Docker/planka
Docker/planka
1
0
Fork 0
mirror of https://github.com/plankanban/planka.git synced 2025-07-19 05:09:43 +02:00
Code Issues Releases Activity
planka/client/src/sagas/login/services/login.js

123 lines
3.2 KiB
JavaScript
Raw Normal View History

feat: Improve OIDC SSO (#524) The OIDC implementation merged in https://github.com/plankanban/planka/pull/491 is flawed for multiple reasons. It assumes that the access_token returned by the IDP has to be a JWT parseable by the RP which is not the case [1]. Many major IDPs do issue tokens which are not JWTs and RPs should not rely on the contents of these at all. The only signed token which has a standardized format for direct RP consumption is the OIDC ID token (id_token), but this by default doesn't contain many claims, especially role claims are omitted from them by default for size reasons. To get these additional claims into the ID token, one needs an IDP with support for the "claims" parameter. It requires manual specification of the JWKS URL which is mandatory in any OIDC discovery document and thus never needs to be manually specified. It also makes the questionable decision to use a client-side code flow with PKCE where a normal code flow would be much more appropriate as all user data is processed in the backend which can securely hold a client secret (confidential client). This has far wider IDP support, is safer (due to direct involvement of the IDP in obtaining user information) and doesn't require working with ID tokens and claim parameters. By using a server-side code flow we can also offload most complexity to the server alone, no longer requiring an additional OIDC library on the web client. Also silent logout doesn't work on most IDPs for security reasons, one needs to actually redirect the user over to the IDP, which then prompts them once more if they actually want to log out. This implementation should work with any OIDC-compliant IDP and even OAuth 2.0-only IDPs as long as they serve and OIDC discovery document. [1] rfc-editor.org/rfc/rfc6749#section-5.1
2023-10-19 14:39:21 +02:00
import { nanoid } from 'nanoid';
import { call, put, select } from 'redux-saga/effects';
fix: OIDC finalization and refactoring
2023-10-17 19:18:19 +02:00
import { replace } from '../../../lib/redux-router';
Initial commit
2019-08-31 04:07:25 +05:00
fix: OIDC finalization and refactoring
2023-10-17 19:18:19 +02:00
import selectors from '../../../selectors';
ref: Refactoring
2022-08-04 13:31:14 +02:00
import actions from '../../../actions';
Project managers, board members, auto-update after reconnection, refactoring
2021-06-24 01:05:22 +05:00
import api from '../../../api';
feat: Invalidate access token on logout
2022-09-07 18:39:33 +05:00
import { setAccessToken } from '../../../utils/access-token-storage';
fix: OIDC finalization and refactoring
2023-10-17 19:18:19 +02:00
import Paths from '../../../constants/Paths';
export function* initializeLogin() {
const { item: config } = yield call(api.getConfig); // TODO: handle error
yield put(actions.initializeLogin(config));
}
Initial commit
2019-08-31 04:07:25 +05:00
ref: Refactoring
2022-08-04 13:31:14 +02:00
export function* authenticate(data) {
yield put(actions.authenticate(data));
Project managers, board members, auto-update after reconnection, refactoring
2021-06-24 01:05:22 +05:00
fix: OIDC finalization and refactoring
2023-10-17 19:18:19 +02:00
let accessToken;
Project managers, board members, auto-update after reconnection, refactoring
2021-06-24 01:05:22 +05:00
try {
fix: OIDC finalization and refactoring
2023-10-17 19:18:19 +02:00
({ item: accessToken } = yield call(api.createAccessToken, data));
Project managers, board members, auto-update after reconnection, refactoring
2021-06-24 01:05:22 +05:00
} catch (error) {
ref: Refactoring
2022-08-04 13:31:14 +02:00
yield put(actions.authenticate.failure(error));
Project managers, board members, auto-update after reconnection, refactoring
2021-06-24 01:05:22 +05:00
return;
}
feat: Invalidate access token on logout
2022-09-07 18:39:33 +05:00
yield call(setAccessToken, accessToken);
ref: Refactoring
2022-08-04 13:31:14 +02:00
yield put(actions.authenticate.success(accessToken));
Initial commit
