add https + authentication

[Jean-Baptiste-Lasselle]

• https://dev.to/hahnmatthieu/2fa-with-nestjs-passeport-using-google-authenticator-1l32
• https://dev.to/backendless/2fa-login-plugin-featuring-totp-1hcd
• avec sms :
  • https://dev.to/hackmamba/how-to-build-a-one-time-passwordotp-verification-api-with-go-and-twilio-3363
  • en nestjs : https://dev.to/algodame/implementing-sms-enabled-two-factor-authentication-using-nestjs-twilio-and-prisma-52p
  • voir aussi comment faire ça avec vonage au lieu de twilio : https://medium.com/@irvilloshi/architecting-sms-based-2fa-for-enhanced-security-62e2e61e45e0

https://developer.vonage.com/en/verify/overview

• oidc keycloak:
  • https://dev.to/gabrielbiasi/automatic-sso-in-kubernetes-workloads-using-a-sidecar-container-3752
  • https://github.com/oauth2-proxy/oauth2-proxy
  • pour résoudre la faille existante https://github.com/oauth2-proxy/oauth2-proxy/security : refaire unbuild fromsource avec les redirect url en dur, pas de parsing / regex ? ah non les cve sont déjà patchées qd elles sont révélées,il faut utiliser les dernières releases
• soluce sécu : combiner 2FA

[Jean-Baptiste-Lasselle]

ok il me faut des specs pour l'authnetification :

Auth Specs

• I want OIDC auth, with keycloak or any other OIDC Identity provider that we can operate on our own servers
• I want 2FA with phone SMS OTP
• I want 2FA with Google Authenticator and Authy

HTTPS

• I want https setup with Envoy : https should be there even behind reverse proxy or api gateway
• I want TLS SSL Acme automation : we will deploy Pesto API to kubernetes first, even in development mode, using either kind or k3d, and there

[Jean-Baptiste-Lasselle]

ok, so the oauth token typically is stored in the server session, and or the client cookie, instead of the database, that's what was not clear long ago when i was trying to use passportjs :

Now, when the token expires, then the token is cleared from the cookies and/or server session.

the server is the proxy in our case https://oauth2-proxy.github.io/oauth2-proxy/behaviour

now i could use the cookie and no server session, for the authenticaton to remain stateless on server side, which would make the whole server side fully stateless, and therefore fully scalable.

https://forum.freecodecamp.org/t/handling-passportjs-authenticated-user-in-the-front-end/75913/10

there a tutorial to setup that kind of browser cookie auh without even any server session : https://alphonso-javier.medium.com/building-httponly-cookie-jwt-authentication-with-passport-js-27ec519b99c1 (important to not use any server session, to remain stateless, then we need to protect against various attacks, appaently, i need to find out more about this, im still not statisfied about what i read, all needs to be clarified fully. For exaple, if i receive an HTTP request, that contains a token, what requests can i run agaisnt keycloak to check the token is valid ?)

ok i finally foundexactly what o want, checking the JWT token signature using the Public Key of the identity server (the public key is in JWKS) , keycloak in my case, cf. https://stackoverflow.com/questions/71180228/how-to-verify-and-use-access-token-to-access-an-api-resource

So ok, what i would need to to know how to fetch the public key from Keycloak JWKS , and on every request i check the JWT s signature against the public key. Taht's for a rest API, now would i use the same for a web app authentication process ? Indeed yes if the web app consumes an API, , now this JWT signature checking can happen in envoy, or anysidecar, in front of my rest api or simply inrfont of any app like lakefs. I only need that on browser side / ckient side the token is storedin a cookie after sucessfully logging in to keycloak and getting the access token which is a JWT Token. really need to carfully check on that. Note envoy speccifically mentions a filter for CSRF protection also needs to be added.

Nope, I know, keycloak does store the access token in the cookie or whatever, we dont need o care about it, now on the envoy proxy, we need to check other things :

• that the access token signature is OK agaisnt public key in JWKS
• then to check that the expiration date is not in the past
• then to check authorization set by scopes
• alright we got it all

If the HTTP request is not doen from browser, but from api endpoint, to another, like server to server, then the api endpoint who sends the request, is responsible for storing its access token into a database, ad retrieve all , also there how do we use a refresh token , that, i don't know for sure yet. Definitel i will have to use wireshark to check all and every reuest, this authentication pattern i want to analze fully until i can explain absolutely every detail and make sure its all scallable stateless