Open EvilLord666 opened 1 year ago
The Authorization Code flow redirects the user agent to Keycloak. Once the user has successfully authenticated with Keycloak, an Authorization Code is created and the user agent is redirected back to the application. The application then uses the authorization code along with its credentials to obtain an Access Token, Refresh Token and ID Token from Keycloak.
The flow is targeted towards web applications, but is also recommended for native applications, including mobile applications, where it is possible to embed a user agent.
For more details refer to the Authorization Code Flow in the OpenID Connect specification.
This section describes how to perform authentication using the Authorization Code Flow. When using the Authorization Code Flow, all tokens are returned from the Token Endpoint.
The Authorization Code Flow returns an Authorization Code to the Client, which can then exchange it for an ID Token and an Access Token directly. This provides the benefit of not exposing any tokens to the User Agent and possibly other malicious applications with access to the User Agent. The Authorization Server can also authenticate the Client before exchanging the Authorization Code for an Access Token. The Authorization Code flow is suitable for Clients that can securely maintain a Client Secret between themselves and the Authorization Server.
The Authorization Code Flow goes through the following steps.
1. Client prepares an Authentication Request containing the desired request parameters.
2. Client sends the request to the Authorization Server.
3. Authorization Server Authenticates the End-User.
4. Authorization Server obtains End-User Consent/Authorization.
5. Authorization Server sends the End-User back to the Client with an Authorization Code.
6. Client requests a response using the Authorization Code at the Token Endpoint.
7. Client receives a response that contains an ID Token and Access Token in the response body.
8. Client validates the ID token and retrieves the End-User's Subject Identifier.
Pipeline in Keycloak
http://localhost:8080/realms/master/protocol/openid-connect/auth?response_type=code&client_id=test&state=state_value&scope=offline_access&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Ftest-callback
response: HTML with a POST form (login or email, and password). Contains:

```js
checkCookiesAndSetTimer(
  "/realms/master/login-actions/restart?client_id=test&tab_id=__1o7N2Hxno&client_data=eyJydSI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC90ZXN0LWNhbGxiYWNrIiwicnQiOiJjb2RlIiwic3QiOiJzdGF0ZV92YWx1ZSJ9&skip_logout=true"
);
```
[authorization code mechanism](https://www.keycloak.org/docs/latest/securing_apps/#_oidc)
This task is not about the full authorization code flow, because that depends on a User Agent, and here we develop the backend only; however, this part is up to the Ferrum backend:
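The authorization-server side of steps 5 to 7 above (issue a code bound to client and redirect URI, then redeem it exactly once after authenticating the client), as an added example that is not part of this issue or of Ferrum's code base. It is a constructed in-memory Go sketch: the `AuthServer` type, the client secret and the `codeRecord` layout are assumptions, while the request parameters are the ones from the Keycloak URL quoted above.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"net/url"
	"time"
)

// codeRecord is what a code stays bound to between the /auth and /token endpoints.
type codeRecord struct {
	clientID, redirectURI, subject string
	expires                        time.Time
}
// AuthServer is an in-memory stand-in for the backend (constructed, not Ferrum's model).
type AuthServer struct {
	Clients map[string]struct{ Secret, RedirectURI string } // exact redirect URI, no prefixes
	Codes   map[string]codeRecord                          // issued but not yet redeemed
}
// Authorize is step 5: the user already authenticated as subject, so issue a short-lived
// single-use code bound to this client and redirect URI, and build the redirect back.
func (s *AuthServer) Authorize(q url.Values, subject string) (string, error) {
	c, ok := s.Clients[q.Get("client_id")]
	ru := q.Get("redirect_uri")
	// any failure here is answered with an error page: never redirect to an unregistered URI
	if !ok || q.Get("response_type") != "code" || ru != c.RedirectURI {
		return "", errors.New("invalid_request")
	}
	b := make([]byte, 32) // 256 random bits: a code must be unguessable
	rand.Read(b)          // crypto/rand; cannot fail on Go 1.24+
	code := base64.RawURLEncoding.EncodeToString(b)
	s.Codes[code] = codeRecord{q.Get("client_id"), ru, subject, time.Now().Add(60 * time.Second)}
	// state is echoed unchanged so the client can match the response to its own request
	return ru + "?" + url.Values{"code": {code}, "state": {q.Get("state")}}.Encode(), nil
}

// Token is steps 6-7: authenticate the client, redeem the code once, return the subject to mint tokens for.
func (s *AuthServer) Token(clientID, secret, code, redirectURI string) (string, error) {
	c, ok := s.Clients[clientID]
	if !ok || subtle.ConstantTimeCompare([]byte(c.Secret), []byte(secret)) != 1 {
		return "", errors.New("invalid_client")
	}
	r, ok := s.Codes[code]
	delete(s.Codes, code) // consumed on first presentation, valid or not: replays always fail
	if !ok || r.clientID != clientID || r.redirectURI != redirectURI || time.Now().After(r.expires) {
		return "", errors.New("invalid_grant")
	}
	return r.subject, nil
}
```

Token signing and a persistent, locked code store are left out; the point is the binding of the code to client, redirect URI and lifetime, and its single use.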