2019-08-31 04:07:25 +05:00
}
ref: Refactoring
2023-10-19 16:05:34 +02:00
export function* authenticateUsingOidc() {
fix: OIDC finalization and refactoring
2023-10-17 19:18:19 +02:00
const oidcConfig = yield select(selectors.selectOidcConfig);
fix: Add state parameter to OIDC authorization url Closes #558
2023-12-09 17:06:45 +01:00
const state = nanoid();
window.sessionStorage.setItem('oidc-state', state);
feat: Improve OIDC SSO (#524) The OIDC implementation merged in https://github.com/plankanban/planka/pull/491 is flawed for multiple reasons. It assumes that the access_token returned by the IDP has to be a JWT parseable by the RP which is not the case [1]. Many major IDPs do issue tokens which are not JWTs and RPs should not rely on the contents of these at all. The only signed token which has a standardized format for direct RP consumption is the OIDC ID token (id_token), but this by default doesn't contain many claims, especially role claims are omitted from them by default for size reasons. To get these additional claims into the ID token, one needs an IDP with support for the "claims" parameter. It requires manual specification of the JWKS URL which is mandatory in any OIDC discovery document and thus never needs to be manually specified. It also makes the questionable decision to use a client-side code flow with PKCE where a normal code flow would be much more appropriate as all user data is processed in the backend which can securely hold a client secret (confidential client). This has far wider IDP support, is safer (due to direct involvement of the IDP in obtaining user information) and doesn't require working with ID tokens and claim parameters. By using a server-side code flow we can also offload most complexity to the server alone, no longer requiring an additional OIDC library on the web client. Also silent logout doesn't work on most IDPs for security reasons, one needs to actually redirect the user over to the IDP, which then prompts them once more if they actually want to log out. This implementation should work with any OIDC-compliant IDP and even OAuth 2.0-only IDPs as long as they serve and OIDC discovery document. [1] rfc-editor.org/rfc/rfc6749#section-5.1
2023-10-19 14:39:21 +02:00
const nonce = nanoid();
window.sessionStorage.setItem('oidc-nonce', nonce);
fix: Add state parameter to OIDC authorization url Closes #558
2023-12-09 17:06:45 +01:00
let redirectUrl = `${oidcConfig.authorizationUrl}`;
redirectUrl += `&state=${encodeURIComponent(state)}`;
redirectUrl += `&nonce=${encodeURIComponent(nonce)}`;
window.location.href = redirectUrl;
fix: OIDC finalization and refactoring
2023-10-17 19:18:19 +02:00
}
ref: Refactoring
2023-10-19 16:05:34 +02:00
export function* authenticateUsingOidcCallback() {
fix: Fallback to query if there is no fragment
2023-10-19 23:06:37 +02:00
// https://github.com/plankanban/planka/issues/511#issuecomment-1771385639
const params = new URLSearchParams(window.location.hash.substring(1) || window.location.search);
ref: Refactoring
2023-10-19 16:05:34 +02:00
fix: Add state parameter to OIDC authorization url Closes #558
2023-12-09 17:06:45 +01:00
const state = window.sessionStorage.getItem('oidc-state');
window.sessionStorage.removeItem('oidc-state');
const nonce = window.sessionStorage.getItem('oidc-nonce');
window.sessionStorage.removeItem('oidc-nonce');
ref: Refactoring
2023-10-19 16:05:34 +02:00
yield put(replace(Paths.LOGIN));
feat: Improve OIDC SSO (#524) The OIDC implementation merged in https://github.com/plankanban/planka/pull/491 is flawed for multiple reasons. It assumes that the access_token returned by the IDP has to be a JWT parseable by the RP which is not the case [1]. Many major IDPs do issue tokens which are not JWTs and RPs should not rely on the contents of these at all. The only signed token which has a standardized format for direct RP consumption is the OIDC ID token (id_token), but this by default doesn't contain many claims, especially role claims are omitted from them by default for size reasons. To get these additional claims into the ID token, one needs an IDP with support for the "claims" parameter. It requires manual specification of the JWKS URL which is mandatory in any OIDC