
feat(idtoken-auth): add auth validator using google idtoken #349

Merged
merged 27 commits into from
Feb 16, 2023

Conversation

swallowstalker
Contributor

@swallowstalker swallowstalker commented Jan 17, 2023

Add google idtoken (OIDC) auth validator on grpc interceptor, to provide login via google SSO

How to use it

Just add this line to config.yaml (sample is on internal/server/config.yaml)

AUTH:
  PROVIDER: default   # can be "default" or "oidc"
  DEFAULT:
    # AUTHENTICATED_USER_HEADER_KEY takes priority for backward-compatibility
    HEADER_KEY: X-Auth-Email
  OIDC:
    # add google client audience
    AUDIENCE: "some-kind-of-audience.com"
    # add eligible email domains for your organization, empty string means that no checking will be done
    ELIGIBLE_EMAIL_DOMAINS: "emaildomain1.com,emaildomain2.com"

Tests

Without any request header

curl --location --request GET 'http://localhost:3000/api/v1beta1/appeals'

Response: 401 Unauthorized

{
    "code": 16,
    "message": "invalid authentication credentials"
}

With Authorization header containing idtoken from google SSO

curl --location --request GET 'http://localhost:3000/api/v1beta1/appeals' \
--header 'Authorization: Bearer <idtoken>'

Response: 200 OK (no list of appeals yet because it's empty)

{}
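As an added example (not code from this PR or the guardian project), here is a stdlib-only Go sketch of the validation path the PR describes: Bearer token extraction, audience-bound ID-token verification behind a hypothetical ValidateFunc seam (a real implementation would wrap google.golang.org/api/idtoken), the ELIGIBLE_EMAIL_DOMAINS allowlist with the empty-string meaning from the sample config, and a single Unauthenticated error for every failure. The token strings and emails are constructed test data.

```go
package main

import (
	"context"
	"errors"
	"strings"
)

// ValidateFunc is a hypothetical seam for Google ID-token verification; a real one would wrap google.golang.org/api/idtoken.Validate and return the verified token's email claim.
type ValidateFunc func(ctx context.Context, token, audience string) (string, error)

var ErrUnauthenticated = errors.New("invalid authentication credentials") // gRPC code 16, as in the PR; the reason is never leaked

type OIDCAuth struct { // AUTH.OIDC values from the PR's sample config.yaml plus the validator seam
	Audience             string // expected "aud" claim of the Google ID token
	EligibleEmailDomains string // comma-separated allowlist; "" disables the check
	Validate             ValidateFunc
}

// Authenticate parses "Authorization: Bearer <idtoken>", validates the token and enforces the domain allowlist.
func (a *OIDCAuth) Authenticate(ctx context.Context, authorization string) (string, error) {
	token := strings.TrimSpace(strings.TrimPrefix(authorization, "Bearer "))
	if strings.HasPrefix(authorization, "Bearer ") && token != "" {
		if email, err := a.Validate(ctx, token, a.Audience); err == nil && email != "" && a.domainEligible(email) {
			return email, nil
		}
	}
	return "", ErrUnauthenticated
}

// domainEligible compares the part after the last "@" with ELIGIBLE_EMAIL_DOMAINS.
func (a *OIDCAuth) domainEligible(email string) bool {
	if strings.TrimSpace(a.EligibleEmailDomains) == "" {
		return true // empty string means no checking, as the config comment says
	}
	at := strings.LastIndex(email, "@")
	for _, d := range strings.Split(a.EligibleEmailDomains, ",") {
		if at >= 0 && strings.EqualFold(strings.TrimSpace(d), email[at+1:]) {
			return true
		}
	}
	return false
}

// NewExampleOIDCAuth wires the PR's sample config values to a constructed stand-in for Google's verifier: two known tokens map to emails, anything else is rejected.
func NewExampleOIDCAuth() *OIDCAuth {
	fake := map[string]string{"tok-alice": "alice@emaildomain1.com", "tok-eve": "eve@example.org"}
	return &OIDCAuth{Audience: "some-kind-of-audience.com", EligibleEmailDomains: "emaildomain1.com,emaildomain2.com",
		Validate: func(_ context.Context, token, aud string) (string, error) {
			if email, ok := fake[token]; ok && aud == "some-kind-of-audience.com" {
				return email, nil
			}
			return "", errors.New("token rejected")
		}}
}
```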

@swallowstalker swallowstalker changed the title draft: feat(idtoken-auth): add auth validator using google idtoken feat(idtoken-auth): add auth validator using google idtoken Jan 18, 2023
@swallowstalker swallowstalker marked this pull request as ready for review January 18, 2023 10:15
@bsushmith
Member

@swallowstalker can you create an issue along with details what this feature is about and what it will solve, and link it with this PR ?

@swallowstalker
Contributor Author

> @swallowstalker can you create an issue along with details what this feature is about and what it will solve, and link it with this PR ?

Sure, will create it shortly. Sorry if there's only a very short description and background about this PR.

@swallowstalker
Contributor Author

@bsushmith here is the issue #350

@swallowstalker swallowstalker force-pushed the feat/idtoken-auth-validator branch from b45d454 to 2e9c4a1 Compare January 24, 2023 14:05
@swallowstalker
Contributor Author

> @swallowstalker one more thing i noticed, we can move the mocks in the same package for which it is used. You can refer to other mocks implementations and placement.

I have moved OIDCValidator mock to pkg/auth/mocks directory 👍

@ravisuhag
Member

@swallowstalker Please see if you can find some time to fix test and the above mentioned comment. We can go ahead and merge it then

@swallowstalker
Contributor Author

> @swallowstalker Please see if you can find some time to fix test and the above mentioned comment. We can go ahead and merge it then

Sorry, I was on call last week. Will fix that in a few days.

@rahmatrhd rahmatrhd changed the base branch from main to 0.6.x February 14, 2023 06:30
@rahmatrhd rahmatrhd requested a review from ravisuhag February 14, 2023 07:15
@swallowstalker swallowstalker requested review from rahmatrhd and ravisuhag and removed request for ravisuhag, AkarshSatija, mabdh, bsushmith and rahmatrhd February 15, 2023 03:57
Member

@rahmatrhd rahmatrhd left a comment


LGTM

@mabdh mabdh merged commit a4b0c5d into raystack:0.6.x Feb 16, 2023
@rahmatrhd
Member

@swallowstalker I've created v0.6.0-alpha.1 release, you can use this to test from your side 🙂

@ravisuhag
Member

@swallowstalker Thanks a lot for your contribution :)

@rahmatrhd rahmatrhd mentioned this pull request Feb 20, 2023
rahmatrhd added a commit that referenced this pull request Feb 20, 2023
* feat(idtoken-auth): add auth validator using google idtoken (#349)

* docs: add idtoken validation on sample config.yaml

* feat: add auth config to replace idtoken validator config, and refactor default auth header key

* refactor: move auth interceptor to pkg/auth

* chore: delete idtoken validator mock

* feat: keep config.AuthenticatedUserHeaderKey for backward-compatibility

* chore: re-order import

* refactor: change sample config.yaml for auth config

* chore: make auth user header key sample and default config consistent

* chore: re-order import on oidc test

* fix: change oidc initialism

* fix: oidc validator mocks renaming

* fix: avoid using params with pointer, as it will lead to panic if params is nil

* fix: detect old auth user header key using empty string instead of default tag

* refactor: move OIDCAuth to pkg/auth

* refactor: move oidc validator mocks into pkg/auth/mocks

* chore: add deprecation notes on AuthenticatedUserHeaderKey

* refactor: make default auth email context key back to unexported, use different context key for oidc email

* refactor: do not use default header key on oidc auth, use its own header (it's only used for logrus)

* refactor: move logrus context custom fields to new interceptor and retrieve its value from context

* refactor: auth email context key mapping for default and oidc used for grpc server

* test: change ways of getting user email from request header to context

* refactor: use auth.OIDCAuth instead of OIDCValidatorParams

* feat(gcs): support import grants for gcs provider (#360)

* feat(gcs): support import grants for gcs provider

* refactor(gcs): use projectID value from struct field and remove from GetBuckets' param

* refactor(gcs): refactor repeated logic to retrieve gcs client

* refactor(gcs): improve code readability

* fix(gcs): exclude deleted principals (#364)

* refactor(gcs): use account type whitelisting

* fix(gcs): exclude deleted principals

* fix(gcs): fix timeout by running getPolicy in parallel (#365)

---------

Co-authored-by: Pulung Ragil <[email protected]>
Successfully merging this pull request may close these issues.

Add authentication to guardian using google idtoken (from google SSO login)
5 participants