Add support to login using identity from an identity-aware proxy #715
|
@ -654,8 +654,7 @@ Default: `<empty>`
|
|||
|
||||
Identity-Aware Proxy configuration will allow users to authenticate through an identity-aware proxy in front of Vikunja.<br/>
|
||||
The proxy needs to supply a signed JWT over HTTP headers with claims for `sub`, `iss`, and `email`.
|
||||
This JWT must be signed using ECDSA or RSA.
|
||||
It must also serve the public keys for that signed JWT in the JWKS format.
|
||||
Take a look at the [default config file](https://kolaente.dev/vikunja/api/src/branch/master/config.yml.sample) for more information about how to configure this authentication.
|
||||
|
||||
Default: `<empty>`
|
||||
Default: `<empty>`
|
||||
|
||||
|
|
|
@ -106,11 +106,11 @@ func NewUserAuthTokenResponse(u *user.User, c echo.Context) error {
|
|||
func NewUserJWTAuthtoken(u *user.User) (token string, err error) {
|
||||
// Set claims
|
||||
claims := &AuthClaims{
|
||||
Type: AuthTypeUser,
|
||||
UserID: u.ID,
|
||||
UserUsername: u.Username,
|
||||
UserEmail: u.Email,
|
||||
UserName: u.Name,
|
||||
Type: AuthTypeUser,
|
||||
UserID: u.ID,
|
||||
UserUsername: u.Username,
|
||||
UserEmail: u.Email,
|
||||
UserName: u.Name,
|
||||
UserEmailRemindersEnabled: u.EmailRemindersEnabled,
|
||||
StandardClaims: jwt.StandardClaims{
|
||||
ExpiresAt: time.Now().Add(time.Hour * 72).Unix(),
|
||||
|
@ -249,7 +249,7 @@ func GetJWTConfig() middleware.JWTConfig {
|
|||
// GetOrCreateUserFromExternalAuth returns a user after finding or creating a matching user for the provided details
|
||||
func GetOrCreateUserFromExternalAuth(s *xorm.Session, issuer, subject, email, name, preferredUsername string) (u *user.User, err error) {
|
||||
if issuer == "" || subject == "" || email == "" {
|
||||
return nil, echo.NewHTTPError(http.StatusBadRequest, models.Message{Message: "Missing required data."})
|
||||
return nil, echo.NewHTTPError(http.StatusBadRequest, models.Message{Message: "Missing required data."})
|
||||
}
|
||||
|
||||
// Check if the user exists for that issuer and subject
|
||||
|
|
|
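Review bot: `ExpiresAt: time.Now().Add(time.Hour * 72).Unix()` in NewUserJWTAuthtoken hard-codes a 72-hour token lifetime, and with the new `UserEmailRemindersEnabled` claim the token now carries one more mutable profile value that stays as-issued until the token is renewed; a shorter, operator-configurable lifetime bounds both how long stale claims and how long a leaked bearer token stay valid. Lift the duration out of the literal, for example `const userTokenLifetime = 72 * time.Hour` (a constructed name) at package level and `ExpiresAt: time.Now().Add(userTokenLifetime).Unix(),` here, or read it from the config package the file already uses. Note that the expiry line is context in this hunk rather than part of the change, and NewUserJWTAuthtoken's body continues outside the hunk.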
@ -70,7 +70,7 @@ func (err ErrIAPPublicKeysetMissing) HTTPError() web.HTTPError {
|
|||
}
|
||||
|
||||
// ErrIAPUserFrontendMismatch represents a "IAPUserDoesNotMatchFrontendUser" kind of error.
|
||||
type ErrIAPUserFrontendMismatch struct {}
|
||||
type ErrIAPUserFrontendMismatch struct{}
|
||||
|
||||
// IsErrIAPPublicKeysetMissing checks if an error is a ErrIAPUserFrontendMismatch.
|
||||
func IsErrIAPUserFrontendMismatch(err error) bool {
|
||||
|
@ -114,7 +114,7 @@ func (err ErrIAPUnsupportedJWTSigningMethod) HTTPError() web.HTTPError {
|
|||
}
|
||||
|
||||
// ErrIAPJWTMissingKID represents a "ErrIAPJWTMissingKID" kind of error.
|
||||
type ErrIAPJWTMissingKID struct {}
|
||||
type ErrIAPJWTMissingKID struct{}
|
||||
|
||||
// IsErrIAPUnsupportedJWTSigningMethod checks if an error is a ErrIAPJWTMissingKID.
|
||||
func IsErrIAPJWTMissingKID(err error) bool {
|
||||
|
|
|
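Review bot: The doc comments on both `Is…` helpers in this file name the wrong function: `// IsErrIAPPublicKeysetMissing checks if an error is a ErrIAPUserFrontendMismatch.` sits above `IsErrIAPUserFrontendMismatch`, and `// IsErrIAPUnsupportedJWTSigningMethod checks if an error is a ErrIAPJWTMissingKID.` sits above `IsErrIAPJWTMissingKID`, which reads as a copy-paste leftover and breaks the Go convention that a doc comment starts with the declared name. Change them to `// IsErrIAPUserFrontendMismatch checks if an error is a ErrIAPUserFrontendMismatch.` and `// IsErrIAPJWTMissingKID checks if an error is a ErrIAPJWTMissingKID.`. The type comment `// ErrIAPJWTMissingKID represents a "ErrIAPJWTMissingKID" kind of error.` also repeats the Go type name where the neighbouring `ErrIAPUserFrontendMismatch` comment quotes an error-code string (`"IAPUserDoesNotMatchFrontendUser"`), so it is probably meant to carry that type's error code instead. The bodies of both helpers lie outside the hunks.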
@ -16,4 +16,4 @@
|
|||
|
||||
package identityawareproxy
|
||||
|
||||
// TODO test GetWebAuth()
|
||||
// TODO test GetWebAuth()
|
||||
|
||||
|
|
|
@ -67,7 +67,7 @@ type openIDAuthInfo struct {
|
|||
}
|
||||
|
||||
type identityAwareProxyAuthInfo struct {
|
||||
Enabled bool `json:"enabled"`
|
||||
Enabled bool `json:"enabled"`
|
||||
}
|
||||
|
||||
type legalInfo struct {
|
||||
|
|
|
@ -99,7 +99,7 @@ func RenewToken(c echo.Context) (err error) {
|
|||
newToken, err := auth.RenewToken(s, c)
|
||||
if err != nil {
|
||||
_ = s.Rollback()
|
||||
return handler.HandleHTTPError(err, c)
|
||||
return handler.HandleHTTPError(err, c)
|
||||
}
|
||||
|
||||
if err := s.Commit(); err != nil {
|
||||
|
|
|
@ -32,16 +32,11 @@ var doc = `{
|
|||
"host": "{{.Host}}",
|
||||
"basePath": "{{.BasePath}}",
|
||||
"paths": {
|
||||
"/auth/identityawareproxy/login": {
|
||||
"post": {
|
||||
"security": [
|
||||
{
|
||||
"JWTKeyAuth": []
|
||||
}
|
||||
],
|
||||
"description": "After a redirect from the OpenID Connect provider to the frontend has been made with the authentication ` + "`" + `code` + "`" + `, this endpoint can be used to obtain a jwt token for that user and thus log them in.",
|
||||
"/auth/identityawareproxy/token": {
|
||||
"get": {
|
||||
"description": "Generates a short-lived JWT based on the identity from the identity-aware proxy in order to provide the front-end with user id and username info",
|
||||
"consumes": [
|
||||
"application/json"
|
||||
"N/A"
|
||||
],
|
||||
"produces": [
|
||||
"application/json"
|
||||
|
@ -49,7 +44,7 @@ var doc = `{
|
|||
"tags": [
|
||||
"auth"
|
||||
],
|
||||
"summary": "Authenticate a user with OpenID Connect",
|
||||
"summary": "Authenticate a user from the Identity-Aware Proxy",
|
||||
"responses": {
|
||||
"200": {
|
||||
"description": "OK",
|
||||
|
@ -8631,9 +8626,6 @@ var doc = `{
|
|||
"properties": {
|
||||
"enabled": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"name": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
},
|
||||
|
|
|
@ -15,16 +15,11 @@
|
|||
},
|
||||
"basePath": "/api/v1",
|
||||
"paths": {
|
||||
"/auth/identityawareproxy/login": {
|
||||
"post": {
|
||||
"security": [
|
||||
{
|
||||
"JWTKeyAuth": []
|
||||
}
|
||||
],
|
||||
"description": "After a redirect from the OpenID Connect provider to the frontend has been made with the authentication `code`, this endpoint can be used to obtain a jwt token for that user and thus log them in.",
|
||||
"/auth/identityawareproxy/token": {
|
||||
"get": {
|
||||
"description": "Generates a short-lived JWT based on the identity from the identity-aware proxy in order to provide the front-end with user id and username info",
|
||||
"consumes": [
|
||||
"application/json"
|
||||
"N/A"
|
||||
],
|
||||
"produces": [
|
||||
"application/json"
|
||||
|
@ -32,7 +27,7 @@
|
|||
"tags": [
|
||||
"auth"
|
||||
],
|
||||
"summary": "Authenticate a user with OpenID Connect",
|
||||
"summary": "Authenticate a user from the Identity-Aware Proxy",
|
||||
"responses": {
|
||||
"200": {
|
||||
"description": "OK",
|
||||
|
@ -8614,9 +8609,6 @@
|
|||
"properties": {
|
||||
"enabled": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"name": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
},
|
||||
|
|
|
@ -1210,8 +1210,6 @@ definitions:
|
|||
properties:
|
||||
enabled:
|
||||
type: boolean
|
||||
name:
|
||||
type: string
|
||||
type: object
|
||||
v1.legalInfo:
|
||||
properties:
|
||||
|
@ -1338,11 +1336,11 @@ paths:
|
|||
summary: User Avatar
|
||||
tags:
|
||||
- user
|
||||
/auth/identityawareproxy/login:
|
||||
post:
|
||||
/auth/identityawareproxy/token:
|
||||
get:
|
||||
consumes:
|
||||
- application/json
|
||||
description: After a redirect from the OpenID Connect provider to the frontend has been made with the authentication `code`, this endpoint can be used to obtain a jwt token for that user and thus log them in.
|
||||
- N/A
|
||||
description: Generates a short-lived JWT based on the identity from the identity-aware proxy in order to provide the front-end with user id and username info
|
||||
produces:
|
||||
- application/json
|
||||
responses:
|
||||
|
@ -1354,9 +1352,7 @@ paths:
|
|||
description: Internal error
|
||||
schema:
|
||||
$ref: '#/definitions/models.Message'
|
||||
security:
|
||||
- JWTKeyAuth: []
|
||||
summary: Authenticate a user with OpenID Connect
|
||||
summary: Authenticate a user from the Identity-Aware Proxy
|
||||
tags:
|
||||
- auth
|
||||
/auth/openid/{provider}/callback:
|
||||
|
|