Closed tyduptyler13 closed 3 years ago
It looks like the workflow for OpenID Connect isn't fully backed for the "SP doesn't require state". It should take the user to /oauth2/authorize
@voidmain The docs i've been reading suggest that you can skip authorize and just send the user to the SP callback with an authorization token (as if they already did the SP login and called authorize). I can document that.
Not if they aren't logged into the OAuth endpoint of the IdP. That would be a HUGE security risk. If you want to cover every case for IdP initiated login, then technically you need 6 diagrams:
I agree that it is a huge risk. The two things I've grasped from reading about this is that its always insecure (because there is little to nothing protecting you from man in the middle), with the exception of my first OpenID option (state required) (because that is just OpenID Connect with a little bootstrapping), and that Auth0, Oracle, KeyCloak, and Duo seem to do it anyways.
As for the session, I believe I made an assumption that the only way to reach the launchpad is if the user is already logged in to FusionAuth. As for the SP session, it would have to be created as the user triggered the SP callback.
A good route forward would probably be to "support idp initated login", but actually just route everyone to the SP login page with the right parameters to trigger a FusionAuth login (regardless of Oauth or SAML). It would still look like idp initated login but be more secure. We could even make a blog post on why we did it that way and why its a bad idea to skip steps in a login workflow.
This will be shipping shortly, however it is only for IdP initiated login support through SAML v2. The launchpad capability within FusionAuth will be a separate feature. We will ship IdP initiated login under this issue, and then possibly open a new issue for the full launchpad idea within FusionAuth.
In an upcoming feature for additional MFA support, there will be an end user account management page and a landing page. Some of the launchpad ideas could be implemented on these pages by an end user.
@robotdan Is there a separate issue I can follow for the "Launchpad" feature?
I'm looking for a kind of "Application directory" for (authenticated) FusionAuth end users where they can see all of the apps available to them, and click a link to launch directly into the app (IdP initiated workflow; starting from FusionAuth).
Some of this is possible today - depending upon your needs. There is a set of self-service pages you can expose to your user, and a root landing page that can be themed. You may be able to build links or launch points into other applications here by building an OAuth Authorize URL on these pages.
But we don't have an official GH issue open to track the feature for a more built-in configurable launch pad. Please do open one if you are interested in this feature.
@robotdan nice! That may actually fit my needs perfectly, since it seems that there are some security concerns around IdP initiated logins, and launching right into the SP's login page (possibly with a query string instructing the SP to being the SP-initiated login with the FusionAuth IdP) is the preferred mechanism anyway.
IdP Initiated SSO / Launchpad
Problem
It is hard for a user to easily navigate to all of the supported websites and easily be authenticated.
Solution
The barrier could be reduced by using an IdP initiated login via a launchpad. This gives users two things:
Alternatives/workarounds
Keep bookmarks in the browser and manually find the login button for any of these features.
Additional context
Considerations
In researching this workflow, most other providers use SAML as it has a specifically designed mechanism for it.
OpenID Connect Implementation
SAML - Both 1.1 and 2.0 support this
OWASP Security
Related
How to vote
Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.