pirogoeth / lsso
Nginx SSO middleware for protecting your internets.
License: MIT License
This is something to keep in mind for the future and partially take care of now.
The access token API call should be able to be toggled via a configuration switch for security measures.
The same goes for any future API calls that may expose access keys for protected resources.
There needs to be some way of testing various parts of the codebase.
Both functional and "production" tests need to be run. Maybe this warrants a small Docker-based build with nginx, Redis, etc. with a Python test suite to make requests and hit pages?
Without HTTP Basic auth, things get a tad bit more difficult, but still manageable.
When creating a new session for a scoped location, ensure that we not only request a token for the location's specified scope, but also for the config.oauth_auth_scope, to keep the number of session upgrades that need to happen at a minimum.
Example:
current_scope = none
location -> /auth/test/scope-testing [scope: unix-wheel]
<session creation>
new_current_scope = sso unix-wheel
During a session upgrade, we should make sure to compound current scopes to reduce the number of session upgrades.
Example:
current_scope = sso unix-wheel
location -> /auth/test/scope-testing [scope: container-manage]
<session is killed and recreated>
new_current_scope = sso unix-wheel container-manage
Scoping needs to be added to the access token code so temporary tokens can be limited to a subsection of protected pages.
Now, tokens are created with the default config.oauth_auth_scope scope. Scoped access tokens should only be created if the requested scope is in a whitelist/not in a blacklist.
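The session-scope compounding from the two examples above and the whitelist/blacklist check for scoped access tokens, as an added example in plain Lua (not lsso's own code): config.oauth_auth_scope is assumed to be "sso", and the whitelist/blacklist are assumed to be sets keyed by scope name.

```lua
-- Added example (not lsso's own code): the scope handling sketched in the
-- issues above, in plain Lua so it runs outside nginx. Scopes are
-- space-separated strings; config.oauth_auth_scope is assumed to be "sso".
local function split_scopes(str)
    local list = {}
    for scope in string.gmatch(str or "", "%S+") do list[#list + 1] = scope end
    return list
end
-- Union of any number of scope strings, first-seen order, no duplicates.
-- nil is accepted for "no current session".
local function compound_scopes(...)
    local seen, out = {}, {}
    for i = 1, select("#", ...) do
        for _, scope in ipairs(split_scopes((select(i, ...)))) do
            if not seen[scope] then
                seen[scope] = true
                out[#out + 1] = scope
            end
        end
    end
    return table.concat(out, " ")
end
-- True when the location asks for a scope the session does not hold, i.e.
-- the session has to be killed and recreated with the compounded scope.
local function needs_upgrade(current_scope, location_scope)
    local held = {}
    for _, s in ipairs(split_scopes(current_scope)) do held[s] = true end
    for _, s in ipairs(split_scopes(location_scope)) do
        if not held[s] then return true end
    end
    return false
end
-- Scoped access tokens: every requested scope must be in the whitelist
-- (when one is configured) and none may be in the blacklist.
local function token_scope_allowed(requested, whitelist, blacklist)
    for _, s in ipairs(split_scopes(requested)) do
        if (whitelist and not whitelist[s]) or (blacklist and blacklist[s]) then
            return false
        end
    end
    return true
end
-- The two examples from the issue: session creation, then an upgrade.
local s1 = compound_scopes(nil, "sso", "unix-wheel")  -- current, auth, location
assert(s1 == "sso unix-wheel" and needs_upgrade(s1, "container-manage"))
local s2 = compound_scopes(s1, "sso", "container-manage")
assert(s2 == "sso unix-wheel container-manage" and not needs_upgrade(s2, "unix-wheel"))
assert(token_scope_allowed("unix-wheel", {["unix-wheel"] = true}, nil))
assert(not token_scope_allowed("sso unix-wheel", {["unix-wheel"] = true}, nil))
```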
On a bad username or password, the SSO should return msg_bad_credentials through the ?error callback to the auth portal, but returns msg_upstream_error.
Exactly as it sounds -- I want to support U2F registration and auth in the typical lsso workflow.
Around access.lua#L429, we should be able to add an ngx.req.set_header call to set a header (X-LSSO-Session -- but configurable?) so that the upstream service can use that as an auth method.
This is particularly useful for web applications supporting proxy auth, such as Grafana. This is a good step toward making lsso more powerful.
From the way RFC 6749 reads, client credentials style grant is similar to resource owner password credentials grant, but provides more flexibility.
With the client credentials grant, the main differences are the lack of username and password in the authentication request, as they are provided as HTTP BASIC auth in the Authorization header.
POST /token HTTP/1.1
Host: auth.example.org
Authorization: Basic <base64-mime encoded payload>
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&scope=space separated scopes
In the case of pyled, authentication and authorization are taken care of in one step, so this request hits a single endpoint and is essentially finished. As for other OAuth systems, I am not sure.