fabric8-services / fabric8-auth
Identity and Access Management for fabric8 services
Home Page: https://auth.openshift.io/api/status
License: Apache License 2.0
Add the model classes as per the auth server design doc.
As the first step we should provide our own implementation to cover all Keycloak functionality currently used by OSIO:
Moved from fabric8-services/fabric8-wit#1291
First of all we should get rid of the public KC client and switch all services which use that client to our Auth API. Keycloak authN should be hidden behind Auth.
Currently users can change email without verification
We should load all existing users and identities from WIT to Auth service DB.
When any user or identity is updated via api.openshift.io we should call auth.openshift.io to keep both DBs in sync.
It's the first step to sync the DBs. The next step would be to refactor the WIT user/identity model to keep only the minimum user/identity information relevant to WIT. Then switch all the clients to auth.openshift.io and update WIT when the relevant user/identity info is updated in auth.openshift.io.
cc: @kbsingh
We can load this key from KC - #29 and share it with other services so they don't have to hardcode it or load it from Keycloak directly.
New /token/keys endpoint:
GET /api/token/keys
or GET /api/token/keys?format=jwk
returns a JSON document in the following (JWK) format:
{
"keys": [
{
"alg": "RS256",
"e": "AQAB",
"kid": "bNq-BCOR3ev-E6buGSaPrU-0SXX8whhDlmZ6geenkTE",
"kty": "RSA",
"n": "vQ8p-HsTMrgcsuIMoOR1LXRhynL9YAU0qoDON6PLKCpdBv0Xy_jnsPjo5DrtUOijuJcID8CR7E0hYpY9MgK5H5pDFwC4lbUVENquHEVS_E0pQSKCIzSmORcIhjYW2-wKfDOVjeudZwdFBIxJ6KpIty_aF78hlUJZuvghFVqoHQYTq_DZOmKjS-PAVLw8FKE3wa_3WU0EkpP-iovRMCkllzxqrcLPIvx-T2gkwe0bn0kTvdMOhTLTN2tuvKrFpVUxVi8RM_V8PtgdKroxnES7SyUqK8rLO830jKJzAYrByQL-sdGuSqInIY_geahQHEGTwMI0CLj6zfhpjSgCflstvw",
"use": "sig"
},
{
"alg": "RS256",
"e": "AQAB",
"kid": "9MLnViaRkhVj1GT9kpWUkwHIwUD-wZfUxR-3CpkE-Xs",
"kty": "RSA",
"n": "nwrjH5iTSErw9xUptp6QSFoUfpHUXZ-PaslYSUrpLjw1q27ODSFwmhV4-dAaTMO5chFv_kM36H3ZOyA146nwxBobS723okFaIkshRrf6qgtD6coTHlVUSBTAcwKEjNn4C9jtEpyOl-eSgxhMzRH3bwTIFlLlVMiZf7XVE7P3yuOCpqkk2rdYVSpQWQWKU-ZRywJkYcLwjEYjc70AoNpjO5QnY-Exx98E30iEdPHZpsfNhsjh9Z7IX5TrMYgz7zBTw8-niO_uq3RBaHyIhDbvenbR9Q59d88lbnEeHKgSMe2RQpFR3rxFRkc_64Rn_bMuL_ptNowPqh1P-9GjYzWmPw",
"use": "sig"
}
]
}
GET /api/token/keys?format=pem
returns a JSON document in the following (PEM-like) format:
{
"keys": [
{
"key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvQ8p+HsTMrgcsuIMoOR1LXRhynL9YAU0qoDON6PLKCpdBv0Xy/jnsPjo5DrtUOijuJcID8CR7E0hYpY9MgK5H5pDFwC4lbUVENquHEVS/E0pQSKCIzSmORcIhjYW2+wKfDOVjeudZwdFBIxJ6KpIty/aF78hlUJZuvghFVqoHQYTq/DZOmKjS+PAVLw8FKE3wa/3WU0EkpP+iovRMCkllzxqrcLPIvx+T2gkwe0bn0kTvdMOhTLTN2tuvKrFpVUxVi8RM/V8PtgdKroxnES7SyUqK8rLO830jKJzAYrByQL+sdGuSqInIY/geahQHEGTwMI0CLj6zfhpjSgCflstvwIDAQAB",
"kid": "bNq-BCOR3ev-E6buGSaPrU-0SXX8whhDlmZ6geenkTE"
},
{
"key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnwrjH5iTSErw9xUptp6QSFoUfpHUXZ+PaslYSUrpLjw1q27ODSFwmhV4+dAaTMO5chFv/kM36H3ZOyA146nwxBobS723okFaIkshRrf6qgtD6coTHlVUSBTAcwKEjNn4C9jtEpyOl+eSgxhMzRH3bwTIFlLlVMiZf7XVE7P3yuOCpqkk2rdYVSpQWQWKU+ZRywJkYcLwjEYjc70AoNpjO5QnY+Exx98E30iEdPHZpsfNhsjh9Z7IX5TrMYgz7zBTw8+niO/uq3RBaHyIhDbvenbR9Q59d88lbnEeHKgSMe2RQpFR3rxFRkc/64Rn/bMuL/ptNowPqh1P+9GjYzWmPwIDAQAB",
"kid": "9MLnViaRkhVj1GT9kpWUkwHIwUD-wZfUxR-3CpkE-Xs"
}
]
}
similar to fabric8-services/fabric8-wit#1539
We don't have to store the public key in our configuration. We can load it from KC when starting and then check it regularly in case it's changed:
We can use the following endpoint to load the key:
https://sso.openshift.io/auth/realms/fabric8/protocol/openid-connect/certs
We would need to convert the JWK from this endpoint to a PEM key.
https://tools.ietf.org/html/rfc7517
https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/oidc-generic.html
https://play.golang.org/p/mLpOxS-5Fy
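The conversion the two issues above ask for, as an added Go example that is not code from the original page or from the fabric8-auth project: it parses a JWK set (the shape served by the Keycloak /certs URL and by /api/token/keys?format=jwk), rebuilds each RSA public key from n and e, emits the base64 DER SubjectPublicKeyInfo string that the format=pem response shows (for the two keys quoted in the issue it reproduces those "key" values exactly), and selects a key by kid with PEM armour for a JWT library. The plausibility checks on kty, modulus size and exponent, the skipping of non-signing keys, the function names and the embedded sample (the two keys from the issue, so nothing is fetched from the network) are this example's own choices.

```go
package main

import (
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
)

// jwk: RFC 7517 members of an RSA key as served by Keycloak's /certs endpoint.
type jwk struct {
	Kid string `json:"kid"`
	Kty string `json:"kty"`
	Use string `json:"use"`
	N   string `json:"n"` // base64url without padding, big-endian modulus
	E   string `json:"e"` // base64url without padding, big-endian exponent
}

// pemKey is one entry of the /api/token/keys?format=pem response.
type pemKey struct {
	Key string `json:"key"`
	Kid string `json:"kid"`
}

// jwkToRSA rebuilds an rsa.PublicKey from "n" and "e", rejecting anything that
// is not an RSA key of a plausible shape (example's own checks).
func jwkToRSA(k jwk) (*rsa.PublicKey, error) {
	nb, errN := base64.RawURLEncoding.DecodeString(k.N)
	eb, errE := base64.RawURLEncoding.DecodeString(k.E)
	if k.Kty != "RSA" || errN != nil || errE != nil {
		return nil, fmt.Errorf("kid %q: not an RSA key with base64url n and e", k.Kid)
	}
	n, e := new(big.Int).SetBytes(nb), new(big.Int).SetBytes(eb)
	if e.BitLen() > 31 || e.Bit(0) == 0 || n.BitLen() < 2048 {
		return nil, fmt.Errorf("kid %q: implausible modulus or exponent", k.Kid)
	}
	return &rsa.PublicKey{N: n, E: int(e.Int64())}, nil
}

// convertSet produces the /api/token/keys?format=pem shape: each "key" is the
// base64 DER SubjectPublicKeyInfo without PEM armour. Keys not marked for
// signing are skipped so an encryption key can never be used to verify tokens.
func convertSet(raw []byte) ([]pemKey, error) {
	var set struct{ Keys []jwk `json:"keys"` }
	if err := json.Unmarshal(raw, &set); err != nil {
		return nil, err
	}
	out := make([]pemKey, 0, len(set.Keys))
	for _, k := range set.Keys {
		if k.Use != "" && k.Use != "sig" {
			continue
		}
		pub, err := jwkToRSA(k)
		if err != nil {
			return nil, err
		}
		der, err := x509.MarshalPKIXPublicKey(pub)
		if err != nil {
			return nil, err
		}
		out = append(out, pemKey{Key: base64.StdEncoding.EncodeToString(der), Kid: k.Kid})
	}
	return out, nil
}

// pemForKid selects the key a token names in its "kid" header and returns it as
// a "PUBLIC KEY" PEM block. An unknown kid is an error, never "any key will do".
func pemForKid(raw []byte, kid string) (string, error) {
	keys, err := convertSet(raw)
	if err != nil {
		return "", err
	}
	for _, k := range keys {
		if k.Kid != kid {
			continue
		}
		der, err := base64.StdEncoding.DecodeString(k.Key)
		if err != nil {
			return "", err
		}
		return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
	}
	return "", fmt.Errorf("no signing key with kid %q", kid)
}

// sampleJWKS is the two-key JWK response quoted in the issue, embedded so the
// program runs offline instead of fetching it from sso.openshift.io.
const sampleJWKS = `{"keys":[{"alg":"RS256","e":"AQAB","kid":"bNq-BCOR3ev-E6buGSaPrU-0SXX8whhDlmZ6geenkTE","kty":"RSA","n":"vQ8p-HsTMrgcsuIMoOR1LXRhynL9YAU0qoDON6PLKCpdBv0Xy_jnsPjo5DrtUOijuJcID8CR7E0hYpY9MgK5H5pDFwC4lbUVENquHEVS_E0pQSKCIzSmORcIhjYW2-wKfDOVjeudZwdFBIxJ6KpIty_aF78hlUJZuvghFVqoHQYTq_DZOmKjS-PAVLw8FKE3wa_3WU0EkpP-iovRMCkllzxqrcLPIvx-T2gkwe0bn0kTvdMOhTLTN2tuvKrFpVUxVi8RM_V8PtgdKroxnES7SyUqK8rLO830jKJzAYrByQL-sdGuSqInIY_geahQHEGTwMI0CLj6zfhpjSgCflstvw","use":"sig"},
{"alg":"RS256","e":"AQAB","kid":"9MLnViaRkhVj1GT9kpWUkwHIwUD-wZfUxR-3CpkE-Xs","kty":"RSA","n":"nwrjH5iTSErw9xUptp6QSFoUfpHUXZ-PaslYSUrpLjw1q27ODSFwmhV4-dAaTMO5chFv_kM36H3ZOyA146nwxBobS723okFaIkshRrf6qgtD6coTHlVUSBTAcwKEjNn4C9jtEpyOl-eSgxhMzRH3bwTIFlLlVMiZf7XVE7P3yuOCpqkk2rdYVSpQWQWKU-ZRywJkYcLwjEYjc70AoNpjO5QnY-Exx98E30iEdPHZpsfNhsjh9Z7IX5TrMYgz7zBTw8-niO_uq3RBaHyIhDbvenbR9Q59d88lbnEeHKgSMe2RQpFR3rxFRkc_64Rn_bMuL_ptNowPqh1P-9GjYzWmPw","use":"sig"}]}`

func main() {
	keys, err := convertSet([]byte(sampleJWKS))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d signing keys, first kid %s\n", len(keys), keys[0].Kid)
}
```

Note that the format=pem "key" value above is the bare base64 DER of a SubjectPublicKeyInfo, not a PEM file; wrapping it in the BEGIN/END PUBLIC KEY armour is what pemForKid adds. In the service the raw document would come from the /certs URL on startup and on a refresh timer, and a token whose kid is absent from the cached set should at most trigger one refresh before verification fails.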
This endpoint will be used by WIT and other resource servers to register resources for protection. We will follow the UMA specification for this, with the following enhancements:
Here's an example request:
POST /resource/ HTTP/1.1
Content-Type: application/json
Authorization: Bearer MHg3OUZEQkZBMjcx
...
{
"resource_scopes":[
"read-public",
"post-updates",
"read-private",
"http://www.example.com/scopes/all"
],
"icon_uri":"http://www.example.com/icons/sharesocial.png",
"name":"Tweedl Social Service",
"type":"http://www.example.com/rsrcs/socialstream/140-compatible",
"parent_resource_id":"KX30-1234",
"resource_id":"aaaa-bbbb-cccc-dddd-9999-8888-7777-6666"
}
And here is a successful response:
HTTP/1.1 201 Created
Content-Type: application/json
Location: /rreg/KX3A-39WE
...
{
"_id":"KX3A-39WE",
"user_access_policy_uri":"http://as.example.com/rs/222/resource/KX3A-39WE/policy"
}
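The registration exchange above as an added Go example (not code from the original page or from the fabric8-auth project): an in-memory stand-in for the resource repository behind POST /resource/ that requires the bearer protection API token, size-limits and validates the JSON body (a name, at least one scope, and a parent_resource_id that must already be registered), and answers 201 with a Location header and the _id and user_access_policy_uri body. The policy base URL, the single accepted token (the bearer value from the example request), the random 16-hex-character _id, the function names and the in-process driver are this example's assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// resourceDescription is the UMA registration body from the issue, with the
// non-standard parent_resource_id field it proposes.
type resourceDescription struct {
	ResourceScopes   []string `json:"resource_scopes"`
	Name             string   `json:"name"`
	ParentResourceID string   `json:"parent_resource_id,omitempty"`
}

// registrationResponse is the 201 body from the issue.
type registrationResponse struct {
	ID                  string `json:"_id"`
	UserAccessPolicyURI string `json:"user_access_policy_uri"`
}

var errInvalid = errors.New("invalid resource description")

// resourceServer stands in for the repository; policyBase and the single
// accepted protection API token (validPAT) are assumptions of this example.
type resourceServer struct {
	resources  map[string]resourceDescription
	policyBase string
	validPAT   string
}

func newServer(pat string) *resourceServer {
	return &resourceServer{resources: map[string]resourceDescription{},
		policyBase: "http://as.example.com/rs/222/resource/", validPAT: pat}
}

// register checks name, scopes and (if given) an existing parent, then stores
// the description under a fresh random _id.
func (s *resourceServer) register(d resourceDescription) (registrationResponse, error) {
	if strings.TrimSpace(d.Name) == "" || len(d.ResourceScopes) == 0 {
		return registrationResponse{}, fmt.Errorf("%w: name and resource_scopes are required", errInvalid)
	}
	if _, ok := s.resources[d.ParentResourceID]; d.ParentResourceID != "" && !ok {
		return registrationResponse{}, fmt.Errorf("%w: unknown parent_resource_id %q", errInvalid, d.ParentResourceID)
	}
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		return registrationResponse{}, err
	}
	id := hex.EncodeToString(b)
	s.resources[id] = d
	return registrationResponse{ID: id, UserAccessPolicyURI: s.policyBase + id + "/policy"}, nil
}

// ServeHTTP handles POST /resource/: a bearer PAT is required (401), the body
// is size-limited and validated (400), then 201 with a Location header.
func (s *resourceServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	auth := r.Header.Get("Authorization")
	if !strings.HasPrefix(auth, "Bearer ") || strings.TrimPrefix(auth, "Bearer ") != s.validPAT {
		w.WriteHeader(http.StatusUnauthorized)
		return
	}
	var d resourceDescription
	if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 64<<10)).Decode(&d); err != nil {
		http.Error(w, "malformed JSON body", http.StatusBadRequest)
		return
	}
	resp, err := s.register(d)
	if errors.Is(err, errInvalid) {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	} else if err != nil {
		http.Error(w, "internal error", http.StatusInternalServerError)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	w.Header().Set("Location", "/rreg/"+resp.ID)
	w.WriteHeader(http.StatusCreated)
	json.NewEncoder(w).Encode(resp)
}

// post drives the handler in-process and returns status, Location and body.
func post(s *resourceServer, bearer, body string) (int, string, string) {
	req := httptest.NewRequest(http.MethodPost, "/resource/", strings.NewReader(body))
	if bearer != "" {
		req.Header.Set("Authorization", "Bearer "+bearer)
	}
	rec := httptest.NewRecorder()
	s.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Location"), rec.Body.String()
}

func main() {
	s := newServer("MHg3OUZEQkZBMjcx") // the bearer value shown in the issue's request
	code, loc, body := post(s, "MHg3OUZEQkZBMjcx", `{"name":"Tweedl Social Service","resource_scopes":["read-public","post-updates"]}`)
	fmt.Println(code, loc, body)
}
```

The parent check is what makes the child-resource listing mentioned later on this page safe to rely on: a child can only be registered under an _id the server itself issued, so the tree never contains dangling parents. A real deployment would validate the PAT against the token issuer rather than compare a single string.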
We need to disable email updates in UI until we start verifying emails - #62
It still will be possible to update email via API or in KC directly though.
If an unapproved user tries to log in, we currently redirect to the OSIO/OSO registration page. We set this redirect URL via the F8_AUTH_NOTAPPROVED_REDIRECT env var.
It can be confusing for users, especially for users who have already registered and are waiting for approval.
We should create a dedicated page in the openshiftio app with a proper explanation of what is wrong and what the user can do about it, and redirect to that page instead.
Currently we ask users to link their GitHub accounts right after the first login. And we ask for full access to the user's GitHub account.
We should ask users to link GitHub when we actually need it (for example if only planner is used then we don't need GitHub account).
We also could ask for particular permissions/scopes instead of asking for full access. For example, we could ask for read access only until we really need to write something; then we ask for write access, etc.
So, our token management/storage API should support permission/scope elevation. Technically we could implement it via multiple GitHub links (one link per scope).
Details fabric8-ui/fabric8-ui#193 (comment)
Moved from fabric8-services/fabric8-wit#874
It doesn't make sense to keep PATCH under /users/:userID instead of /user
Moved from fabric8-services/fabric8-wit#881
Related to #32
Instead we could log the user out of RHD and sso.openshift.io every time a user tries to log in to OSIO.
The easiest way to do it is probably to redirect the user to https://api.openshift.io/api/logout?redirect=https%3A%2F%2Fapi.openshift.io%2Fapi%2Flogin%2Fauthorize%3Fredirect%3Dhttps%253A%252F%252Fopenshift.io instead of https://api.openshift.io/api/login/authorize
This is a follow-up on #11, which was a temporary workaround to fix our CI.
@sbose78 please work with @hectorj2f to fix our docker-test-integration.
So, we will probably need to revert #11 and properly fix the test integration docker container (my attempt #12 didn't help).
/api/user (don't change)
/api/users (don't change)
/api/status (don't change)
/api/login/authorize -----> /api/login
/api/login/generate -----> /api/token/generate
/api/login/refresh -----> /api/token/refresh
/api/login/link -----> /api/link
/api/login/linksession -----> /api/link/session
/api/login/linkcallback -----> /api/link/callback
/api/logout (don't change)
/api/spaces/:spaceID/collaborators/:identityID (don't change)
/api/spaces/:spaceID (don't change)
/api/search/users (don't change)
If there is something wrong with GitHub and OSO tokens we should force re-obtaining these tokens or re-linking accounts.
Moved from fabric8-services/fabric8-wit#1351
This is a placeholder to follow all the requirements for the external tools (JBossTools...) auth integration.
As of yet the only issue is to get a well defined landing page: openshiftio/openshift.io#466
(Based on the Aug 31st discussion between @alexeykazakov and sbose)
Phase 1 - continue using WIT, but add support in AUTH: #26
Phase 2 - start using the Auth service: #26
Phase 3 - Migrate data
Phase 4 - Switch UI to AUTH
Phase 5 - Clean up WIT
Moved from fabric8-services/fabric8-wit#1316
Moved from fabric8-services/fabric8-wit#880
We should add an optional param to our login API to issue an offline token instead of a regular access token during login.
If the scope=offline_access param is added to the authentication request then the offline token will be issued instead of a regular refresh token.
We should have these settings in User's Profile page so the user can re-link accounts
Login:
Delegate actual login to Auth when WIT login is called. WIT will need to keep creating users/identities in the WIT DB when login is called.
User profile updates:
Call the corresponding Auth API to update users/identities when the user/identity is updated in WIT. If the user doesn't exist in Auth then Auth should just ignore such a request (it may happen if it's an old user created before migration).
WIT should pass a special parameter with all Auth requests to let Auth know that these requests are coming from WIT (we will need it later when we switch the UI to Auth and start notifying WIT about new/updated users, to avoid an endless loop).
Part of #79
This feature is intended to add required functions to the ResourceRepository DAO to allow advanced querying of resources, for example listing resources which are "child" resources of a specified parent.
Build/Test and Deploy fabric8-auth to preview and prod
Need to support private/public emails. Private emails are not visible to other users.
Moved from fabric8-services/fabric8-wit#1288
Currently our tests cover only the first part of the flow, when we call /api/login/authorize to create a state and redirect to KC. We need to cover the second part, when after successful authentication KC redirects back to /api/login/authorize, passing the state from the first call.
Moved from fabric8-services/fabric8-wit#1277
Auth service should be used to list/add/remove space collaborators instead of WIT.
Copy all the existing users/identities from WIT to Auth (so, all the users are in sync in both WIT and Auth)
Part of #79
It's a follow-up on fabric8-services/keycloak-deployment#45