phish108 / authomator
License: MIT License
The checker should have scope policies to provide fine grained access to the different methods and URLs
Currently the user scopes are part of the configuration. This makes things extremely inflexible.
Allow for storage backends for user scopes. authomator needs only read access to these backends. Management of user scopes can be entirely externalised.
A storage backend should return for a provided ( login | backend ) pair the corresponding scope.
Scope Management can be located:
others?
In order to have maximum flexibility for customization, the UI should be separate from the service. The service should provide only data endpoints:
- `checker` to run against all URLs and use internal configs rather than server configs.
- `admin/*` endpoints are `checker` protected.
This separation gives more flexibility to integrate auth functions into a more complex application. An application can ask the endpoints to receive or update certain functions of the UI.
The user management must not be part of authomator but provided by a separate backend/subsystem.
the new fetch API is better suited for this task
The `resolve` function of config/index.mjs needs to be context aware. If a reference is made, it should be treated in the context of the containing file.
This makes the logic more complex, but also more user friendly.
If we have two sites with different CNAMEs, then authomator works only for one of them.
The service needs to register which request URL has been posted.
This needs a bit of adaptation for different sites. The only common element across sites is the ports of the services.
Our configuration may change to:
```yaml
common:
  frontend:
    port: 8080
  checker:
    port: 8081
sites:
  - common:
      base_url: "https://site1"   # some host url for the baseline for all requests
      entrypoint: /auth/          # the entrypoint for the authomator
      success_target: "/home/"    # where to point users after successful authentication
    backend:
      backendname:
        name: Display Name
        icon: FontAwesomeIcon
        type: github
        baseurl: https://github.com
        client_id: githubs client_id
        client_secret: githubs client_secret
    user:
      - login: username
        scope: internal user scope for acl
  - common:
      base_url: "https://site2"   # some host url for the baseline for all requests
      entrypoint: /auth/          # the entrypoint for the authomator
      success_target: "/success/" # where to point users after successful authentication
    backend:
      backendname:
        name: Display Name
        icon: FontAwesomeIcon
        type: github
        baseurl: https://github.enterprise.com
        client_id: githubs client_id
        client_secret: githubs client_secret
    user:
      - login: otherusername
        scope: internal user scope for acl
```
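The site lookup the multi-site layout above implies, as an added example that is not authomator's own code: given a request URL, pick the `sites` entry whose `base_url` host matches, and derive the entrypoint and success URL from that entry. The `CONFIG` object (a trimmed copy of the YAML above), the helper names and the rule that `success_target` must stay on the site's own origin are assumptions made for this illustration.

```javascript
// Added example, not part of the authomator project. Config shape follows the
// YAML sketch above; only the fields needed for site selection are kept.
const CONFIG = {
  common: { frontend: { port: 8080 }, checker: { port: 8081 } },
  sites: [
    {
      common: { base_url: "https://site1", entrypoint: "/auth/", success_target: "/home/" },
      backend: { backendname: { type: "github", baseurl: "https://github.com" } },
    },
    {
      common: { base_url: "https://site2", entrypoint: "/auth/", success_target: "/success/" },
      backend: { backendname: { type: "github", baseurl: "https://github.enterprise.com" } },
    },
  ],
};

// Select the site section for a posted request URL. Comparison is on the
// URL host (hostname plus an explicit port, if any); unknown hosts yield null
// so the caller can answer with 404/403 instead of silently using site 1.
function siteFor(config, requestUrl) {
  const req = new URL(requestUrl);
  return config.sites.find((s) => new URL(s.common.base_url).host === req.host) ?? null;
}

// The authomator entrypoint for a site, as an absolute URL.
function entrypointUrl(site) {
  return new URL(site.common.entrypoint, site.common.base_url).href;
}

// Where to send the browser after a successful login. The target is resolved
// against the site's own base_url and must stay on that origin (assumption of
// this example), so a misconfigured or tampered success_target cannot turn the
// service into an open redirector.
function successUrl(site) {
  const base = new URL(site.common.base_url);
  const target = new URL(site.common.success_target, base);
  if (target.origin !== base.origin) {
    throw new Error(`success_target leaves ${base.origin}: ${target.href}`);
  }
  return target.href;
}
```

With this lookup in place the checker can derive everything site-specific from the request it receives, which is what makes a single authomator instance usable for both CNAMEs.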
Instead of having a locally stored session id to validate against, we should issue a JWT with the session information.
This would allow us to store information about the user, scope and the authorised site.
This token should be a JWS+JWE, so it is signed by us and encrypted for us.
use the modern mjs capabilities of nodejs for future compliance and better code isolation
Scope handling needs to be more flexible.
It should be possible to allow all users with certain IT claims to receive a scope without being explicitly configured.
Examples:
Give access to all users with a zhaw.ch address, while excluding students (who would have a @students.zhaw.ch address).
```yaml
- match: @zhaw.ch
  target: eduid
  claim: email
  scope: user
```
Give access to all users who belong to an organization:
```yaml
- match: ZHAW
  target: eduid
  claim: homeorg
  scope: user
```
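How the two ideas fit together, as an added example that is not authomator's code: the scope checker first asks a read-only scope backend for the `(login, backend)` pair (the externalised store from the first issue above), and only if that yields nothing does it evaluate claim rules of the shape just shown. `MapScopeStore`, `resolveScope`, the sample entries and the decision to apply `match` as a case-insensitive suffix test are assumptions of this example; the suffix rule is what keeps `@students.zhaw.ch` addresses out when the rule says `@zhaw.ch`.

```javascript
// Added example, not part of the authomator project.

// A scope backend needs one read-only operation: scope for (login, backend).
// Anything with this method works (LDAP, SQL, a file); management stays outside.
class MapScopeStore {
  constructor(entries) {
    // entries: [{ login, backend, scope }] -- constructed sample data
    this.map = new Map(entries.map((e) => [`${e.backend}\u0000${e.login}`, e.scope]));
  }
  lookup(login, backend) {
    return this.map.get(`${backend}\u0000${login}`) ?? null;
  }
}

// Rules in the shape of the YAML above (constructed copy).
const CLAIM_RULES = [
  { match: "@zhaw.ch", target: "eduid", claim: "email", scope: "user" },
  { match: "ZHAW", target: "eduid", claim: "homeorg", scope: "user" },
];

// `match` is treated as a case-insensitive suffix of the claim value.
// "alice@students.zhaw.ch" ends in ".zhaw.ch", not "@zhaw.ch", so students
// are excluded without an explicit deny rule. Claims may be multi-valued.
function ruleMatches(rule, claims) {
  const values = [].concat(claims?.[rule.claim] ?? []);
  const needle = rule.match.toLowerCase();
  return values.some((v) => typeof v === "string" && v.toLowerCase().endsWith(needle));
}

// Explicit assignment wins; otherwise the first matching rule for this
// backend decides; otherwise there is no scope and the checker denies.
function resolveScope({ login, backend, claims = {} }, store, rules = CLAIM_RULES) {
  const explicit = store.lookup(login, backend);
  if (explicit) return explicit;
  for (const rule of rules) {
    if (rule.target === backend && ruleMatches(rule, claims)) return rule.scope;
  }
  return null;
}

// Constructed sample store: one explicitly configured admin.
const STORE = new MapScopeStore([{ login: "alice", backend: "github", scope: "admin" }]);
```

Rules are only consulted for the backend named in `target`, so a `zhaw.ch` e-mail asserted by a different IdP does not grant the scope.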
Load the configuration from backend.
The configuration includes:
- basic settings
- auth services
- yaml api
- Json api
- Gql api
- Rest api
- Ldap api
Add endpoints via configuration.
Test with
If an IdP did not provide a refresh_token, we must initiate an interactive refresh instead of failing.
Towards the bottom of the documentation for the `reverse_proxy` directive there is a remark on intercepting responses from the upstream.
This should allow us to send status codes instead of redirections. This would allow us to simplify the code and move parts of the configuration to caddy.
```caddyfile
forward_auth /api/* autho_autho:8081 {
    uri /
    @401-403response {
        status 401,403
    }
    handle_response @401-403response {
        redir * /auth/
    }
}

reverse_proxy /auth/* autho_autho:8080 {
    # handles redirects when needed
    # autho will only send status codes
    @401-403response {
        status 204,401,403
    }
    handle_response @401-403response {
        redir * /auth/
    }
}
```
It seems that the aud_method option for endpoints never arrives with the designated target handler.