Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Oauth Implementation #416

Closed
yinho999 opened this issue Feb 4, 2024 · 23 comments
Closed

Oauth Implementation #416

yinho999 opened this issue Feb 4, 2024 · 23 comments
Assignees
Labels
enhancement New feature or request

Comments

@yinho999
Copy link
Contributor

yinho999 commented Feb 4, 2024

Feature Request

Hope we can add Oauth to the starter kit as an option for authorization. Might need to move auth into a separate crate
https://www.shuttle.rs/blog/2023/08/30/using-oauth-with-axum

@yinho999 yinho999 added the enhancement New feature or request label Feb 4, 2024
@arferreira
Copy link
Contributor

I really need this feature, that's because users have been complaining a bit during signup process....

@yinho999
Copy link
Contributor Author

yinho999 commented Feb 4, 2024

@kaplanelad I am thinking whether we should migrate the authentication process to a dedicated crate, such as Active Store for storage, to enhance the authorization/authentication management. Could you please share your thoughts on this issue?

@jondot
Copy link
Contributor

jondot commented Feb 4, 2024

The shuttle blog covers most bases for a generic oauth impl (need to add provider column). I believe the first person that implements such a mechanism will end up with:

  1. A controller that can handle multi provider callbacks (e.g. google/callback, facebook/callback etc.), registering new users with valid authentication, logging in, expiring provider sessions.
  2. [optional] A migration that adds an oauth token table (here called sessions) to user relation (not a must to actually wire it as a relation, this can be a standalone session table)
  3. A new table: oauth_provider_sessions, capturing: user id, provider token, provider type, metadata (expiration, etc)

All in all, this can be just 2 files: 1 controller, 1 migration, to copy to your project to have this functionality.

If anyone already has this "live" on their Loco project, we can take it and make it generalistic for the SaaS starter.

@yinho999
Copy link
Contributor Author

yinho999 commented Feb 4, 2024

@jondot I would like to work on this sample project.

@jondot
Copy link
Contributor

jondot commented Feb 4, 2024

@yinho999 sure thing! i will assign you, thanks!

@yinho999
Copy link
Contributor Author

yinho999 commented Feb 4, 2024

@jondot @arferreira I have successfully implemented a working example by following the Shuttle guide. All dependencies from Shuttle have been removed, and the code has been updated to Axum v0.7. I plan to start integrating Oauth2 into the SaaS starter tomorrow.
https://github.com/yinho999/loco-playground/blob/oauth/src/bin/oauth.rs

@kaplanelad
Copy link
Contributor

@yinho999 do you think we need to add this documentation in loco.rs website?

About your very nice, do you want to write a blog post on that?

@yinho999
Copy link
Contributor Author

yinho999 commented Feb 6, 2024

@kaplanelad Yes, I agree with the idea of adding the OAuth2 documentation to the site to guide developers on how to use the functionality. I can also write a blog post about OAuth2 after the code, tests, and documentation are completed.

@arferreira
Copy link
Contributor

@yinho999 do you think we need to add this documentation in loco.rs website?

About your very nice, do you want to write a blog post on that?

I think it is essential, after applying it here at the company I will create a blog post explaining its use.

@kaplanelad
Copy link
Contributor

thanks @arferreira

@yinho999
Copy link
Contributor Author

yinho999 commented Feb 8, 2024

@arferreira @kaplanelad @jondot Sorry for the late update. Over the last few days, I've been doing some research and found out that our shuttle implementation of the Authorized Code Granted might have a potential security issue, mainly because the CSRF token isn't being generated or verified.

I've gone ahead and made some revisions to address this issue in both my demo code and the code I'm currently working on. Could I ask for your feedback on the updates, especially regarding the code structure?

https://github.com/yinho999/loco-playground/blob/oauth/src/bin/oauth.rs

@kflk
Copy link

kflk commented Feb 21, 2024

What about WEBAUTHN and passkeys? Google, Apple, Microsoft etc have recently added support. You might take some inspiration from rusty Kanidm identity management. https://github.com/kanidm/webauthn-rs

@yinho999
Copy link
Contributor Author

yinho999 commented Feb 21, 2024

@kflk According to my knowledge the Webauthn and Passkeys are not related with the OAuth protocol. Would you mind creating a separate ticket for Webauthn and Passkeys and we can discuss there, please?

@yinho999
Copy link
Contributor Author

@arferreira Quick update about this issue. I have completed the coding for the library and the demo, including tests for the Authorization Code Grant. The documentation will be finished within the next two days, after which I will create a pull request for the Authorization Code Grant feature.

yinho999 added a commit to yinho999/loco that referenced this issue Feb 22, 2024
@yinho999
Copy link
Contributor Author

@jondot @kaplanelad @arferreira Would you guys provide me some feedback for improvment please? Thanks!👍

@arferreira
Copy link
Contributor

Hey @yinho999 can you help me to test it with loco?

@yinho999
Copy link
Contributor Author

yinho999 commented Mar 5, 2024

Hey @yinho999 can you help me to test it with loco?

What can I help?

@arferreira
Copy link
Contributor

Hey @yinho999 can you help me to test it with loco?

What can I help?

Actually you helped lol

@yinho999
Copy link
Contributor Author

@jondot @kaplanelad
https://docs.rs/axum-extra/latest/axum_extra/extract/cookie/struct.PrivateCookieJar.html

I am migrating the OAuth2 feature from the Loco library and converting it into an initializer. However, there is one problem that stops me from doing that. I am currently using the PrivateCookieJar to handle the user information between endpoints. The PrivateCookieJar requires AppState to implement the FromRef trait for Key to convert it. However since AppContext is located within the loco_rs crate, I cannot add the field into the AppContext and implement the FromRef trait into AppContext(violate orphan rule).

// this impl tells `SignedCookieJar` how to access the key from our state
impl FromRef<AppState> for Key {
    fn from_ref(state: &AppState) -> Self {
        state.key.clone()
    }
}

Screenshot from 2024-03-13 19-59-57

@yinho999
Copy link
Contributor Author

@jondot @kaplanelad I finished migrating and perfecting the code the previous week. Could you guys review the library and provide me with some feedback, please?
https://crates.io/crates/loco-oauth2

@dinosath
Copy link
Contributor

Is there any plan to merge or add some parts of the loco-oauth2 crate to the loco-extras?

@yinho999
Copy link
Contributor Author

Is there any plan to merge or add some parts of the loco-oauth2 crate to the loco-extras?

Currently I don't have any plan to merge/add the loco-oauth2 crate to loco-extras.

@kaplanelad
Copy link
Contributor

Thanks, @yinho999, for creating this crate! I'm sure it helps a lot of users with this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

6 participants