"Loopback" OAuth2 server for existing Credentials support

[avaidyam]

To support in-place upgrades to OAuth2, we need a plugin for an off-the-shelf OAuth2 server like Keycloak to support reading/writing credentials to the existing LAMP MongoDB database as the server currently does when OAuth2 is disabled. (More info to come...)

This means there are 3 main authentication strategies for LAMP:

1. Legacy non-OAuth2 mode (aka Basic mode): everything functions the same as it currently does.
2. OAuth2 mode with loopback server: authentication will go through OAuth2 flow to the local Keycloak/other server which checks and modifies credentials in the LAMP database directly.
   • Existing Credential functions to modify Credential.password will no longer work.
   • Non-interactive tools (i.e. scripts/automations) may not be able to authenticate through OAuth2 directly and can instead use the PAT feature in #738.
3. OAuth2 cloud-provider mode: authentication will go through OAuth2 flow to a remote server (Google/Azure/etc) which manages credentials and user info entirely separately.
   • Existing Credential functions to modify Credential.password will no longer work.
   • Non-interactive tools (i.e. scripts/automations) may not be able to authenticate through OAuth2 directly and can instead use the PAT feature in #738.

[ertjlane]

Per @bvescovi-orangeloops Further research is needed to verify the viability of this feature. Are you able to provide a check in date when we should hear from you?

[bvescovi-orangeloops]

I would say first days of April, probably on my return I'll have feedback for the PAT piece. However I should be able to spend some more time researching that.

[bvescovi-orangeloops]

Development Plan

We've analyzed what Keycloack offers us to implement a custom user storage provider that connects with the current credentials service. We concluded that to develop this feature we’ll need a few things from a development perspective:

Extend LAMP-server to expose the endpoints below

• [ ] GET credential/?search="email"&first=1&max=10

This will return the page, defined by first and max params, from the list of credentials filtering the access_key by the search param.

• [ ] GET credential/:access_key/?secret="password"

This will return true if the credential exists and the password is correct or throw an error otherwise. We could encrypt with the same algorithm that the passwords are being stored to avoid sending the raw password in this request

• [ ] GET credential/count

This will return the number of credentials that are in the system.

Use the Keycloak-Custom project as a template to create a new LAMP-keycloak repository

• [ ] Add an extension to User Storage Provider to be able to query the LAMP-server to verify if the credential exists

We will be basing the extension in this example

Necessary definitions:

• [ ] Authentication method for the Keycloack Server We suggest taking advantage of the Access Token implementation and use an access token for this configuration to authorize calls to the backend

• [ ] User Required Attributes for Keycloak

  1. username -> access_key
  2. email -> access_key
  3. first name -> ???
  4. last name -> ???

• [ ] User Role or User Group could be used to show the Parent Type. Is this something we want to track? This should be handled in the server.

The configuration process for the keycloak service would be:

1. Log in as an admin to the server and generate an Access Token with Root privileges
2. Start the LAMP-keycloack container and log in to the Keycloack admin portal.
3. Add a new User Federation, using the lamp configuration with the next configurations
   • Server Base URL
   • Admin Access Token generated by the Server.

cc: @avaidyam @ertjlane

[avaidyam]

I’d like for us to write a small NodeJS/Express script/app instead of using Keycloak for now. We don’t necessarily want Keycloak to be used to manage multiple OAuth servers, this implementation should only be a “loopback” for OAuth to connect back to the built-in Credentials database for legacy support.

Let’s use node-oidc-provider, which offers a LOT of functionality out of the box for free. Here’s a tutorial. The sample code from the tutorial should be really easy to get started with. In ~50 LOC it’s a functional OAuth/OIDC server with a built-in (debugging use) signing key and login page. Adding Mongo to this to verify accounts against the Credential database should be easy too. It also has comprehensive API docs for writing adapters

Here are the steps I think it will take:

• [ ] Run node-oidc-provider demo app and verify it works.
• [ ] Integrate the Node mongodb driver and access/query the Credentials database. (We do not want to add credentials endpoints to LAMP-server directly when this makes a lot more sense for right now.)
• [ ] Write the node-oidc-provider adapter for our Credentials mongodb setup. Example of a custom adapter suitable for MongoDB here.
• [ ] Persist OIDC state in Redis.
• [ ] Basic “create first password”/“forgot password” implementation:
  • At the bottom of the login page, there should be a “forgot password” button that takes you to this form.
  • The Forgot Password form should have “email address”, “current password”, “new password” fields.
  • Brand new accounts as created from LAMP are associated to the OAuth provider by email address, and the password is NOT set by LAMP or the user creating the account.
  • In our case, this means the Credential has { access_key: “some@email.com”, password: “” } (Perhaps null instead of ”” works too.)
  • This means if the user enters a blank string/nothing into the “current password” field, they are able to set their password for the first time using the Forgot Password form.

[bvescovi-orangeloops]

Hi @avaidyam We’ve got some progress in the OAuth custom server. We were able to:

• Configure it to work with the mindlamp server
• Use it to log in with the credentials from the old database
• Reset the password (or set it for new credentials) There’s still some way to go as we’ll need to review the configuration, document the set up process and polish the user interface. To share this and discuss about it we’ll need a new repo. Could you create one?

[avaidyam]

Fantastic, thank you @bvescovi-orangeloops! @ertjlane Could you create a new repo LAMP-auth-server for this? Thanks!

[ertjlane]

done

[bvescovi-orangeloops]

I’ve pushed my changes with a minimal documentation to the repo Here's a couple of videos showcasing the functionality.

https://user-images.githubusercontent.com/12797520/231712237-49411aab-ad20-4db4-bbb8-2b67ed3ab13f.mov

https://user-images.githubusercontent.com/12797520/231712175-6cded057-f745-43a8-a3eb-71b00706ddcf.mov

[ertjlane]

@Bruno thanks for this! @carlan1 Could you see if this is replicable?

[bvescovi-orangeloops]

@avaidyam I encountered some issues when adding typescript and docker to the project but I was able to run it after some changes. here's the PR