GithubHelp home page GithubHelp logo

bcgov / sm-bridge-service Goto Github PK

View Code? Open in Web Editor NEW
5.0 5.0 9.0 77 KB

๐Ÿš€A SiteMinder to JWT authentication bridge micro service

License: Apache License 2.0

JavaScript 87.92% HTML 12.08%

sm-bridge-service's Introduction

๐Ÿš€ SiteMinder to JWT Authentication Bridge

A fancy title, simple service.

This microservice basics converts a SiteMinder SSO session to a JWT so you can secure your UI app and APIs. As you may know (because you're here), single page applications (Angular, React) or mobile app either cannot or with great difficult use proxy based authentication service like SiteMinder.

How it works

Image of Sequence Diagram

How it's secured

If you're running on an environment that can control the traffic, then just firewall this service to only listen to SiteMinder's reverse proxy service.

If you're running on OpenShift where all internet traffic is allow here's how it's secured:

  1. DNS A record resolves to SiteMinder Reverse Proxy
  2. SiteMinder engages and logins in the user etc
  3. HTTP request is forwarded to OpenShift's HA Proxy (technically it goes thru a load balancer buts its transparent for our concerns)
  4. OpenShift's HA Proxy read the HTTP host header and matches with our route
  5. HA Proxy also appends the IP address of SiteMinder Reverse Proxy to x-forwarded-for
  6. SM Bridge Service "trusts" HA Proxy to append x-forwarded-for correctly (which it does)
  7. SM Bridge Service will only allow the IP addresses of SiteMinder Reverse Proxy denying all other traffic

You must use HTTPS between the browser and SiteMinder Reverse Proxy AND between SiteMinder Reverse Proxy and OpenShift.
The route in OpenShift can edge terminate the TLS.

OAuth2/OIDC Similarities and Differences

This is intended as a stop-gap measure until an OpenID Connect service is offered. It's based on OAuth2 Implicit Grant but simplified for a single tenant (one key) and flow. Conceptually, a conversion to OpenID Connect or OAuth2 isn't great leap.

Terms:

  • SM Bridge Service = Authorization Server
  • UI App = Client Application
  • API App = Resource Service

Comparison:

  • Only Implicit Grant with JWT supported
  • Required request parameters: nonce=<large secure random value>
  • Ignored request parameters: response_type, client_id ,redirect_uri, scope
  • Only these parameters are returned: access_token (no refresh tokens provided), nonce in ID Token
  • Returned JWT is an ODIC ID Token
  • No refresh tokens provided
  • No revocation of tokens

How to Implement

You'll need the following, recommended order to get started but they can be parallel:

  1. Engage with IDIM to onboard to BCeID
  2. You'll need TWO domains, one like mydomain.com and another just for login purposes, login.mydomain.com. Both will require certficiates for HTTPS (TLS 1.1+).
  3. Order the SiteMinder Reverse Proxy service for the login.mydomain.com. Do NOT order mydomain.com SiteMinder reverse proxy service.
  4. Install on this service on OpenShift
  5. Integrate your UI app
  6. Integrate your API app

Installing SM Bridge Service on OpenShift

OpenShift is not required and you can deploy this to any host that supports NodeJS v4+. If you happen to use OpenShift we've given you some templates to get started quickly!

Browse to openshift directory for details on setup and deployments.

Configuration

The application does not have a configuration file, rather you provide configuration via the operating systems environments variables. This allows for easy configuration management in a container environment.

Environment Variable Name Description Default Value
ISSUER The name of the issuer of the token http://localhost:8080, value must be provided for production e.g., https://login.mydomain.com
REDIRECT_URI Normally provided by the client in OAuth2 implicit grant flow, however since we're single tenant you just configure the endpoint where you want this service to return to the browser to, e.g., https://mydomain.com http://localhost:9090, value must be provided for production e.g., https://mydomain.com
TOKEN_EXPIRY How long is the token considered valid in minutes 60 (minutes)
SECRET The secret key for signing and validating the token, must be base64 encoded, use node gensecret.js > secret.txt to securely generate a new key, use a different one per environment Defaults to a "hard-coded" key, value must be provided in production
SERVICE_IP Which IP address for this service to listen on the host 0.0.0.0 (all adaptors)
SERVICE_PORT Which port to listen on 8080 for running NodeJS as non-root
USE_TRUST_PROXY Enables security controls to determine which proxy can be trusted. For example, OpenShift's HA Proxy and WAM's Reverse Proxy. Defaults to true, you may disable ONLY IF you can ensure no traffic can hit this service without going thru the reverse proxy which is not the case in BC Governments deployment of OpenShift. true
TRUST_PROXY Which IP addresses or CIDR can be trusted. For multiple addresses, separate with a comma. More info 172.16.0.0/12
SITEMINDER_PROXY Which IP address or CIDR is the SiteMinder Reverse Proxy Servers, all other address will be denied none
SERVICE_PORT Which port to listen on 8080 for running NodeJS as non-root
LOG_LEVEL How chatty do you want to logging to be. Values can be (in order of chattyness) debug info error. debug

