Comments (25)
I should add that I'm really excited about what you've put together and am excited to try it out!
from external-auth-server.
@ajbouh absolutely! Glad you're willing to try it out. The approach is pretty unique so I think it takes a minute to settle in, once it has though it's pretty easy to understand.
Can you share some details about your environment? Which reverse proxy? Kubernetes? etc.
There's a fairly complete example available here: It's specifically focused on the oauth2 plugin with github as a provider using traefik under kubernetes. Most of the instructions translate pretty easily to other variations though.
from external-auth-server.
Environment is Kubernetes + Ambassador. Am currently using a custom built AuthService (an Ambassador concept). My existing AuthService works great for HTTP API requests, but I don't have a solution for browser-based traffic yet.
Thanks for the pointer to documentation, though I was hoping to see what the final UX looks like from the user standpoint.
from external-auth-server.
@ajbouh not sure I follow, there is no UX to the end-user (aside from oauth/openid provider). So do you have a service that you want to authenticate via API and browser-based stuff currently? If so this project will work perfectly. Do you have an identity provider that you want to use for oauth?
from external-auth-server.
Yes, I think you understand what I'm trying to do. I plan to start with GitHub and Google as oauth providers.
from external-auth-server.
@ajbouh ok perfect, and what do you intend to use for API style access? Static list of username/password? LDAP? Or did you have something else in mind altogether?
from external-auth-server.
For the API I already have a custom authserver implemented that works via bearer token or basic auth.
from external-auth-server.
Ok, not being familiar with ambassador as much I may need some additional context. Typically external auth services can only have 1 URL configured in the reverse proxy so I'm not sure what the approach would be here.
With your existing service are they using jwt for the bearer tokens that you issue? How is basic auth handled? htpasswd file or ldap?
Sorry for all the questions just trying to see how this would best fit into your flow :)
from external-auth-server.
Bearer tokens are opaque random tokens, as I don't personally trust JWT. Basic auth is essentially the same as bearer tokens, with the same random token used as a username.
The spec for AuthService in Envoy/Ambassador is (roughly):
- send the HTTP headers of a request to the AuthService and buffer the request while waiting for a response from the AuthService
- If the AuthService returns a 200 response, copy any headers from the AuthService response to the header of the buffered request and route it accordingly
- If the AuthService returns a non-200 response, it sends that response back to the user/browser/http client
from external-auth-server.
@ajbouh ok that sounds sane. So does ambassador let you configure more than 1 authservice per host/path? If not how do you intend to continue to use your existing service and this project?
from external-auth-server.
Well, good question. This project is meant to be the external auth provider. So, a couple of options:
- Migrate your existing API clients to one of the plugins provided by this project
- I implement a new plugin which is http (2nd layer external auth). I really like this idea regardless so I'll implement it anyhow :)
What do you check your opaque tokens against? Something in a DB?
from external-auth-server.
I don't think migrating my existing clients to this package will work in the short term, so the second seems like a better option, although I'm worried about putting eas in the critical path of my API requests. Seems better to use eas as a fallback for browser-based authentication. Is that straightforward?
from external-auth-server.
Yes, tokens are resolved to internal customer IDs via a database lookup.
from external-auth-server.
Given the limitation of 1 external auth endpoint per service you're kinda stuck unless you have some way of applying finer grained rules at the proxy level. For example maybe all API requests are behind a specific route, or you serve up the app from 2 hosts and apply the auth urls to the respective services.
Totally understand apprehension around putting it into the critical path. I'd love to help however I can. Another perspective and set of eyes are great to have involved so thanks for the interest.
If you have control over the custom built auth service you currently use maybe you could implement #2 in reverse and make eas the 2nd layer based on browser agent strings or whatever.
Aside from implementing #2, if the DB lookups are fairly sane/simple for the opaque tokens I could implement a generic DB plugin as well. Now that the infrastructure is all in place, creating new plugins is generally 50-100 lines of code. So if it's a simple select and check for existence that would be pretty easy (as in, 30 minutes or less of programming easy).
In essence, how difficult would it be to re-implement your existing auth service? There's quite a solid foundation to build from on my side with plugins and custom assertions etc that are all ready to go.
from external-auth-server.
So as long as your auth service proxy ended up behaving the same as auth services do generally I don't see why that wouldn't work. Meaning, sends headers down appropriately and pushes responses back directly.
General idea would be ambassador is configured to talk to your custom auth service, if it fails or based off user agent sniffing or whatever would conditionally forward down to eas. Basically a mini pipeline idea like exists in this project.
I have been thinking about ways to let 3rd parties inject their own plugins into the mix. While seasoned in programming, node is not my forte by any stretch. I have some research to do to see how to make that sane and dynamic on the technical level.
from external-auth-server.
@ajbouh OK, I just committed a plugin that allows for integration with another external/forward auth provider. It's literally (or should be) a proxy of the response from the upstream url.
https://github.com/travisghansen/external-auth-server/blob/master/PLUGINS.md#forward
I still see some challenges for your particular use-case with this as you really want to change the ultimate response based on user-agent (ie: machine to machine vs browser-based). Even before you brought this up I've been thinking about exactly that since I think it's a valid use-case.
The challenge is sanely determining what's considered "browser" vs not. I'll put some more thought on it but if you have any ideas let me know.
from external-auth-server.
I have dreamed up a very powerful solution actually. I'll put some more thought on it and implement soon.
In essence what it will allow is early termination of the pipeline of plugins based on arbitrary assertions. You could for example return the response from the forward plugin when the request contains an Authorization header. Otherwise let the oauth process kick in.
from external-auth-server.
@ajbouh ok, I've just landed pcb support. Your use case should be fully supported based on some simple configuration now.
from external-auth-server.
Excellent, thanks!
Is there a live demo anywhere I can interact with?
I'm trying to evaluate eas against something like https://github.com/netlify/gotrue-js/blob/master/README.md
from external-auth-server.
@ajbouh from just a brief look it appears the 2 projects are trying to solve different things. gotrue appears to be more closely related to https://github.com/clems4ever/authelia or something of that nature.
The purpose of this project is to implement a forward authentication scheme using existing standards/tools rather than creating a new one. So instead of issuing tokens for example, I'm focused on simply validating them and leaving the issuing of them to oidc providers, etc. I know it gets a little fuzzy.
So hypothetically, you could use gotrue to issue tokens and then they could be validated by this project (if gotrue didn't/doesn't support a forward auth component already).
Not sure if that makes much sense but as such, this platform has 0 UI at all. There is nothing for users/admins to interact with other than creating the config_token from the cli and configuring their reverse proxy of choice with the appropriate URL.
from external-auth-server.
@ajbouh if we're talking jwt then currently the distinction I have is:
- Return a 401 if basic token verification fails (presuming options are set as desired) - https://www.npmjs.com/package/jsonwebtoken#jwtverifytoken-secretorpublickey-options-callback
- I just added custom assertions to jwt so if token verification passes but custom assertions fail I return a 403
With that said, remember that this project queues all auth plugins into a pipeline of sorts. So you can auth the same service via jwt and oidc for example (perhaps from the same provider/issuer). With the work I did over the past few days you can:
- forward the request to your existing auth provider if and only if the request contains an Authorization header of either scheme Bearer or Basic.
- If the request gets forwarded to your existing auth service then respond directly with whatever it returns (ie: don't continue the auth pipeline if it fails).
- If the request doesn't contain an Authorization header assume it is a browser-based user and authenticate them via the oidc or oauth2 plugin.
If you added authelia or gotrue to the mix hypothetically this project would allow you to mix and match services based on the needs of the particular endpoint (assuming plugins are created for those services or they natively support oauth2 or oidc or something of that nature).
from external-auth-server.
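An added illustration (not code from external-auth-server or from either participant) of the two mechanics discussed in this thread: the Envoy/Ambassador AuthService contract (200 copies headers into the buffered request, non-200 goes straight back to the client) and the early-terminating plugin pipeline (forward to the existing auth service only when a Bearer/Basic Authorization header is present, otherwise fall through to an oauth2/oidc-style redirect). The token table, customer ids, cookie name and provider URL are constructed stand-ins; the 401/403 split mirrors the verification-vs-custom-assertion distinction described above.

```javascript
// Added illustration of the thread's pipeline: a "forward" plugin that runs only on
// Bearer/Basic requests and ends the pipeline with the upstream response, otherwise an
// oauth2/oidc-style plugin. Token table, ids, cookie and URL are constructed stand-ins.
const TOKEN_DB = new Map([ // opaque token -> customer record (constructed, stands in for a DB)
  ['tok_alice_1', { customerId: 'cust-42', active: true }],
  ['tok_bob_2', { customerId: 'cust-77', active: false }],
]);

// Stand-in for the existing AuthService, following the Envoy/Ambassador contract:
// 200 with headers to inject into the buffered request, or a non-200 sent to the client.
function upstreamAuthService(h) {
  const [scheme, cred = ''] = (h['authorization'] || '').split(/\s+/, 2);
  let token = cred;
  if (/^basic$/i.test(scheme)) {
    // Basic auth carries the same opaque token as the username; the password is ignored.
    token = Buffer.from(cred, 'base64').toString('utf8').split(':')[0];
  }
  const rec = TOKEN_DB.get(token);
  if (!rec) return { status: 401, headers: { 'www-authenticate': 'Bearer' } }; // token unknown
  if (!rec.active) return { status: 403, headers: {} }; // token valid, custom assertion fails
  return { status: 200, headers: { 'x-customer-id': rec.customerId } };
}

// Pipeline with early termination: the first plugin whose assertion matches decides.
const PIPELINE = [
  {
    name: 'forward',
    applies: (h) => /^(bearer|basic)\s+\S/i.test(h['authorization'] || ''),
    handle: upstreamAuthService,
  },
  {
    name: 'oauth2',
    applies: () => true, // anything without an Authorization header is treated as a browser
    handle: (h) => (h['cookie'] || '').includes('eas_session=')
      ? { status: 200, headers: { 'x-userinfo': 'browser-user' } }
      : { status: 302, headers: { location: 'https://idp.example/authorize' } },
  },
];

function authenticate(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const plugin = PIPELINE.find((p) => p.applies(h));
  return { plugin: plugin.name, ...plugin.handle(h) };
}

// Proxy side of the contract: on 200 merge the auth headers into the buffered request
// and route it; on anything else hand the auth response back to the client unchanged.
function applyAuthDecision(request, decision) {
  if (decision.status !== 200) return { routed: false, response: decision };
  return { routed: true, request: { ...request, headers: { ...request.headers, ...decision.headers } } };
}
```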