ergochat / ergo

A modern IRC server (daemon/ircd) written in Go.
https://ergo.chat/
MIT License

support OAUTHBEARER #2004

Closed slingamn closed 7 months ago

slingamn commented 2 years ago

https://emersion.fr/blog/2022/irc-and-oauth2/

In terms of ergo, all we need to do is:

  1. Add a config option (to the auth-script block?) to enable advertising the OAUTHBEARER mechanism
  2. Modify authenticateHandler to process OAUTHBEARER by forwarding it to an auth-script
  3. Extend the auth-script protocol to take an additional oauthbearer field in the input (the output type is already sufficiently expressive)
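
The three steps above, as an added example that is not Ergo's code and not part of PR #2122: a Go parser for the OAUTHBEARER client response format (RFC 7628 section 3.1), the JSON such a request could be forwarded to an auth-script as, and the checks a server should apply to the script's reply. The `oauthbearer` member, the `token` key inside it and the account-matching policy in `AccountFromScriptOutput` are this example's assumptions; `accountName`, `ip`, `success` and `error` are the field names I assume the existing auth-script protocol uses. All sample messages are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// OAuthBearerResponse is the parsed form of an OAUTHBEARER initial client response.
type OAuthBearerResponse struct {
	AuthzID string            // "a=" field of the GS2 header; empty when absent
	Token   string            // bearer token from the mandatory "auth=Bearer <token>" pair
	Fields  map[string]string // remaining key=value pairs (host, port, ...)
}

var ErrMalformed = errors.New("malformed OAUTHBEARER client response")

// ParseOAuthBearer decodes "n,a=<authzid>,^A<key>=<value>^A...^Aauth=Bearer <token>^A^A"
// (^A is byte 0x01). Framing is checked strictly so that only a well-formed
// bearer credential is ever handed to the external authenticator.
func ParseOAuthBearer(msg string) (*OAuthBearerResponse, error) {
	const sep = "\x01"
	if !strings.HasPrefix(msg, "n,") { // "n" = no channel binding; the only GS2 flag OAUTHBEARER uses
		return nil, fmt.Errorf("%w: unsupported GS2 header", ErrMalformed)
	}
	rest := msg[2:]
	resp := &OAuthBearerResponse{Fields: map[string]string{}}
	if strings.HasPrefix(rest, "a=") {
		end := strings.IndexByte(rest, ',')
		if end < 0 {
			return nil, fmt.Errorf("%w: unterminated authzid", ErrMalformed)
		}
		resp.AuthzID = rest[2:end]
		rest = rest[end:]
	}
	// the header's closing comma is followed by a separator, and the message ends with two
	if len(rest) < 4 || !strings.HasPrefix(rest, ","+sep) || !strings.HasSuffix(rest, sep+sep) {
		return nil, fmt.Errorf("%w: bad key/value framing", ErrMalformed)
	}
	body := rest[2 : len(rest)-2]
	if body == "" {
		return nil, fmt.Errorf("%w: no auth field", ErrMalformed)
	}
	for _, pair := range strings.Split(body, sep) {
		key, value, ok := strings.Cut(pair, "=")
		if !ok || key == "" {
			return nil, fmt.Errorf("%w: bad pair %q", ErrMalformed, pair)
		}
		if key != "auth" {
			resp.Fields[key] = value
			continue
		}
		scheme, token, ok := strings.Cut(value, " ")
		if !ok || !strings.EqualFold(scheme, "Bearer") || token == "" {
			return nil, fmt.Errorf("%w: auth is not a bearer credential", ErrMalformed)
		}
		resp.Token = token
	}
	if resp.Token == "" {
		return nil, fmt.Errorf("%w: no auth field", ErrMalformed)
	}
	return resp, nil
}

// AuthScriptInput is the JSON line this example would write to the script's stdin.
// accountName and ip are assumed to match the existing protocol; oauthbearer is the
// hypothetical extension from step 3 of the plan.
type AuthScriptInput struct {
	AccountName string          `json:"accountName,omitempty"`
	IP          string          `json:"ip"`
	OAuthBearer *OAuthBearerArg `json:"oauthbearer,omitempty"`
}

type OAuthBearerArg struct {
	Token string `json:"token"`
}

// AuthScriptOutput is the assumed shape of the script's reply.
type AuthScriptOutput struct {
	Success     bool   `json:"success"`
	AccountName string `json:"accountName"`
	Error       string `json:"error"`
}

func BuildAuthScriptInput(resp *OAuthBearerResponse, ip string) ([]byte, error) {
	return json.Marshal(AuthScriptInput{
		AccountName: resp.AuthzID, IP: ip, OAuthBearer: &OAuthBearerArg{Token: resp.Token},
	})
}

// AccountFromScriptOutput applies this example's policy to the reply: a success must
// name an account, and when the client supplied an authzid the script must confirm it.
func AccountFromScriptOutput(out []byte, requested string) (string, error) {
	var r AuthScriptOutput
	if err := json.Unmarshal(out, &r); err != nil {
		return "", err
	}
	if !r.Success {
		if r.Error != "" {
			return "", errors.New(r.Error)
		}
		return "", errors.New("authentication failed")
	}
	if r.AccountName == "" {
		return "", errors.New("script reported success without an account name")
	}
	if requested != "" && !strings.EqualFold(requested, r.AccountName) {
		return "", errors.New("script account does not match requested authzid")
	}
	return r.AccountName, nil
}

func main() {
	// constructed sample: what a client such as gamja would send as its initial response
	msg := "n,a=alice@example.com,\x01host=irc.example.com\x01port=6697\x01auth=Bearer example-token\x01\x01"
	resp, err := ParseOAuthBearer(msg)
	if err != nil {
		panic(err)
	}
	in, _ := BuildAuthScriptInput(resp, "203.0.113.5")
	fmt.Println(string(in))
}
```

Everything after the header is treated as opaque and forwarded; the server itself never inspects or decodes the token, which is the point of the plan: validating the bearer token against the identity provider is the auth-script's job, and the server only has to be strict about framing and about reconciling the script's answer with what the client asked for.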
slingamn commented 2 years ago

See #336 and #502 for related prior discussions.

prologic commented 10 months ago

Is anyone working on this at all? 🤔

slingamn commented 10 months ago

I started a draft but didn't finish it. Is this something you're interested in? I could prioritize it for the next release.

prologic commented 10 months ago

@slingamn Yes! 👌 Please 🙏 I'm looking to potentially do the following:

This should enable me to stand up a mostly decent small team/startup chat/comms platform that is fully self-hosted without the issues I've been facing with Matrix (Synapse+Element).

slingamn commented 10 months ago

Nice, I'll plan to do this soon. You could help test :-)

prologic commented 10 months ago

Absolutely! 🙏🙇‍♂️

slingamn commented 8 months ago

@prologic sorry about the delay; I have a draft of this over at #2122. (See the changes to default.yaml for how to enable the feature.)

I successfully tested with Gamja and a local Authelia, but I had to patch out a couple checks in Authelia's libs relating to Gamja-Authelia interactions (i.e. unrelated to Ergo's OAUTHBEARER implementation itself):

  1. A CSRF check here: https://github.com/ory/fosite/blob/f4114878826c6d26b6751a1ea61f69ebbc25d4f2/authorize_request_handler.go#L401-L410
  2. Redirect URI validation here: https://github.com/ory/fosite/blob/f4114878826c6d26b6751a1ea61f69ebbc25d4f2/handler/oauth2/flow_authorize_code_token.go#L78-L85 (it expected https://example.com/gamja/ but received https://example.com/gamja/?scope=)

It's very likely that one or both of these issues is caused by my misconfiguration of Gamja and/or Authelia, but be advised that things may not work out of the box.

slingamn commented 8 months ago

(Ignore the jwt-auth config block or anything related to draft/bearer; those are for a related but distinct specification)

slingamn commented 7 months ago

@prologic any thoughts on when you might be able to test this? I was thinking of doing an early release that includes this change. (Sorry to pester you after I took so long implementing it ;-)

prologic commented 7 months ago

I haven't had an opportunity to try this out yet, been very busy with my day job. But it's on my list!

slingamn commented 7 months ago

Thanks! I'm pretty confident in the PR so I'm going to merge it now and you can test it from the master branch.