Description

Throughout the frontend React.js-based codebase inline functions are used and passed to components, which causes some unnecessary re-renders. This can be easily improved by leveraging the library function useCallback with the proper dependecies parameter. Also, some use of the useMemo can be leveraged to improve components where possible.
In general, this issue is to push for the UI code to follow the basic guidelines of React base application development.

In docker compose, i added
hostname: hydra.localhost
to hydra so that i could access it with my browser when running docker compose.

This required a change in hydra.yaml to urls.self.public - had to set it to
http://hydra.localhost:4444

Hydra and Kratos dependencies will eventually be hosted behind HTTPS and Login UI will need to be able to communicate securely with these API

to get this working we should aim at implementing canonical/identity-platform-login-ui-operator#109 as soon as possible but as a stop gap solution we could exploit the same way we are doing for kratos rock https://github.com/canonical/kratos-rock/blob/main/rockcraft.yaml#L38-L57

this would cover the case where we are using publicly trusted CAs which have their CA bundle packaged in the ca-certificates debian package

support for self-signed certificates would still require canonical/identity-platform-login-ui-operator#109 to be implemented

With docker compose the hydra DB migration does not appear to work.
I had to use the hydra CLI (in the hydra container) to run the migrations, then it started working.

If you try to access the login page with a wrong flow parameter, you will see a white page, e.g. try to go to https://iam.dev.canonical.com/stg-identity-jaas-dev-login-ui/ui/login?flow=57660e6b-fd54-491a-9dda-02d76641.

This can happen if flow expires as well. IMHO the page should load and show an error to the user.

Some kratos flows return json when succeeding but raw html when failing, we should switch to use json all the time.
Ref: #269 (comment)

Currently the backend proxies all of the headers that it gets from hydra/kratos to the UI, except for a few of them.
We need be more explicit about what we proxy to the UI, we need to specify exactly which headers we want to proxy. I think that only the cookies need to be proxied, but we should investigate it further.

We should consider the local kratos IdP as an additional provider and filter it based on openfga:

• add a default name for the local idp provider
• update the FilterFlowProviderList so that the password method is not enabled for certain applications

Maybe out or scope for this PR: This is growing too long, we should consider moving it to a map

Originally posted by @nsklikas in #280 (comment)

The login logic is currently tied to hydra. If you try to go to /ui/reset_password without a session, you'll get redirected to sign in but the page will be shown as loading:

This is due to missing login_challenge parameter value. Similar bug can be observed when going directly to http://localhost:4455/ui/login.

When an error message occurs the browser displays a verbose json error message. It should be trimmed to only contain relevant information for the end user.

With the addition of token lifespans to the client configuration, hydra 2.3.0(fork) does not work with with kratos 1.1.0. The reason is that when Kratos tries to fetch the hydra login flow using the login_challenge, the flow that hydra returns includes the client. The client metadata contain the new lifespan fields and kratos throws an error because it does not allow extra fields when parsing the hydra responses. This issue does not occur with kratos v1.0.0

To overcome this we could remove the hydra configuration from kratos and handle the flow from the login UI.

To reproduce this you can:

• fetch https://github.com/canonical/identity-platform-login-ui/tree/bug-demo
• assuming you have github credentials set on .env, run docker compose up --build --remove-orphans
• initiate a device flow by running:

code_client=$(hydra create client \
  --endpoint http://localhost:4445 \
  --grant-type authorization_code,refresh_token,urn:ietf:params:oauth:grant-type:device_code \
  --response-type code \
  --format json \
  --scope openid,offline_access,email,profile \
  --redirect-uri http://127.0.0.1:4446/callback \
  --audience app_client \
)
curl -X POST localhost:4444/oauth2/device/auth \
  -d "scope=openid email offline_access" \
  -d client_id=`echo "$code_client" | yq .client_id` \
  -u `echo "$code_client" | yq .client_id`:`echo "$code_client" | yq .client_secret`

