mate-h / sorosbot.com


Finish SSO (Single Sign on) #1

Closed mate-h closed 3 years ago

mate-h commented 3 years ago

Signin flow

- move firebase login API from svelte kit to fastify
- set cookie cross subdomain for all containers
- Environment specific signin flow

Include ssh username in custom claims firebase user

mate-h commented 3 years ago

Single sign on (SSO) pros

SSO cons

mate-h commented 3 years ago

[Screenshot 2021-05-20 at 00 54 42]

mate-h commented 3 years ago

I made some progress yesterday and it seems that the domain localhost will not allow for cookies on code.localhost or any subdomain. So I decided to use the sorosbot.local domain for local development to mitigate this issue.

mate-h commented 3 years ago

How it works

Globally the application will redirect to https://$HOST/signin?next=... where $HOST is either sorosbot.com or localhost.dev, depending on the environment. When the user completes the sign-in challenge, the application will forward to the URL specified in the next GET parameter; see the chart above.

Signin page

All static files that the sign in page has to access need to be explicitly whitelisted for the nginx configuration at
sorosbot.com/nginx/vhost.d/localhost.dev and
sorosbot.com/nginx/vhost.d/sorosbot.com

New subdomain for service on localhost.dev

Note: not applicable to sorosbot.com production environment

Assuming that newservice is added on subdomain.localhost.dev. Append the new service configuration to docker-compose.yml. If the service is served over https internally, the certificate path config for the service needs to be added in docker/config.dev.yml and docker/config.prod.yml. The following snippet will extend from these files:

extends:
  file: ./docker/config.${CERT_TARGET}.yml
  service: newservice

where $CERT_TARGET is either prod or dev.

localhost.dev certificate DNS entries need to be updated with DNS.5 = subdomain.$NAME at sorosbot.com/nginx/bin/cert.sh:42

Regenerate the certificate with

/bin/bash -c ./nginx/bin/cert.sh
docker exec nginx-proxy nginx -s reload

The new subdomain needs to be added to nginx/etc/hosts and /etc/hosts of the local system.

# append (>>) so existing entries are kept; sudo must apply to the write itself,
# a plain `sudo echo ... > /etc/hosts` redirects in the unprivileged shell
echo "127.0.0.1       subdomain.localhost.dev" >> ./nginx/etc/hosts
echo "127.0.0.1       subdomain.localhost.dev" | sudo tee -a /etc/hosts

mate-h commented 3 years ago

Still TODO: remove sign in challenge from freqtrade UI and portainer, leave user management as is

mate-h commented 3 years ago

Latest sign in attempt error on sorosbot.com

request to https://api/session failed, reason: 
Hostname/IP does not match certificate's altnames: 
Host: sorosbot.com. is not cert's CN: letsencrypt-nginx-proxy-companion

Solution: https://github.com/nginx-proxy/acme-companion/blob/main/docs/Standalone-certificates.md

mate-h commented 3 years ago

Removed this snippet:

const fs = require("fs");
const https = require("https");

const ca = [];
// TODO: depending on environment
try {
    ca.push(fs.readFileSync("/etc/nginx/certs/default.crt"));
    ca.push(fs.readFileSync("/etc/nginx/certs/root.pem"));
}
catch {
    // files not present in this environment; ignore
}
try {
    ca.push(fs.readFileSync("/etc/nginx/certs/sorosbot.com.chain.pem"));
    ca.push(fs.readFileSync("/etc/nginx/certs/sorosbot.com.crt"));
}
catch {
    // files not present in this environment; ignore
}
// every outgoing https request in the process trusts these CAs
https.globalAgent.options.ca = ca;

Added this despite recommendations not to; it's internal DNS, so it should be fine either way.

https.globalAgent.options.rejectUnauthorized = false;
mate-h commented 3 years ago

When redoing the HTTP Let's Encrypt SSL challenge, remove the proxy from Cloudflare DNS; otherwise the challenge fails. Next renewal time is: Thu Jul 22 10:14:40 UTC 2021