discovery document and thus never needs to be manually specified. It also makes the questionable decision to use a client-side code flow with PKCE where a normal code flow would be much more appropriate as all user data is processed in the backend which can securely hold a client secret (confidential client). This has far wider IDP support, is safer (due to direct involvement of the IDP in obtaining user information) and doesn't require working with ID tokens and claim parameters. By using a server-side code flow we can also offload most complexity to the server alone, no longer requiring an additional OIDC library on the web client. Also silent logout doesn't work on most IDPs for security reasons, one needs to actually redirect the user over to the IDP, which then prompts them once more if they actually want to log out. This implementation should work with any OIDC-compliant IDP and even OAuth 2.0-only IDPs as long as they serve and OIDC discovery document. [1] rfc-editor.org/rfc/rfc6749#section-5.1
2023-10-19 14:39:21 +02:00
if (params.get('error') !== null) {
yield put(
ref: Refactoring
2023-10-19 16:05:34 +02:00
actions.authenticateUsingOidc.failure(
feat: Improve OIDC SSO (#524) The OIDC implementation merged in https://github.com/plankanban/planka/pull/491 is flawed for multiple reasons. It assumes that the access_token returned by the IDP has to be a JWT parseable by the RP which is not the case [1]. Many major IDPs do issue tokens which are not JWTs and RPs should not rely on the contents of these at all. The only signed token which has a standardized format for direct RP consumption is the OIDC ID token (id_token), but this by default doesn't contain many claims, especially role claims are omitted from them by default for size reasons. To get these additional claims into the ID token, one needs an IDP with support for the "claims" parameter. It requires manual specification of the JWKS URL which is mandatory in any OIDC discovery document and thus never needs to be manually specified. It also makes the questionable decision to use a client-side code flow with PKCE where a normal code flow would be much more appropriate as all user data is processed in the backend which can securely hold a client secret (confidential client). This has far wider IDP support, is safer (due to direct involvement of the IDP in obtaining user information) and doesn't require working with ID tokens and claim parameters. By using a server-side code flow we can also offload most complexity to the server alone, no longer requiring an additional OIDC library on the web client. Also silent logout doesn't work on most IDPs for security reasons, one needs to actually redirect the user over to the IDP, which then prompts them once more if they actually want to log out. This implementation should work with any OIDC-compliant IDP and even OAuth 2.0-only IDPs as long as they serve and OIDC discovery document. [1] rfc-editor.org/rfc/rfc6749#section-5.1
2023-10-19 14:39:21 +02:00
new Error(
`OIDC Authorization error: ${params.get('error')}: ${params.get('error_description')}`,
),
),
);
return;
}
fix: OIDC finalization and refactoring
2023-10-17 19:18:19 +02:00
fix: Add state parameter to OIDC authorization url Closes #558
2023-12-09 17:06:45 +01:00
const code = params.get('code');
if (code === null) {
yield put(
actions.authenticateUsingOidc.failure(new Error('Invalid OIDC response: no code parameter')),
);
return;
}
if (params.get('state') !== state) {
feat: Improve OIDC SSO (#524) The OIDC implementation merged in https://github.com/plankanban/planka/pull/491 is flawed for multiple reasons. It assumes that the access_token returned by the IDP has to be a JWT parseable by the RP which is not the case [1]. Many major IDPs do issue tokens which are not JWTs and RPs should not rely on the contents of these at all. The only signed token which has a standardized format for direct RP consumption is the OIDC ID token (id_token), but this by default doesn't contain many claims, especially role claims are omitted from them by default for size reasons. To get these additional claims into the ID token, one needs an IDP with support for the "claims" parameter. It requires manual