• If you go to the returned verification_uri and enter the user_code, you will get the following Kratos error:

kratos                        | time=2024-05-01T11:08:02Z level=info msg=An error occurred while handling a request func=github.com/ory/x/logrusx.(*Logger).ReportError file=/go/pkg/mod/github.com/ory/[email protected]/logrusx/logrus.go:230 audience=application error=map[debug:json: unknown field "device_authorization_grant_id_token_lifespan" details:map[status_code:200] message:The request was malformed or contained invalid parameters reason:Unable to get OAuth 2.0 Login Challenge. stack_trace:
kratos                        | github.com/ory/kratos/hydra.(*DefaultHydra).GetLoginRequest
kratos                        |         /project/hydra/hydra.go:169
kratos                        | github.com/ory/kratos/selfservice/flow/login.(*Handler).createBrowserLoginFlow
kratos                        |         /project/selfservice/flow/login/handler.go:456
kratos                        | github.com/ory/kratos/x.(*RouterPublic).GET.NoCacheHandle.func1
kratos                        |         /project/x/nocache.go:21
kratos                        | github.com/ory/kratos/x.(*RouterPublic).Handle.NoCacheHandle.func1
kratos                        |         /project/x/nocache.go:21
kratos                        | github.com/julienschmidt/httprouter.(*Router).ServeHTTP
kratos                        |         /go/pkg/mod/github.com/julienschmidt/[email protected]/router.go:387
kratos                        | github.com/ory/nosurf.(*CSRFHandler).handleSuccess
kratos                        |         /go/pkg/mod/github.com/ory/[email protected]/handler.go:234
kratos                        | github.com/ory/nosurf.(*CSRFHandler).ServeHTTP
kratos                        |         /go/pkg/mod/github.com/ory/[email protected]/handler.go:191
kratos                        | github.com/urfave/negroni.(*Negroni).UseHandler.Wrap.func1
kratos                        |         /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:46
kratos                        | github.com/urfave/negroni.HandlerFunc.ServeHTTP
kratos                        |         /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29
kratos                        | github.com/urfave/negroni.middleware.ServeHTTP
kratos                        |         /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
kratos                        | github.com/ory/kratos/x.glob..func1
kratos                        |         /project/x/clean_url.go:15
kratos                        | github.com/urfave/negroni.HandlerFunc.ServeHTTP
kratos                        |         /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29
kratos                        | github.com/urfave/negroni.middleware.ServeHTTP
kratos                        |         /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
kratos                        | github.com/rs/cors.(*Cors).ServeHTTP
kratos                        |         /go/pkg/mod/github.com/rs/[email protected]/cors.go:266
kratos                        | github.com/ory/kratos/cmd/daemon.servePublic.func1
kratos                        |         /project/cmd/daemon/serve.go:114
kratos                        | github.com/urfave/negroni.HandlerFunc.ServeHTTP
kratos                        |         /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29
kratos                        | github.com/urfave/negroni.middleware.ServeHTTP
kratos                        |         /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
kratos                        | net/http.HandlerFunc.ServeHTTP
kratos                        |         /usr/local/go/src/net/http/server.go:2136
kratos                        | github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerResponseSize.func1
kratos                        |         /go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:284
kratos                        | net/http.HandlerFunc.ServeHTTP
kratos                        |         /usr/local/go/src/net/http/server.go:2136
kratos                        | github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerCounter.func1
kratos                        |         /go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:142
kratos                        | net/http.HandlerFunc.ServeHTTP
kratos                        |         /usr/local/go/src/net/http/server.go:2136
kratos                        | github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func1
kratos                        |         /go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:92
kratos                        | net/http.HandlerFunc.ServeHTTP
kratos                        |         /usr/local/go/src/net/http/server.go:2136
kratos                        | github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func2
kratos                        |         /go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:104
kratos                        | net/http.HandlerFunc.ServeHTTP
kratos                        |         /usr/local/go/src/net/http/server.go:2136
kratos                        | github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerRequestSize.func1
kratos                        |         /go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:234
kratos                        |         /usr/local/go/src/net/http/server.go:2136
kratos                        | github.com/ory/x/prometheusx.Metrics.Instrument.Metrics.instrumentHandlerStatusBucket.func1
kratos                        |         /go/pkg/mod/github.com/ory/[email protected]/prometheusx/metrics.go:115
kratos                        | net/http.HandlerFunc.ServeHTTP
kratos                        |         /usr/local/go/src/net/http/server.go:2136
kratos                        | github.com/ory/x/prometheusx.(*MetricsManager).ServeHTTP
kratos                        |         /go/pkg/mod/github.com/ory/[email protected]/prometheusx/middleware.go:41
kratos                        | github.com/urfave/negroni.middleware.ServeHTTP

