loco-rs / loco

🚂 🦀 The one-person framework for Rust for side-projects and startups
https://loco.rs
Apache License 2.0

Oauth Implementation #416

Closed yinho999 closed 4 months ago

yinho999 commented 9 months ago

Feature Request

Hope we can add Oauth to the starter kit as an option for authorization. Might need to move auth into a separate crate https://www.shuttle.rs/blog/2023/08/30/using-oauth-with-axum

arferreira commented 9 months ago

I really need this feature, that's because users have been complaining a bit during the signup process....

yinho999 commented 9 months ago

@kaplanelad I am thinking whether we should migrate the authentication process to a dedicated crate, such as Active Store for storage, to enhance the authorization/authentication management. Could you please share your thoughts on this issue?

jondot commented 9 months ago

The shuttle blog covers most bases for a generic oauth impl (need to add provider column). I believe the first person that implements such a mechanism will end up with:

  1. A controller that can handle multi provider callbacks (e.g. google/callback, facebook/callback etc.), registering new users with valid authentication, logging in, expiring provider sessions.
  2. [optional] A migration that adds an oauth token table (here called sessions) to user relation (not a must to actually wire it as a relation, this can be a standalone session table)
  3. A new table: oauth_provider_sessions, capturing: user id, provider token, provider type, metadata (expiration, etc)

All in all, this can be just 2 files: 1 controller, 1 migration, to copy to your project to have this functionality.

If anyone already has this "live" on their Loco project, we can take it and make it generalistic for the SaaS starter.

yinho999 commented 9 months ago

@jondot I would like to work on this sample project.

jondot commented 9 months ago

@yinho999 sure thing! i will assign you, thanks!

yinho999 commented 9 months ago

@jondot @arferreira I have successfully implemented a working example by following the Shuttle guide. All dependencies from Shuttle have been removed, and the code has been updated to Axum v0.7. I plan to start integrating Oauth2 into the SaaS starter tomorrow. https://github.com/yinho999/loco-playground/blob/oauth/src/bin/oauth.rs

kaplanelad commented 9 months ago

@yinho999 do you think we need to add this documentation in loco.rs website?

About your very nice, do you want to write a blog post on that?

yinho999 commented 9 months ago

@kaplanelad Yes, I agree with the idea of adding the OAuth2 documentation to the site to guide developers on how to use the functionality. I can also write a blog post about OAuth2 after the code, tests, and documentation are completed.

arferreira commented 9 months ago

> @yinho999 do you think we need to add this documentation in loco.rs website?
>
> About your very nice, do you want to write a blog post on that?

I think it is essential, after applying it here at the company I will create a blog post explaining its use.

kaplanelad commented 9 months ago

thanks @arferreira

yinho999 commented 9 months ago

@arferreira @kaplanelad @jondot Sorry for the late update. Over the last few days, I've been doing some research and found out that our shuttle implementation of the Authorized Code Granted might have a potential security issue, mainly because the CSRF token isn't being generated or verified.

I've gone ahead and made some revisions to address this issue in both my demo code and the code I'm currently working on. Could I ask for your feedback on the updates, especially regarding the code structure?

https://github.com/yinho999/loco-playground/blob/oauth/src/bin/oauth.rs
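The CSRF protection mentioned above is the OAuth2 `state` parameter of the Authorization Code Grant: the server mints an unguessable value, keeps it server-side (or in a signed/encrypted cookie), sends it in the authorization redirect, and on callback only exchanges the `code` if the returned `state` is known, unexpired and not yet used. The following is an added, std-only Rust example written for this thread; it is not code from the issue, the loco-playground demo or the loco-oauth2 crate. The provider URL, client id, redirect URI and auth code are constructed placeholders, and `generate_state` assumes a Unix host with `/dev/urandom`.

```rust
// Added example (not from the issue or loco-oauth2): minting, tracking and
// verifying the OAuth2 `state` parameter for the Authorization Code Grant.
use std::collections::HashMap;
use std::fs::File;
use std::io::Read;
use std::time::{SystemTime, UNIX_EPOCH};

/// How long a minted state stays valid; a redirect round-trip needs far less.
pub const STATE_TTL_SECS: u64 = 600;

#[derive(Debug, PartialEq)]
pub enum CallbackError {
    /// Never issued, forged by a third party, or already consumed (replay).
    UnknownState,
    /// Issued, but longer ago than STATE_TTL_SECS.
    ExpiredState,
}

/// Pending authorization requests keyed by `state` (state -> issued_at, unix seconds).
/// In a real app this map lives in a server-side session store or an encrypted
/// cookie bound to the browser, never only in a client-controlled query string.
#[derive(Default)]
pub struct OAuthStateStore {
    pending: HashMap<String, u64>,
}

impl OAuthStateStore {
    /// Remember `state` and build the provider redirect URL that carries it.
    /// (Provider host, client id and redirect URI are constructed placeholders.)
    pub fn begin_login(&mut self, state: &str, now: u64) -> String {
        self.pending.insert(state.to_string(), now);
        format!(
            "https://provider.example/oauth/authorize?response_type=code\
             &client_id=demo-client\
             &redirect_uri=https%3A%2F%2Fapp.example%2Foauth%2Fcallback\
             &scope=openid%20email&state={}",
            state
        )
    }

    /// Verify the callback. The state is removed on first use, so a captured
    /// callback URL cannot be replayed, and a state the server never issued
    /// (the CSRF case: an attacker-supplied code/state pair) is rejected.
    /// Only on success is the `code` returned for the token exchange.
    pub fn complete_login(&mut self, state: &str, code: &str, now: u64) -> Result<String, CallbackError> {
        let issued_at = self.pending.remove(state).ok_or(CallbackError::UnknownState)?;
        if now.saturating_sub(issued_at) > STATE_TTL_SECS {
            return Err(CallbackError::ExpiredState);
        }
        Ok(code.to_string())
    }
}

/// Hex-encode random bytes into a URL-safe `state` value.
pub fn encode_state(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{:02x}", b)).collect()
}

/// Mint a 256-bit state from the OS CSPRNG (assumes /dev/urandom exists).
pub fn generate_state() -> std::io::Result<String> {
    let mut buf = [0u8; 32];
    File::open("/dev/urandom")?.read_exact(&mut buf)?;
    Ok(encode_state(&buf))
}

fn now_secs() -> u64 {
    SystemTime::now().duration_since(UNIX_EPOCH).expect("clock before epoch").as_secs()
}

fn main() -> std::io::Result<()> {
    let mut store = OAuthStateStore::default();
    let state = generate_state()?;
    println!("redirect user to: {}", store.begin_login(&state, now_secs()));
    // Simulated provider callback carrying our state back with a constructed code.
    println!("first callback:  {:?}", store.complete_login(&state, "constructed-auth-code", now_secs()));
    // Replaying the same callback URL is rejected because the state was consumed.
    println!("replayed:        {:?}", store.complete_login(&state, "constructed-auth-code", now_secs()));
    Ok(())
}
```

The single-use removal is what matters for defence: comparing the callback's `state` against the stored one is necessary, but without consuming it a leaked callback URL stays valid until the TTL runs out.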

kflk commented 8 months ago

What about WEBAUTHN and passkeys? Google, Apple, Microsoft etc have recently added support. You might take some inspiration from rusty Kanidm identity management. https://github.com/kanidm/webauthn-rs

yinho999 commented 8 months ago

@kflk According to my knowledge, WebAuthn and passkeys are not related to the OAuth protocol. Would you mind creating a separate ticket for WebAuthn and passkeys so we can discuss them there, please?

yinho999 commented 8 months ago

@arferreira Quick update about this issue. I have completed the coding for the library and the demo, including tests for the Authorization Code Grant. The documentation will be finished within the next two days, after which I will create a pull request for the Authorization Code Grant feature.

yinho999 commented 8 months ago

@jondot @kaplanelad @arferreira Would you guys provide me some feedback for improvement please? Thanks!👍

arferreira commented 8 months ago

Hey @yinho999 can you help me to test it with loco?

yinho999 commented 8 months ago

> Hey @yinho999 can you help me to test it with loco?

What can I help with?

arferreira commented 7 months ago

> Hey @yinho999 can you help me to test it with loco?
>
> What can I help with?

Actually you helped lol

yinho999 commented 7 months ago

@jondot @kaplanelad https://docs.rs/axum-extra/latest/axum_extra/extract/cookie/struct.PrivateCookieJar.html

I am migrating the OAuth2 feature from the Loco library and converting it into an initializer. However, there is one problem that stops me from doing that. I am currently using the PrivateCookieJar to handle the user information between endpoints. The PrivateCookieJar requires the AppState to implement the FromRef trait for Key. However, since AppContext is located within the loco_rs crate, I cannot add the field to AppContext and implement the FromRef trait for AppContext (that would violate the orphan rule).

```rust
use axum::extract::FromRef;
use axum_extra::extract::cookie::Key;

#[derive(Clone)]
struct AppState { key: Key }

// this impl tells `SignedCookieJar` (and `PrivateCookieJar`) how to access the key from our state
impl FromRef<AppState> for Key {
    fn from_ref(state: &AppState) -> Self {
        state.key.clone()
    }
}
```

[Screenshot attached: Screenshot from 2024-03-13 19-59-57]

yinho999 commented 7 months ago

@jondot @kaplanelad I finished migrating and perfecting the code the previous week. Could you guys review the library and provide me with some feedback, please? https://crates.io/crates/loco-oauth2

dinosath commented 4 months ago

Is there any plan to merge or add some parts of the loco-oauth2 crate to the loco-extras?

yinho999 commented 4 months ago

> Is there any plan to merge or add some parts of the loco-oauth2 crate to the loco-extras?

Currently I don't have any plan to merge/add the loco-oauth2 crate to loco-extras.

kaplanelad commented 4 months ago

Thanks, @yinho999, for creating this crate! I'm sure it helps a lot of users with this issue.