If NodeJS detects it's running in production and missing required configuration, NodeJS will terminate the process, exit 1.

Header Mapping

By default this service will map these properties, but you can change them via a Base64 Encoded string environment variable called HEADER_MAPPER so long as you follow the JSON syntax.

[
  {"incoming": "SMGOV_USERIDENTIFIER", "outgoing": "sub", "required": true},
  {"incoming": "SMGOV_USERTYPE", "outgoing": "userType", "required": true},
  {"incoming": "SMGOV_USERDISPLAYNAME", "outgoing": "name", "required": true},
  {"incoming": "SMGOV_EMAIL", "outgoing": "email", "required": false}
]

Integrate your UI app

  1. Redirect to /authorize?nonce=
  2. Redirect

URI encode your nonce

Integrate your API app

  1. HTTP Header Authorization the value Bearer <token>

Access Token

Example Required ID Token claims use for this bridge:

{
   "iss": "http://localhost:8080",
   "sub": "987987SKJSDKLJSKLDJKLM8907087987",
   "aud": "http://localhost:9090",
   "nonce": "654a654s8d7987320z",
   "exp": 1311281970,
   "iat": 1311280970,
   ... standard claims ...
   ... extension claims ... 
  }

Example additional Standard Claims provided by this service:

{
    ... required claims ...
    "name": "Greg Turner"
    ... extension claims ...
}

ID Token specification allows for extensions, here's an example of the extentions

{
    ... required claims ...
    ... standard claims ...
    "user_type": "BUSINESS"
    "email": "[email protected]"
}

Full Example

Raw Encoded Token:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAiLCJhdWQiOiJodHRwOi8vbG9jYWxob3N0OjkwOTAiLCJub25jZSI6Ii9xanhYS0FyV2I0ZDRJNXhYalRqdHdodzZBUFk2T3VTVHk3VjFNZjRwYUE9IiwiaWF0IjoxNTAyMzk4NzE2LCJzdWIiOiI4OTEyM2hqMWtqMjM4OWFzamtkaGFqa3NkIiwidXNlcl90eXBlIjoiQlVTSU5FU1MiLCJuYW1lIjoiR3JlZ1xcIFR1cm5lciciLCJlbWFpbCI6IiIsImV4cCI6MTUwMjQwMjMxNn0.oUJ9QOYo4gWn0T9jARAzy0Jk-huG70xoFqUj7zuD_yA

Decoded Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Decode Payload

{
  "iss":"http://localhost:8080",
  "aud":"http://localhost:9090",
  "nonce":"XhUE/AgOG5hrNnO0JpYI1lvDtonKvflnOwH1YLUukpw=",
  "iat":1502398546,
  "sub":"89123hj1kj2389asjkdhajksd",
  "user_type":"BUSINESS",
  "name":"Greg\\ Turner'",
  "email":"[email protected]",
  "exp":1502402146
}

Default Mapping from SiteMinder HTTP Headers

SiteMinder HTTP Header Description Mapped to ID Token Claim (JSON) Always Provided
SMGOV_USERIDENTIFIER A character string that uniquely identifies the user. This is typically a 32 character string consisting of hexadecimal characters but may be tailored to the requirements of the relying party. sub yes
SMGOV_USERTYPE The type of user that was authenticated. Will have one of the following values: BUSINESS, INDIVIDUAL, INTERNAL user_type yes
SMGOV_USERDISPLAYNAME The display name of the user that can be displayed on web pages name yes
SMGOV_EMAIL The display email address of the user email if available
SMGOV_BUSINESSGUID The GUID of the business business_guid true only if of type Business
SMGOV_BUSINESSLEGALNAME The legal name of the business that the user represents business_legal_name true only if of type Business

Developers

Most will just use this service out-of-the-box but if you wanted to contribute a feature, fix a bug or tweak for your needs, continue reading.

