Closed avaidyam closed 1 year ago
Per @bvescovi-orangeloops Further research is needed to verify the viability of this feature. Are you able to provide a check in date when we should hear from you?
I would say the first days of April; probably on my return I'll have feedback for the PAT piece. However, I should be able to spend some more time researching that.
We've analyzed what Keycloak offers us to implement a custom user storage provider that connects with the current credentials service. We concluded that to develop this feature we'll need a few things from a development perspective:

- `GET credential/?search="email"&first=1&max=10`
  This will return the page, defined by the first and max params, from the list of credentials, filtering the access_key by the search param.
- `GET credential/:access_key/?secret="password"`
  This will return true if the credential exists and the password is correct, or throw an error otherwise. We could encrypt with the same algorithm that the passwords are being stored with, to avoid sending the raw password in this request.
- `GET credential/count`
  This will return the number of credentials that are in the system.

We will be basing the extension on this example.

- [ ] Authentication method for the Keycloak server: we suggest taking advantage of the Access Token implementation and using an access token for this configuration to authorize calls to the backend.
- [ ] User required attributes for Keycloak
cc: @avaidyam @ertjlane
I’d like for us to write a small NodeJS/Express script/app instead of using Keycloak for now. We don’t necessarily want Keycloak to be used to manage multiple OAuth servers, this implementation should only be a “loopback” for OAuth to connect back to the built-in Credentials database for legacy support.
Let's use node-oidc-provider, which offers a LOT of functionality out of the box for free. Here's a tutorial. The sample code from the tutorial should be really easy to get started with. In ~50 LOC it's a functional OAuth/OIDC server with a built-in (debugging use) signing key and login page. Adding Mongo to this to verify accounts against the Credential database should be easy too. It also has comprehensive API docs for writing adapters.
Here are the steps I think it will take:

1. node-oidc-provider demo app and verify it works.
2. mongodb driver and access/query the Credentials database. (We do not want to add credentials endpoints to LAMP-server directly when this makes a lot more sense for right now.)
3. node-oidc-provider adapter for our Credentials mongodb setup. Example of a custom adapter suitable for MongoDB here.
4. { access_key: "some@email.com", password: "" } (Perhaps null instead of "" works too.)

Hi @avaidyam We've got some progress in the OAuth custom server. We were able to:
Fantastic, thank you @bvescovi-orangeloops! @ertjlane Could you create a new repo LAMP-auth-server for this? Thanks!
done
I've pushed my changes with minimal documentation to the repo. Here's a couple of videos showcasing the functionality.
@Bruno thanks for this! @carlan1 Could you see if this is replicable?
@avaidyam I encountered some issues when adding TypeScript and Docker to the project, but I was able to run it after some changes. Here's the PR.
To support in-place upgrades to OAuth2, we need a plugin for an off-the-shelf OAuth2 server like Keycloak to support reading/writing credentials to the existing LAMP MongoDB database as the server currently does when OAuth2 is disabled. (More info to come...)
This means there are 3 main authentication strategies for LAMP:
Credential.password will no longer work.