ohmyform / ohmyform

✏️ Free open source alternative to TypeForm, TellForm, or Google Forms ⛺
https://ohmyform.com/
GNU Affero General Public License v3.0

Third party Authentication needed #115

Open japrogramer opened 4 years ago

japrogramer commented 4 years ago

I would like to be able to call my own app for authentication.

Freshly created environment following these steps: https://ohmyform.com/docs/install/

▶ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
ohmyform_ohmyform   latest              0ec5eeb85833        18 minutes ago      247MB
mongo               latest              50e17a9fdd96        7 days ago          492MB
mongo-express       latest              1447bda0175a        7 days ago          130MB
node                12-alpine           1f52b7199ba6        7 days ago          89.3MB
redis               latest              84c5f6e03bf0        13 days ago         104MB
mailhog/mailhog     latest              4de68494cd0d        6 weeks ago         392MB

▶ docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                              NAMES
ef3e9135ed33        ohmyform_ohmyform   "docker-entrypoint.s…"   12 minutes ago      Up 12 minutes       3000/tcp, 0.0.0.0:5000->5000/tcp   ohmyform_ohmyform_1
687f7ac94df0        mongo-express       "tini -- /docker-ent…"   12 minutes ago      Up 12 minutes       0.0.0.0:5051->8081/tcp             ohmyform_mongoexpress_1
c49c28b9dcd3        mongo               "docker-entrypoint.s…"   12 minutes ago      Up 12 minutes       27017/tcp                          ohmyform_mongo_1
0e72aec8227f        mailhog/mailhog     "MailHog"                12 minutes ago      Up 12 minutes       1025/tcp, 0.0.0.0:5050->8025/tcp   ohmyform_mail_1
bef4aa102aa4        redis               "docker-entrypoint.s…"   12 minutes ago      Up 12 minutes       6379/tcp                           ohmyform_redis_1

I want it to be possible to create users with the admin role through an API call to my app.

wodka commented 4 years ago

Sounds interesting, would welcome a PR to see something like this.

andrew-the-drawer commented 4 years ago

Hi, I would love to resolve this issue in Hacktoberfest. I would really appreciate it if someone in charge of this project could elaborate on the workflow/requirements of this issue. Thanks a lot!!

P/S: If it's possible, I hope to be assigned to this issue.

cc: @wodka

wodka commented 4 years ago

Hi @lantrungseo :) that would be awesome!

Right now I see 3 ways to add the authentication part:

Option 1) OAuth2
Option 2) SAML
Option 3) Webhook

For us right now the easiest way would be to go with option 3). So within the AuthService (https://github.com/ohmyform/api/blob/master/src/service/auth/auth.service.ts) we would call a webhook AUTH_WEBHOOK and, based on the result, create / authenticate the user.

The result for this should contain at least the following:

{
  "roles": ["user", "admin", "superuser"], // https://github.com/ohmyform/api/blob/master/doc/roles.md
  "username": "something"
}

Further: the moment AUTH_WEBHOOK is defined, the register and reset password calls should be disabled!


and the second part would be to create a new mutation endpoint to create users with a role similar to the registration (role limited to the auth of the current user)
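Added example (not ohmyform's code) of the two rules sketched above: treating the AUTH_WEBHOOK answer as untrusted input that must match the expected shape before a user is created or updated, and refusing the register / reset-password mutations as soon as AUTH_WEBHOOK is configured. The role set, function names and the in-memory store are assumptions made for the example.

```typescript
// Roles taken from the example payload above (assumed here to be the complete set).
const KNOWN_ROLES = ['user', 'admin', 'superuser'] as const
type Role = (typeof KNOWN_ROLES)[number]

interface WebhookIdentity {
  username: string
  roles: Role[]
}

// Parse and validate the webhook body. The webhook is a remote service, so its
// answer is untrusted input: reject anything that is not exactly the expected
// shape instead of letting an unknown role or an odd username into the user record.
function parseWebhookResult(rawBody: string): WebhookIdentity | null {
  let body: unknown
  try {
    body = JSON.parse(rawBody)
  } catch {
    return null
  }
  if (typeof body !== 'object' || body === null) return null
  const { username, roles } = body as { username?: unknown; roles?: unknown }
  if (typeof username !== 'string' || !/^[a-zA-Z0-9._-]{1,64}$/.test(username)) return null
  if (!Array.isArray(roles) || roles.length === 0) return null
  const known = new Set<string>(KNOWN_ROLES)
  if (!roles.every((r) => typeof r === 'string' && known.has(r))) return null
  // De-duplicate so a role listed twice does not become two grants.
  return { username, roles: Array.from(new Set(roles as Role[])) }
}

// Create the user on first sight, otherwise refresh its roles from the webhook.
// Returns true when a new account was created (assumed in-memory store).
function upsertUser(store: Map<string, WebhookIdentity>, identity: WebhookIdentity): boolean {
  const created = !store.has(identity.username)
  store.set(identity.username, identity)
  return created
}

// With AUTH_WEBHOOK defined, local registration and password resets must be
// refused; the webhook is then the only source of truth for accounts.
function isMutationAllowed(mutation: string, env: { AUTH_WEBHOOK?: string }): boolean {
  const localAccountMutations = new Set(['register', 'resetPassword'])
  if (env.AUTH_WEBHOOK && localAccountMutations.has(mutation)) return false
  return true
}
```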

japrogramer commented 4 years ago

I think that OAuth2 would be the best option long term because it also handles authentication through an existing app.

wodka commented 4 years ago

Yes, but at the same time OAuth is a bit different for every implementation.

Mte90 commented 3 years ago

Any updates for SAML2?

zoredache commented 3 years ago

Since this is primarily used with Docker, I wonder if it would be easier to have ohmyform support trusting some HTTP header like X-Forwarded-User for providing the authentication.

It would allow someone to use Traefik along with one of the authentication middlewares like forwardauth. There are several authentication implementations that allow OAuth, SAML and so on that are compatible with the Traefik forwardauth.

I am able to use Traefik + traefik-forward-auth as my source of authentication for many other things.

almereyda commented 2 years ago

I like the simplicity of https://doc.traefik.io/traefik/v2.4/middlewares/forwardauth/ and was about to propose https://github.com/oauth2-proxy/oauth2-proxy/, too. It similarly supports passing authentication headers (in multiple ways).

If not about OAuth2, more precisely we could be talking about implementing OIDC instead.

SAML2 looks interesting for SSO environments, where you want to be able to centrally log out users.

wodka commented 2 years ago

I also like the idea with X-Forwarded-User - curious about how to best do this, as it would mean that we need to disable all in-app authentication and fully rely on the header to indicate the information. Or always then report the authenticated flag for the GraphQL endpoint.

The tricky thing I'm thinking of right now is that the "public" endpoint should then have a different router in Traefik so the header is not added.

TimNilimaa commented 2 years ago

Supporting X-Forwarded-User seems like an easy step to 'indirectly' support basically any authentication mechanism. At least easier than native OAuth2+OpenID Connect and SAML2 support.

From my understanding of the usage of nginx with oauth2-proxy, it shouldn't be any issue to route a dedicated path (public) to skip the auth proxy. Could you elaborate a bit, @wodka, on where you saw an issue with this?

One thing that I think could be important is that this perhaps requires that user accounts are automatically created/updated when an authenticated request comes in.
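Added example (not ohmyform's code) of the X-Forwarded-User approach discussed above, including the two points the thread raises: the public form paths never resolve an identity, so a header that reaches them is ignored, and accounts are auto-provisioned on the first authenticated request. It also covers the caveat any such design needs, namely honouring the header only when the connection comes from the trusted reverse proxy, since otherwise any client can send the header itself. Config field names, the request shape and the in-memory user store are assumptions; the trusted-proxy check is a plain address comparison rather than CIDR matching.

```typescript
interface Principal { username: string; created: boolean }

interface HeaderAuthConfig {
  headerName: string       // e.g. 'x-forwarded-user' (Node lower-cases header names)
  trustedProxies: string[] // peer addresses allowed to assert identities (assumed exact match)
  publicPrefixes: string[] // paths served without login, e.g. form display/submission
}

interface IncomingReq {
  remoteAddress: string
  path: string
  headers: Record<string, string | undefined>
}

// Assumed in-memory account store; the real thing would be the users collection.
const users = new Map<string, { username: string }>()

// Returns the authenticated principal, or null for an anonymous request.
function authenticateFromHeader(req: IncomingReq, cfg: HeaderAuthConfig): Principal | null {
  // Public routes stay anonymous even if a proxy forwarded a header to them,
  // which removes the need for a separate router just to strip the header.
  if (cfg.publicPrefixes.some((p) => req.path.startsWith(p))) return null
  // A header that did not arrive via the trusted proxy is client-controlled:
  // drop it so nothing downstream can pick it up, and treat the caller as anonymous.
  if (!cfg.trustedProxies.includes(req.remoteAddress)) {
    delete req.headers[cfg.headerName]
    return null
  }
  const username = req.headers[cfg.headerName]?.trim()
  if (!username || !/^[a-zA-Z0-9._@-]{1,128}$/.test(username)) return null
  // Auto-provision on first sight, as suggested above; later requests reuse the record.
  const created = !users.has(username)
  if (created) users.set(username, { username })
  return { username, created }
}
```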