckle added a commit to beyonnex-io/ditto that referenced this issue Sep 30, 2024
…er to make search bookmarkable and survive SSO redirects

* base64 encoded url_state
thjaeckle added this to the 3.6.0 milestone Sep 30, 2024
thjaeckle self-assigned this Sep 30, 2024
thjaeckle added a commit that referenced this issue Oct 4, 2024