nextstrain / nextstrain.org

The Nextstrain website
https://nextstrain.org
GNU Affero General Public License v3.0

authn: Generalize support to ~any OIDC/OAuth2 IdP, not just AWS Cognito #731

Closed tsibley closed 8 months ago

tsibley commented 9 months ago

OIDC is OpenID Connect 1.0, which is an identity/authentication protocol layered on top of OAuth 2.0's authorization protocol. AWS Cognito implements OIDC/OAuth2 but our authn code hardcoded some assumptions about Cognito specifically. Undo that and parameterize and generalize the code to work (in theory) with other OIDC identity providers (IdPs). In practice, some additional changes may be necessary for specific other IdPs, but as-is I can get this generalized authn code to work against a test Azure AD IdP.

Outside of authn, there are still some other bits of the codebase which require Cognito. Those will be addressed in subsequent work.

This work is motivated by CDC AMD's efforts to host a copy of nextstrain.org internally in order to avail themselves of Groups internally.

Related-to: https://github.com/nextstrain/private/issues/94


tsibley commented 9 months ago

@victorlin Tagged you for review specifically since you volunteered to be involved in this work.

tsibley commented 9 months ago

@victorlin Some notes on testing.

I've tested this against our testing env (e.g. using AWS Cognito) and also against an Azure AD I set up for the purpose (somewhat matching what CDC is using).

For Azure AD, I used a JSON file like so:

{
  "OIDC_IDP_URL": "https://login.microsoftonline.com/0ce9e8dc-e009-4cb4-8512-7989bd6906a8/v2.0",
  "OAUTH2_CLIENT_ID": "c3d6647f-dccc-4a85-a2bb-fb8fbc7524a9",
  "OAUTH2_CLIENT_SECRET": "SECRET FROM AZURE AD APP REGISTRATION",
  "OAUTH2_CLI_CLIENT_ID": "REQUIRED; NOT YET SORTED OUT; WILL BE PART OF FUTURE NEXTSTRAIN CLI CONFIGURATION TOO",
  "OIDC_USERNAME_CLAIM": "preferred_username",
  "OIDC_GROUPS_CLAIM": "roles",
  "OIDC_IAT_BACKDATED_BY": 300,
  "COGNITO_USER_POOL_ID": "REQUIRED; NOT YET SORTED OUT"
}

and then set CONFIG_FILE=path/to/that/file.json when running node server.js. The OAUTH2_CLIENT_SECRET needs to be replaced by the actual client secret.

@victorlin You can log in to the Azure portal as azure-admin@nextstrain.org (creds in 1Password). From there, you can generate another client secret to use (or I can share the one I generated) under "App registration", find the app/client, click the secrets link, add a new one. Once you have the nextstrain.org server running locally, you can try logging in with test-user@nextstraintesting.onmicrosoft.com (password in 1Password).

I can also walk you thru all of this.

I should verify our testing env still works with this PR, as there've been some changes since my last check.
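As an added example (not code from this PR or from nextstrain.org), here is a claim-check routine driven by a config object shaped like the JSON in the comment above, showing where each of the generalized OIDC settings enters the validation. It assumes the ID token's signature has already been verified against the IdP's JWKS, and it reads OIDC_IAT_BACKDATED_BY as "the IdP may stamp iat this many seconds before the real issue time" (an inference from the field name, not a statement about the project's code); all identifiers and claim values are constructed placeholders.

```javascript
// Added example, not code from nextstrain.org. Checks the claims of an OIDC
// ID token whose signature has ALREADY been verified against the IdP's JWKS,
// using a config object shaped like the JSON in the PR comment. What each
// field means is inferred from its name; OIDC_IAT_BACKDATED_BY is read as
// "the IdP may stamp iat this many seconds earlier than real issue time".
const CONFIG = {
  OIDC_IDP_URL: "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0",
  OAUTH2_CLIENT_ID: "CLIENT-ID-PLACEHOLDER",
  OAUTH2_CLI_CLIENT_ID: "CLI-CLIENT-ID-PLACEHOLDER",
  OIDC_USERNAME_CLAIM: "preferred_username",
  OIDC_GROUPS_CLAIM: "roles",
  OIDC_IAT_BACKDATED_BY: 300,
};

// Constructed claims, shaped like what an Azure AD-style IdP would produce.
const NOW = 1700000000; // fixed "current time" (seconds) so results are reproducible
const SAMPLE_CLAIMS = {
  iss: CONFIG.OIDC_IDP_URL,
  aud: CONFIG.OAUTH2_CLIENT_ID,
  iat: NOW - 300, // backdated by five minutes
  exp: NOW + 3300,
  preferred_username: "test-user@example.invalid",
  roles: ["example-editors"],
};

// Returns { username, groups }; throws on the first failed check.
function checkIdTokenClaims(claims, cfg, now = Math.floor(Date.now() / 1000), maxAge = 3600) {
  if (claims.iss !== cfg.OIDC_IDP_URL) throw new Error(`unexpected issuer: ${claims.iss}`);
  // aud may be a string or an array; the token must name one of OUR client ids
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  const ours = [cfg.OAUTH2_CLIENT_ID, cfg.OAUTH2_CLI_CLIENT_ID];
  if (!aud.some(a => ours.includes(a))) throw new Error("token not issued to one of our clients");
  if (!Number.isInteger(claims.exp) || claims.exp <= now) throw new Error("token expired");
  if (!Number.isInteger(claims.iat)) throw new Error("missing iat");
  if (claims.iat > now + 60) throw new Error("iat is in the future"); // small clock-skew allowance
  // Freshness: widen the window by the backdating so a legitimately fresh
  // token from a backdating IdP is not rejected as "issued too long ago".
  if (now - claims.iat > maxAge + cfg.OIDC_IAT_BACKDATED_BY) throw new Error("token issued too long ago");
  const username = claims[cfg.OIDC_USERNAME_CLAIM];
  if (typeof username !== "string" || username === "") throw new Error(`missing ${cfg.OIDC_USERNAME_CLAIM} claim`);
  // Groups claim is optional (user in no groups); when present it must be a list of strings
  const groups = claims[cfg.OIDC_GROUPS_CLAIM] ?? [];
  if (!Array.isArray(groups) || !groups.every(g => typeof g === "string")) throw new Error(`malformed ${cfg.OIDC_GROUPS_CLAIM} claim`);
  return { username, groups };
}

console.log(checkIdTokenClaims(SAMPLE_CLAIMS, CONFIG, NOW));
```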