Development Environment

Install NodeJS and start hacking!

npm install <--- do this first

npm test <--- run unit tests

npm start <--- start server

sm-bridge-service's People

Contributors

gregturner avatar

Stargazers

avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar

Forkers

asanchezr laterolabs ironmoss purposefive aavi yuliaan bdwyertech umutshub rizwanbinzahir

sm-bridge-service's Issues

Add project lifecycle badge

No Project Lifecycle Badge found in your readme!

Hello! I scanned your readme and could not find a project lifecycle badge. A project lifecycle badge will provide contributors to your project as well as other stakeholders (platform services, executive) insight into the lifecycle of your repository.

What is a Project Lifecycle Badge?

It is a simple image that neatly describes your project's stage in its lifecycle. More information can be found in the project lifecycle badges documentation.

What do I need to do?

I suggest you make a PR into your README.md and add a project lifecycle badge near the top where it is easy for your users to pick it up :). Once it is merged feel free to close this issue. I will not open up a new one :)

Add missing topics

TL;DR

Topics greatly improve the discoverability of repos; please add the short code from the table below to the topics of your repo so that ministries can use GitHub's search to find out what repos belong to them and other visitors can find useful content (and reuse it!).

Why Topic

In short order we'll add our 800th repo. This large number clearly demonstrates the success of using GitHub and our Open Source initiative. This huge success means its critical that we work to make our content as discoverable as possible; Through discoverability, we promote code reuse across a large decentralized organization like the Government of British Columbia as well as allow ministries to find the repos they own.

What to do

Below is a table of abbreviation a.k.a short codes for each ministry; they're the ones used in all @gov.bc.ca email addresses. Please add the short codes of the ministry or organization that "owns" this repo as a topic.

add a topic

That's in, you're done!!!

How to use

Once topics are added, you can use them in GitHub's search. For example, enter something like org:bcgov topic:citz to find all the repos that belong to Citizens' Services. You can refine this search by adding key words specific to a subject you're interested in. To learn more about searching through repos check out GitHub's doc on searching.

Pro Tip ๐Ÿค“

  • If your org is not in the list below, or the table contains errors, please create an issue here.

  • While you're doing this, add additional topics that would help someone searching for "something". These can be the language used javascript or R; something like opendata or data for data only repos; or any other key words that are useful.

  • Add a meaningful description to your repo. This is hugely valuable to people looking through our repositories.

  • If your application is live, add the production URL.

Ministry Short Codes

Short Code Organization Name
AEST Advanced Education, Skills & Training
AGRI Agriculture
ALC Agriculture Land Commission
AG Attorney General
MCF Children & Family Development
CITZ Citizens' Services
DBC Destination BC
EMBC Emergency Management BC
EAO Environmental Assessment Office
EDUC Education
EMPR Energy, Mines & Petroleum Resources
ENV Environment & Climate Change Strategy
FIN Finance
FLNR Forests, Lands, Natural Resource Operations & Rural Development
HLTH Health
FLNR Indigenous Relations & Reconciliation
JEDC Jobs, Economic Development & Competitiveness
LBR Labour Policy & Legislation
LDB BC Liquor Distribution Branch
MMHA Mental Health & Addictions
MAH Municipal Affairs & Housing
BCPC Pension Corporation
PSA Public Safety & Solicitor General & Emergency B.C.
SDPR Social Development & Poverty Reduction
TCA Tourism, Arts & Culture
TRAN Transportation & Infrastructure

NOTE See an error or omission? Please create an issue here to get it remedied.

It's Been a While Since This Repository has Been Updated

This issue is a kind reminder that your repository has been inactive for 180 days. Some repositories are maintained in accordance with business requirements that infrequently change thus appearing inactive, and some repositories are inactive because they are unmaintained.

To help differentiate products that are unmaintained from products that do not require frequent maintenance, repomountie will open an issue whenever a repository has not been updated in 180 days.

  • If this product is being actively maintained, please close this issue.
  • If this repository isn't being actively maintained anymore, please archive this repository. Also, for bonus points, please add a dormant or retired life cycle badge.

Thank you for your help ensuring effective governance of our open-source ecosystem!

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.