[ ] implement refresh tokens and secure the shit out of them (phone: secure storage; browser: HttpOnly cookie)
[ ] shorten jwt validity to minutes
[ ] implement /api/auth/logout-all (regenerate the shared secret or something similar so that every existing token becomes invalid)
[ ] implement refresh token blacklist, clean it on logout-all event
[ ] check jwt algs, alg none prevention must be hardcoded
[ ] check that we prevent an RSA public key from being used as the HMAC shared secret (don't allow algorithms to use the wrong keys / with each key store which algo it's for and what kind of key it is)
[ ] microservices running on different instances will need to know the public keys used for signing tokens. public keys need to be cycled. to ensure the right pubkey is used for jwt verification, add a kid claim to jwt and a /api/auth/jwt/keys endpoint where microservices can fetch keys periodically.
[ ] add /api/auth/jwt/exchange to exchange e.g. a browser JWT for a device JWT.
[ ] decouple auth completely from glued so that we dont have to proxy requests via php
[ ] break foreign key constraints on users
[ ] without FKs we can't cascade delete, so either every microservice needs a delete API accepting a user id (for GDPR maybe anonymize and hide instead) or we need a webhook (publish/subscribe thing).
[ ] /api/auth/jwt/revoke for when the user presses the logout button (store in the DB what to kill? put it into the tokens? - maybe just have a webhook that tells everybody to ignore all JWTs issued between time_when_user_logged_out() - 3600 and time_when_user_logged_out(); each service then keeps a local cache of tokens to ignore) ... maybe allow revoking one refresh token or all tokens for a user id.
[ ] remember all issued refresh tokens and devices they were issued for (so this is mostly like a session)
[ ] store all logins for all time
[ ] handle semi-logged-in users (e.g. password change required, email not verified, 2FA pending, ...; leave them without a JWT or with a JWT without roles).
[ ] decide where the fuck we stick in the sso and social logins shit and what shit it shall be :) @zelitomas
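For the JWT items above (hardcoded alg allow-list with no `none`, each key pinned to one algorithm and key type so an RSA public key can never be fed to HMAC, kid lookup against the registry that /api/auth/jwt/keys would serve, and the "ignore JWTs issued before the user logged out" idea from the revoke item), here is an added Python example; it is not code from these notes or from the project. It uses only the standard library, so it verifies HS256 and keeps an RS256 entry in the registry purely to show the key-confusion check failing closed. The kids, key material, the `KEYS`/`REVOKED_BEFORE` names and the cutoff rule (reject anything issued at or before the logout-all time, a simpler variant of the one-hour window mentioned above) are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# The allow-list is hardcoded, not read from config: "none" can never sneak in.
ALLOWED_ALGS = frozenset({"HS256", "RS256"})

# Key registry keyed by kid (the same data /api/auth/jwt/keys would serve to
# the microservices). Each key pins its algorithm and key type, so a token
# header can never choose a different algorithm for a given key.
# All key material here is constructed for the example, not real.
KEYS = {
    "hs-2024-01": {"kty": "oct", "alg": "HS256", "key": b"constructed-shared-secret-for-demo"},
    "rs-2024-01": {"kty": "RSA", "alg": "RS256",
                   "key": b"-----BEGIN PUBLIC KEY-----CONSTRUCTED-PLACEHOLDER-----END PUBLIC KEY-----"},
}

# Per-user logout-all cutoff (unix time): tokens issued at or before it are ignored.
REVOKED_BEFORE: dict = {}


class TokenRejected(Exception):
    pass


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def verify_hs256(key: bytes, signing_input: bytes, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


# Only the verifiers actually implemented (stdlib has no RSA). A registry
# algorithm without a verifier fails closed instead of falling back to HMAC.
VERIFIERS = {"HS256": verify_hs256}


def make_token(header: dict, payload: dict, hmac_key: Optional[bytes] = None) -> str:
    """Build a compact JWT; with hmac_key=None the signature part is empty (alg none style).
    Used here to construct test tokens, including deliberately bad ones."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = b"" if hmac_key is None else hmac.new(hmac_key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def decode_jwt(token: str, now: float) -> dict:
    """Verify and return the payload, or raise TokenRejected with the reason."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        signature = b64url_decode(s_b64)
    except ValueError:  # wrong part count, bad base64, bad JSON
        raise TokenRejected("malformed token")
    if not isinstance(header, dict):
        raise TokenRejected("malformed header")

    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:  # rejects "none", "None", missing and unknown algs
        raise TokenRejected(f"alg not allowed: {alg!r}")

    entry = KEYS.get(header.get("kid"))
    if entry is None:
        raise TokenRejected("unknown kid")
    if entry["alg"] != alg:  # the header must agree with the key's pinned algorithm
        raise TokenRejected(f"alg {alg} does not match key {header['kid']} ({entry['alg']}/{entry['kty']})")

    verifier = VERIFIERS.get(alg)
    if verifier is None:
        raise TokenRejected(f"no verifier available for {alg}")
    if not verifier(entry["key"], f"{h_b64}.{p_b64}".encode("ascii"), signature):
        raise TokenRejected("bad signature")

    payload = json.loads(b64url_decode(p_b64))
    if not isinstance(payload, dict) or "iat" not in payload or "exp" not in payload:
        raise TokenRejected("payload must carry iat and exp")
    if payload["exp"] <= now:
        raise TokenRejected("expired")
    if payload["iat"] <= REVOKED_BEFORE.get(payload.get("sub"), float("-inf")):
        raise TokenRejected("issued before logout-all cutoff")
    return payload


def logout_all(user_id: str, now: float) -> None:
    """Record the cutoff; every token of this user issued at or before now is ignored."""
    REVOKED_BEFORE[user_id] = now
```

The order of the checks is the point: the algorithm is decided by the kid's registry entry and the header merely has to agree with it, so a token that names an RSA kid but claims HS256 is thrown out before any HMAC over the public key is ever computed, and an algorithm nobody registered a verifier for is rejected rather than silently handled.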
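For the refresh-token items above (remember every issued refresh token and the device it was issued for, keep a login log for all time, a blacklist that logout-all clears, and revoking one refresh token or all of a user's tokens), here is an added Python example; it is not code from these notes or from the project. It goes a step beyond the list by rotating the refresh token on every use and treating reuse of an already-rotated token as a stolen-token signal that kills the whole token family. The in-memory store, the `RefreshTokenStore` API, the 30-day default TTL and the sample user/device ids are assumptions made for the example; in the real service the records would live in the DB.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class RefreshRecord:
    user_id: str
    device: str
    issued_at: float
    expires_at: float
    family: str          # every rotation of one login shares the family id
    used: bool = False   # set once the token has been exchanged for a successor


class RefreshTokenStore:
    """In-memory stand-in for the DB table that remembers every issued refresh token."""

    def __init__(self, ttl_seconds: float = 30 * 86400):
        self.ttl = ttl_seconds
        self._by_hash: dict = {}          # sha256(token) -> RefreshRecord
        self.login_log: list = []          # (user_id, device, time); never pruned
        self.logout_all_at: dict = {}      # user_id -> cutoff time

    @staticmethod
    def _h(token: str) -> str:
        # Only the hash is stored; a DB leak then does not hand out usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, device: str, now: Optional[float] = None,
              family: Optional[str] = None) -> str:
        """Issue a fresh token. Without a family this is a new login and gets logged."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        fam = family or secrets.token_hex(8)
        self._by_hash[self._h(token)] = RefreshRecord(user_id, device, now, now + self.ttl, fam)
        if family is None:
            self.login_log.append((user_id, device, now))
        return token

    def rotate(self, token: str, now: Optional[float] = None) -> str:
        """Exchange a refresh token for its successor. Reuse of a spent token revokes the family."""
        now = time.time() if now is None else now
        rec = self._by_hash.get(self._h(token))
        if rec is None or rec.expires_at <= now:
            raise PermissionError("unknown or expired refresh token")
        if rec.issued_at <= self.logout_all_at.get(rec.user_id, float("-inf")):
            raise PermissionError("token predates logout-all")
        if rec.used:
            # Someone presented a token that was already rotated: either the
            # legitimate client or a thief holds a stale copy. Kill them all.
            self._revoke_family(rec.family)
            raise PermissionError("refresh token reuse detected; family revoked")
        rec.used = True
        return self.issue(rec.user_id, rec.device, now, family=rec.family)

    def revoke(self, token: str) -> bool:
        """Logout on one device: drop that token's family. Returns whether anything was revoked."""
        rec = self._by_hash.get(self._h(token))
        if rec is None:
            return False
        self._revoke_family(rec.family)
        return True

    def _revoke_family(self, family: str) -> None:
        for h in [h for h, r in self._by_hash.items() if r.family == family]:
            del self._by_hash[h]

    def logout_all(self, user_id: str, now: Optional[float] = None) -> None:
        """Logout everywhere: record the cutoff and drop the user's refresh tokens outright,
        so the blacklist never grows with entries the cutoff already covers."""
        now = time.time() if now is None else now
        self.logout_all_at[user_id] = now
        for h in [h for h, r in self._by_hash.items() if r.user_id == user_id]:
            del self._by_hash[h]

    def sessions(self, user_id: str) -> list:
        """Live sessions: one unspent refresh token per device, with its issue time."""
        return sorted((r.device, r.issued_at) for r in self._by_hash.values()
                      if r.user_id == user_id and not r.used)
```

Because each rotation produces a successor in the same family, `sessions()` doubles as the "which devices am I logged in on" view, and `revoke()` on any token of a family logs that device out without touching the user's other devices.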