specification of the JWKS URL which is mandatory in any OIDC discovery document and thus never needs to be manually specified. It also makes the questionable decision to use a client-side code flow with PKCE where a normal code flow would be much more appropriate as all user data is processed in the backend which can securely hold a client secret (confidential client). This has far wider IDP support, is safer (due to direct involvement of the IDP in obtaining user information) and doesn't require working with ID tokens and claim parameters. By using a server-side code flow we can also offload most complexity to the server alone, no longer requiring an additional OIDC library on the web client. Also silent logout doesn't work on most IDPs for security reasons, one needs to actually redirect the user over to the IDP, which then prompts them once more if they actually want to log out. This implementation should work with any OIDC-compliant IDP and even OAuth 2.0-only IDPs as long as they serve and OIDC discovery document. [1] rfc-editor.org/rfc/rfc6749#section-5.1
2023-10-19 14:39:21 +02:00
yield put(
ref: Refactoring
2023-10-19 16:05:34 +02:00
actions.authenticateUsingOidc.failure(
fix: Add state parameter to OIDC authorization url Closes #558
2023-12-09 17:06:45 +01:00
new Error('Unable to process OIDC response: state mismatch'),
feat: Improve OIDC SSO (#524) The OIDC implementation merged in https://github.com/plankanban/planka/pull/491 is flawed for multiple reasons. It assumes that the access_token returned by the IDP has to be a JWT parseable by the RP which is not the case [1]. Many major IDPs do issue tokens which are not JWTs and RPs should not rely on the contents of these at all. The only signed token which has a standardized format for direct RP consumption is the OIDC ID token (id_token), but this by default doesn't contain many claims, especially role claims are omitted from them by default for size reasons. To get these additional claims into the ID token, one needs an IDP with support for the "claims" parameter. It requires manual specification of the JWKS URL which is mandatory in any OIDC discovery document and thus never needs to be manually specified. It also makes the questionable decision to use a client-side code flow with PKCE where a normal code flow would be much more appropriate as all user data is processed in the backend which can securely hold a client secret (confidential client). This has far wider IDP support, is safer (due to direct involvement of the IDP in obtaining user information) and doesn't require working with ID tokens and claim parameters. By using a server-side code flow we can also offload most complexity to the server alone, no longer requiring an additional OIDC library on the web client. Also silent logout doesn't work on most IDPs for security reasons, one needs to actually redirect the user over to the IDP, which then prompts them once more if they actually want to log out. This implementation should work with any OIDC-compliant IDP and even OAuth 2.0-only IDPs as long as they serve and OIDC discovery document. [1] rfc-editor.org/rfc/rfc6749#section-5.1
2023-10-19 14:39:21 +02:00
),
);
return;
fix: OIDC finalization and refactoring
2023-10-17 19:18:19 +02:00
}
fix: Add state parameter to OIDC authorization url Closes #558
2023-12-09 17:06:45 +01:00
if (nonce === null) {
feat: Improve OIDC SSO (#524) The OIDC implementation merged in https://github.com/plankanban/planka/pull/491 is flawed for multiple reasons. It assumes that the access_token returned by the IDP has to be a JWT parseable by the RP which is not the case [1]. Many major IDPs do issue tokens which are not JWTs and RPs should not rely on the contents of these at all. The only signed token which has a standardized format for direct RP consumption is the OIDC ID token (id_token), but this by default doesn't contain many claims, especially role claims are omitted from them by default for size reasons. To get these additional claims into the ID token, one needs an IDP with support for the "claims" parameter. It requires manual specification of the JWKS URL which is mandatory in any OIDC discovery document and thus never needs to be manually