willkg
commented
7 years ago Grabbing this. I'll probably do it in a couple of passes.
Closed gdestuynder closed 7 years ago
willkg
commented
7 years ago Grabbing this. I'll probably do it in a couple of passes.
willkg
commented
7 years ago I'll do it with one pass. I fixed 1 and 2 already in a local branch. I'll work on item 3. I can lift that from Air Mozilla.
Also, this begs the question "should we throw this in a lib" and the answer is probably "yeah", so I'll think about that, too.
willkg
commented
7 years ago The new auth0 flow works on -stage.
I still need to implement item 3.
gdestuynder
commented
7 years ago It would be really cool in a lib. I would use it and put it on testrp.security.allizom.org as a demo for others. Note, theres some libs around though they don't do the session handling for example Ex: https://github.com/imanhodjaev/django-auth0
willkg
commented
7 years ago None of the auth0 libs I saw do the things you're asking us to do and I think some of the things we're looking for are going to be particular to Mozilla, so I don't think we can use someone else's library.
willkg
commented
7 years ago I hit some issues and wrote up a bugzilla bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1328705
I'm blocked on the outcome of that.
After that gets figured out, I have the following things to do:
id_token renewalgithub_handle field, profile form field and anything relatedAUTH0_PIPELINE configurablewillkg
commented
7 years ago The auth0 rewrite is fully functioning on -stage right now. I wrote the code in such a way that we could extract it as a standalone library in the future if there's a tangible need for such a thing. I also tried to write it such that it's easy to read and verify that the flows are correct.
The code is entirely in this directory:
https://github.com/mozilla/standup/tree/master/standup/auth0
I pinged @gdestuynder via email asking for a review. Depending on when he thinks he can do it, I might push this to -prod since it's blocking a ton of other things and peoples' ability to use the site.
willkg
commented
7 years ago Per @gdestuynder's email, I'm assigning this to him as a reminder for reviewing some time next week.
gdestuynder
commented
7 years ago Overall i think all key features are present/seems fine.
security:
nitpicks:
The endpoints don't seem to use discovery, though that's not required (it saves from having to hardcode path to some specific endpoints basically)
Client_ids are public, no problem :)
https://github.com/mozilla/standup/blob/master/standup/auth0/middleware.py#L119 I dont think this is mozilla specific - the id token is an OIDC requirement (http://openid.net/specs/openid-connect-core-1_0.html#IDToken). Basically without it, login must fail (which is fine in the code, just nit picking the comments)
All code that is required is standard OIDC except for the delegation endpoint which is auth0 specific (and the extra attributes in the id_token / user_profile, which are fine spec wise but not necessarily present with the same names or at all in other OIDC implementations) Most of the code has similar references, but basically, using straight up OIDC with Google or GitHub or other providers should normally work except for the delegation endpoint (ie the token renewal code).
Note: I do realize django demo of this on testrp.security.allizom.org would make this a lot easier. Maybe we (infosec) should take this code and port it there. Also, this is what is running on https://www.standu.ps right now correct? (it seems to be)
pmac
commented
7 years ago Also, this is what is running on https://www.standu.ps right now correct? (it seems to be)
Yes. We deployed it last week. Seems to be working well. We're considering extracting it to a usable library for at least all mozilla sites that need it (which will likely be many), but wanted buy-in from you before proceeding in that direction.
gdestuynder
commented
7 years ago definitely - a library would be great. maybe a good way to test that is for me to implement it on testrp.security.allizom.org. i also definitely would like both the security nitpicks addressed for that though ;-)
willkg
commented
7 years ago We dropped our auth0 implementation and switched to mozilla-django-oidc where I'll be putting future development efforts.
I think that library has most of the outstanding things from this issue except OP endpoint discovery which is covered in https://github.com/mozilla/mozilla-django-oidc/issues/71 .
If there are other outstanding things, we should create issues in that library, fix it there, and then update to the new version here.
Given that, I'm closing this out. Thank you!
Hi - I discussed this with :willkg on IRC prior to opening this issue.
Regarding the new Auth0 login for standup, I'm proposing to:
1) Use what we call our "hosted lock" which is hosted on auth0's properties on our behalf. The reason for this are: a) it makes the experience more consitent for users (any update there is reflected for all sites (as in relying parties/RPs) ) b) ensure password managers save the passwords for a single domain instead of every RP's domains, though this is specific to if you enable LDAP in the future
2) Not use Auth0 branding on the login button (currently it says "Login with Auth0") but instead something like "Login to standup". We have sample buttons as well if you want to re-use them.
3) Ensure you're able to refresh user sessions (i.e. if a user gets disabled because his account is compromised, that the account can no longer login to standu.ps within a certain amount of time).
Here's docs and examples for all this:
Notes: we plan to enhance our docs to make these more clear as well, when you request integration with the Mozilla SSO with OIDC and Auth0.