Currently there's no error handling procedure if the hydra or kratos urls found in the environmental variables are not accessible endpoints.

We should add a tracer to all methods, like in this example.

Using the latest image, login ui requires openfga deployment in order to work, otherwise it fails to return the allowed identity providers even if AUTHORIZATION_ENABLED=false.

poc-kratos-selfservice-ui-node-1  | 2024-02-01T14:27:46.199Z [login-ui] github.com/canonical/identity-platform-login-ui/pkg/kratos.(*Service).CheckAllowedProvider(0xc000280720, {0xf98500?, 0x1599f00?}, 0xc000150000, 0xc00021aa80)
poc-kratos-selfservice-ui-node-1  | 2024-02-01T14:27:46.199Z [login-ui] 	/root/parts/go-build/build/pkg/kratos/service.go:173

To reproduce:
Set up a docker environment with kratos, hydra and login ui (for example https://github.com/natalian98/oathkeeper-poc/tree/test-with-httpbin) pinning the login ui version to latest

Description

Right now to enforce mfa #265 just redirects users to /ui/setup_secure (also considering any context path the app is configure with through the full URL env var called BASE_URL).

We need to align with the UI team to agree on a specific error to show the user with a call to action to go and setup MFA instead of directly redirecting the user.

References

• #265

When the user gets redirected to the login page, they are presented with a set of providers to choose from. When they click on a provider, an XHR request is done to the /self-service/login endpoint. The backend responds with a 422 code and a URL to redirect to (the authn endpoint).

This happens because the application type we send is application/json, if the application type is changed to application/x-www-form-urlencoded, the status code should change to 303. It is not enough to add that content type to the frontend headers, as the ory go client does not allow us to set the content type when making the request (at least I couldn't figure out how to do it).

We could handle this in the backend (ie convert the 422 to a 303 as long as the response body is valid).

If I try to input a otp that does not have the right length (6), then I get this error:

The client_id should be in the audiences of a JWT access tokens (just like ID Tokens).

We should always add it at https://github.com/canonical/identity-platform-login-ui/blob/jwt-at/pkg/extra/service.go#L68.

If you log in with email and password, login ui redirects to complete the 2fa. If instead of providing it you go back in the browser and attempt to sign in again, a Failed to get login flow error will be displayed:

In login ui logs:

"message":"Error when getting login flow: 403 Forbidden\n"

The solution is to 1) clear the browser cookies or 2) go again to the original url which will redirect to insert the password again (the email is cached).

If webauthn config is disabled and you attempt to sign in using a security key, UI displays a message "invalid password". This is because it sends an invalid payload (with password method), so kratos renders this error message as it doesn't recognize it.

If webauthn is enabled and you attempt to sign in with a user that doesn't have any webauthn credentials, it will display the correct message because the method in the payload is correct:

The shouldEnforceMfa checks are currently not covered by unit tests.

Description

Dependency PR update #150 triggered a failure in the tests

We have to figure out what changed as we want to move to the latest kratos library

linked to canonical/identity-platform-admin-ui#121

Defitinition of Done

• fix the PR
• tests are passing

Currently the Kratos and Hydra clients are always configured to print debug messages, we should make this configurable like in https://github.com/canonical/identity-platform-admin-ui/blob/main/internal/hydra/client.go#L23

go-mock has gone out of maintenance

we are deeply invsted in it and option of switching to testify is not on the table

https://github.com/uber-go/mock is a fork of go-mock and is maintained by uber

the URL pattern used in here tends to glob up anything that is not matched by any other register handler

this means that a POST /api/v0/version which should be served by the version handler adn return a 405 Method Not Allowed ends up insetad being server by the UI handler and return a 404 from the path /api/v0/version.html

need to pin it down to a more limited subset of URI, allegedly /login and /_next/* might be enough but got to validate that

We need to update to the latest version of the kratos sdk and see if we can use that to discard the custom logic that we have for parsing Kratos requests.