specified. It also makes the questionable decision to use a client-side code flow with PKCE where a normal code flow would be much more appropriate as all user data is processed in the backend which can securely hold a client secret (confidential client). This has far wider IDP support, is safer (due to direct involvement of the IDP in obtaining user information) and doesn't require working with ID tokens and claim parameters. By using a server-side code flow we can also offload most complexity to the server alone, no longer requiring an additional OIDC library on the web client. Also silent logout doesn't work on most IDPs for security reasons, one needs to actually redirect the user over to the IDP, which then prompts them once more if they actually want to log out. This implementation should work with any OIDC-compliant IDP and even OAuth 2.0-only IDPs as long as they serve and OIDC discovery document. [1] rfc-editor.org/rfc/rfc6749#section-5.1
2023-10-19 14:39:21 +02:00
yield put(
fix: Add state parameter to OIDC authorization url Closes #558
2023-12-09 17:06:45 +01:00
actions.authenticateUsingOidc.failure(
new Error('Unable to process OIDC response: no nonce issued'),
),
feat: Improve OIDC SSO (#524) The OIDC implementation merged in https://github.com/plankanban/planka/pull/491 is flawed for multiple reasons. It assumes that the access_token returned by the IDP has to be a JWT parseable by the RP which is not the case [1]. Many major IDPs do issue tokens which are not JWTs and RPs should not rely on the contents of these at all. The only signed token which has a standardized format for direct RP consumption is the OIDC ID token (id_token), but this by default doesn't contain many claims, especially role claims are omitted from them by default for size reasons. To get these additional claims into the ID token, one needs an IDP with support for the "claims" parameter. It requires manual specification of the JWKS URL which is mandatory in any OIDC discovery document and thus never needs to be manually specified. It also makes the questionable decision to use a client-side code flow with PKCE where a normal code flow would be much more appropriate as all user data is processed in the backend which can securely hold a client secret (confidential client). This has far wider IDP support, is safer (due to direct involvement of the IDP in obtaining user information) and doesn't require working with ID tokens and claim parameters. By using a server-side code flow we can also offload most complexity to the server alone, no longer requiring an additional OIDC library on the web client. Also silent logout doesn't work on most IDPs for security reasons, one needs to actually redirect the user over to the IDP, which then prompts them once more if they actually want to log out. This implementation should work with any OIDC-compliant IDP and even OAuth 2.0-only IDPs as long as they serve and OIDC discovery document. [1] rfc-editor.org/rfc/rfc6749#section-5.1
2023-10-19 14:39:21 +02:00
);
return;
}
fix: Add state parameter to OIDC authorization url Closes #558
2023-12-09 17:06:45 +01:00
let accessToken;
try {
({ item: accessToken } = yield call(api.exchangeForAccessTokenUsingOidc, {
code,
nonce,
}));
} catch (error) {
yield put(actions.authenticateUsingOidc.failure(error));
return;
fix: OIDC finalization and refactoring
2023-10-17 19:18:19 +02:00
}
fix: Add state parameter to OIDC authorization url Closes #558
2023-12-09 17:06:45 +01:00
yield call(setAccessToken, accessToken);
yield put(actions.authenticateUsingOidc.success(accessToken));
fix: OIDC finalization and refactoring
2023-10-17 19:18:19 +02:00
}
ref: Refactoring
2022-08-04 13:31:14 +02:00
export function* clearAuthenticateError() {
yield put(actions.clearAuthenticateError());
Initial commit
2019-08-31 04:07:25 +05:00
}
ref: Refactoring
2022-08-04 13:31:14 +02:00
export default {
fix: OIDC finalization and refactoring
2023-10-17 19:18:19 +02:00
initializeLogin,
ref: Refactoring
2022-08-04 13:31:14 +02:00
authenticate,
ref: Refactoring
2023-10-19 16:05:34 +02:00
authenticateUsingOidc,
authenticateUsingOidcCallback,
ref: Refactoring
2022-08-04 13:31:14 +02:00
clearAuthenticateError,
};
Copy permalink