Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add built-in support for Oidc tokens #1282

Merged
merged 8 commits into from
Aug 5, 2024
Merged

Add built-in support for Oidc tokens #1282

merged 8 commits into from
Aug 5, 2024

Conversation

AlexF4Dev
Copy link
Contributor

@AlexF4Dev AlexF4Dev commented Jul 10, 2024
edited
Loading

The pull request adds support for OIDC access tokens. It uses PKCE flow to acquire tokens - no stored secrets required. The tokens are cached, and refresh token is used when the access token is expired. It can be used with any identity provider which supports PKCE OpenID Connect flow.

Example for Google:

GET https://openidconnect.googleapis.com/v1/userinfo
Authorization: Bearer {{$oidcAccessToken clientId:786371393912-ahu1p5p81n2pj4fa90bo33pirr1mroeu.apps.googleusercontent.com callbackPort:7777 authorizeEndpoint:https://accounts.google.com/o/oauth2/v2/auth tokenEndpoint:https://oauth2.googleapis.com/token}}
Accept: application/json

Example for Microsoft:

GET https://graph.microsoft.com/oidc/userinfo
Authorization: Bearer {{$oidcAccessToken clientId:336c0138-03e7-4183-a398-3e63445dd5f5 callbackPort:7777 authorizeEndpoint:https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize tokenEndpoint:https://login.microsoftonline.com/consumers/oauth2/v2.0/token}}
Accept: application/json

The example will call an API with google access token. For google the app should be registered as UWP to use PKCE without the client secret.

@AlexF4Dev AlexF4Dev force-pushed the master branch 4 times, most recently from e1e440a to e838bb6 Compare July 10, 2024 23:26
@AlexF4Dev AlexF4Dev mentioned this pull request Jul 10, 2024
Open
@AlexF4Dev AlexF4Dev force-pushed the master branch 14 times, most recently from f492236 to 2a7ef2f Compare July 11, 2024 22:35
@AlexF4Dev
Added support for google clientId and improved error handling
995dc91 
Added support for google clientId and improved error handling
@Huachao
Copy link
Owner

Huachao commented Jul 25, 2024

@AlexF4Dev please check these alerts

@AlexF4Dev
Copy link
Contributor Author

@AlexF4Dev please check these alerts

The first alert is probably false positive, because this is not a webapp. I have fixed regex warnings.

Huachao
Huachao requested changes Jul 31, 2024
View reviewed changes
src/common/constants.ts Outdated
@@ -24,6 +24,11 @@ export const AzureActiveDirectoryDescription = "Prompts to sign in to Azure AD a
export const AzureActiveDirectoryV2TokenVariableName = "$aadV2Token";
export const AzureActiveDirectoryV2TokenDescription = "Prompts to sign in to Azure AD V2 and adds the token to the request";

export const OidcVariableName = "$oidcAccessToken";
export const OidcDescription = "Prompts to sign in to an Oidc provider and adds the token to the request";
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove extra whitespace in description

src/utils/memoryCache.ts Outdated
this.cache.set(key, value);
}

public clear(): void {
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove extra whitespace between access modifier public and method name in this file

src/utils/auth/oidcClient.ts Fixed Show resolved Hide resolved
@AlexF4Dev
Copy link
Contributor Author

Trust nobody even IDP :-). I have added sanitizeHTML to prevent the script injection. Do we need support for DPOP/MTLS? It could be used to access API's protected by FAPI.

@Huachao Huachao merged commit bed691a into Huachao:master Aug 5, 2024
2 of 5 checks passed
@Huachao
Copy link
Owner

Huachao commented Aug 5, 2024

@AlexF4Dev Merged, thanks

@DocMoebiuz DocMoebiuz mentioned this pull request Nov 12, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Huachao Huachao Huachao approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@AlexF4Dev @Huachao