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Rate-Limited

These updates are currently rate-limited. Click on a checkbox below to force their creation now.

• chore(deps): update github/codeql-action action to v2.21.5
• fix(deps): update module github.com/go-chi/chi/v5 to v5.0.10
• chore(deps): update actions/checkout action to v3.6.0
• chore(deps): update dependency @testing-library/jest-dom to v5.17.0
• chore(deps): update dependency eslint-config-prettier to v8.10.0
• chore(deps): update dependency eslint-plugin-react to v7.33.2
• fix(deps): update dependency @canonical/react-components to v0.47.0
• fix(deps): update dependency sass-embedded to v1.66.1
• fix(deps): update module go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp to v0.43.0
• fix(deps): update module go.opentelemetry.io/contrib/propagators/jaeger to v1.18.0
• fix(deps): update module go.uber.org/zap to v1.25.0
• fix(deps): update opentelemetry-go monorepo to v1.17.0 (go.opentelemetry.io/otel, go.opentelemetry.io/otel/exporters/otlp/otlptrace, go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc, go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp, go.opentelemetry.io/otel/exporters/stdout/stdouttrace, go.opentelemetry.io/otel/sdk, go.opentelemetry.io/otel/trace)
• chore(deps): update dependency @testing-library/jest-dom to v6
• chore(deps): update dependency @typescript-eslint/eslint-plugin to v6
• chore(deps): update dependency eslint-config-prettier to v9
• chore(deps): update dependency eslint-plugin-prettier to v5
• fix(deps): update dependency vanilla-framework to v4
• fix(deps): update module github.com/ory/kratos-client-go to v1
• 🔐 Create all rate-limited PRs at once 🔐

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• chore(deps): update dependency autoprefixer to v10.4.15
• chore(deps): update dependency postcss to v8.4.29
• chore(deps): update nextjs monorepo to v13.4.19 (@next/eslint-plugin-next, next)
• fix(deps): update dependency @ory/client to v1.1.51
• fix(deps): update dependency @ory/integrations to v1.1.4
• chore(deps): update dependency @typescript-eslint/eslint-plugin to v5.62.0
• chore(deps): update dependency eslint to v8.48.0
• chore(deps): update dependency typescript to v5.2.2
• fix(deps): update dependency vanilla-framework to v3.15.1
• chore(deps): update dependency prettier to v3
• Click on this checkbox to rebase all open PRs at once

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

We should enhance our traces with the error and the payloads of the http responses.

By deploying the bundle found on canonical/iam-bundle#273, if I create an admin account through the kratos juju cli (juju run kratos/0 create-admin-account [email protected] password=123a username=aba) and I try to login via Hydra, I will be asked to register my authenticator and then I will end up in the setup_complete page instead of being redirected back to Hydra.

Add functionality to display application version when called with an appropriate flag.

Add http endpoints that respond to health checks and readiness checks from Kubernetes platform.

The kratos' session currently lasts for too long, should we ask the users to provide OTP more often?

This would mean to have 2 lifetimes for the user session, one for 1st FA (username/password) and one for 2nd FA (totp). Not sure if this makes, but I think that this is common for IdPs.

With the upgrade to kratos sdk v1.0.0 the parsing of the LoginFlow objects returned from Kratos is broken. See relevant issue ory/sdk#291.

The error that we get is:

2023-10-12T09:36:47.418Z [login-ui] {"severity":"error","@timestamp":"2023-10-12T09:36:47.418687728Z","message":"Error when marshalling Json: json: error calling MarshalJSON for type client.UiContainer: json: error calling MarshalJSON for type client.UiNode: json: error calling MarshalJSON for type client.UiNodeAttributes: unexpected end of JSON input\n"}

The payload is:

{"id":"26c72fd5-7abf-4752-bf08-7a19812f4ad4","oauth2_login_challenge":"28807b1825b042829aefc936196de0c6","oauth2_login_request":{"challenge":"28807b1825b042829aefc936196de0c6","client":{"allowed_cors_origins":[],"audience":[],"client_id":"32affc9c-24ae-4622-87a6-77ead7e34153","client_name":"grafana","client_secret_expires_at":0,"client_uri":"","contacts":[],"created_at":"2023-10-12T10:06:26Z","grant_types":["authorization_code","refresh_token"],"jwks":{},"logo_uri":"","metadata":{},"owner":"","policy_uri":"","redirect_uris":["http://localhost:2345/login/generic_oauth"],"request_object_signing_alg":"RS256","response_types":["code","id_token"],"scope":"openid offline_access email","subject_type":"public","token_endpoint_auth_method":"client_secret_basic","tos_uri":"","updated_at":"2023-10-12T10:06:25.984842Z","userinfo_signed_response_alg":"none"},"oidc_context":{},"request_url":"http://localhost:4444/oauth2/auth?client_id=32affc9c-24ae-4622-87a6-77ead7e34153\u0026redirect_uri=http%3A%2F%2Flocalhost%3A2345%2Flogin%2Fgeneric_oauth\u0026response_type=code\u0026scope=openid+offline_access+email\u0026state=R0iwnafytzqqRIqIjsNHmP9Y7RsJZTNtx0M69hNB1Ec%3D","requested_access_token_audience":[],"requested_scope":["openid","offline_access","email"],"session_id":"1f7f4e17-c73b-445b-8e81-b4b1cecd78d4","skip":false,"subject":""},"type":"browser","expires_at":"2023-10-12T12:04:19.819204252Z","issued_at":"2023-10-12T11:04:19.819204252Z","request_url":"http://localhost:4433/self-service/login/browser?aal=\u0026login_challenge=28807b1825b042829aefc936196de0c6\u0026refresh=true\u0026return_to=http%3A%2F%2Flocalhost%3A4455%2Fui%2Flogin%3Flogin_challenge%3D28807b1825b042829aefc936196de0c6","return_to":"http://localhost:4455/ui/login?login_challenge=28807b1825b042829aefc936196de0c6","ui":{"action":"http://localhost:4433/self-service/login?flow=26c72fd5-7abf-4752-bf08-7a19812f4ad4","method":"POST","nodes":[{"type":"input","group":"oidc","attributes":{"name":"provider","type":"submit","value":"microsoft_cccca7a7a3666c2bc336a09713596333b5d02fbc","disabled":false,"node_type":"input"},"messages":[],"meta":{"label":{"id":1010002,"text":"Sign in with microsoft_cccca7a7a3666c2bc336a09713596333b5d02fbc","type":"info","context":{"provider":"microsoft_cccca7a7a3666c2bc336a09713596333b5d02fbc"}}}},{"type":"input","group":"default","attributes":{"name":"csrf_token","type":"hidden","value":"wlTu4l6D5Frw0IVXqgwXpZXMlz/p7ub62JJCcbajaTIBkkzi/wQcOcsqdqEetZ8y1FZTZsJOVrIDVV6JSLTFLA==","required":true,"disabled":false,"node_type":"input"},"messages":[],"meta":{}}]},"created_at":"2023-10-12T11:04:19.824634Z","updated_at":"2023-10-12T11:04:19.824634Z","refresh":false,"requested_aal":"aal1"}

Quick summary of the issue:

The problem stems from the addition of this line. For some reason the Kratos sdk in the kratos repo does not have this line.

The reason for the error is that the attributes can't be unmarshalled into the go struct because all types of attributes match in this function.

Until this is fixed we should downgrade to v0.13.1.

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Location: renovate.json
Error type: Invalid JSON (parsing failed)
Message: Syntax error near ", ],