Add authorization code support #29

Open
EvilLord666 opened this issue Aug 2, 2023 · 5 comments

@EvilLord666
Member

EvilLord666 commented Aug 2, 2023

[authorization code mechanism](https://www.keycloak.org/docs/latest/securing_apps/#_oidc)

This task is not about the full authorization code flow, because that depends on the User Agent and here we develop the backend only; however, this part is up to the Ferrum backend:

The application then uses the authorization code along with its credentials to obtain an Access Token, Refresh Token and ID Token from Keycloak.

@awsoremod
Contributor

The Authorization Code flow redirects the user agent to Keycloak. Once the user has successfully authenticated with Keycloak, an Authorization Code is created and the user agent is redirected back to the application. The application then uses the authorization code along with its credentials to obtain an Access Token, Refresh Token and ID Token from Keycloak.

The flow is targeted towards web applications, but is also recommended for native applications, including mobile applications, where it is possible to embed a user agent.

For more details refer to the Authorization Code Flow in the OpenID Connect specification.

@awsoremod
Contributor

This section describes how to perform authentication using the Authorization Code Flow. When using the Authorization Code Flow, all tokens are returned from the Token Endpoint.

The Authorization Code Flow returns an Authorization Code to the Client, which can then exchange it for an ID Token and an Access Token directly. This provides the benefit of not exposing any tokens to the User Agent and possibly other malicious applications with access to the User Agent. The Authorization Server can also authenticate the Client before exchanging the Authorization Code for an Access Token. The Authorization Code flow is suitable for Clients that can securely maintain a Client Secret between themselves and the Authorization Server.

@awsoremod
Contributor

The Authorization Code Flow goes through the following steps.

1. Client prepares an Authentication Request containing the desired request parameters.
2. Client sends the request to the Authorization Server.
3. Authorization Server Authenticates the End-User.
4. Authorization Server obtains End-User Consent/Authorization.
5. Authorization Server sends the End-User back to the Client with an Authorization Code.
6. Client requests a response using the Authorization Code at the Token Endpoint.
7. Client receives a response that contains an ID Token and Access Token in the response body.
8. Client validates the ID token and retrieves the End-User's Subject Identifier.

@awsoremod
Contributor

awsoremod commented Oct 6, 2024

Pipeline in Keycloak

1. from agent: GET
   http://localhost:8080/realms/master/protocol/openid-connect/auth?response_type=code&client_id=test&state=state_value&scope=offline_access&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Ftest-callback

   response: HTML with a POST form (login or email, and password). Contains:

   ```js
   checkCookiesAndSetTimer(
               "/realms/master/login-actions/restart?client_id=test&tab_id=__1o7N2Hxno&client_data=eyJydSI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC90ZXN0LWNhbGxiYWNrIiwicnQiOiJjb2RlIiwic3QiOiJzdGF0ZV92YWx1ZSJ9&skip_logout=true"
           );
   ```

   ```html
   <form id="kc-form-login" class="pf-v5-c-form" onsubmit="login.disabled = true; return true;" action="http://localhost:8080/realms/master/login-actions/authenticate?session_code=TsJRi4n0YHMDfySRbmcOa3nhAs7sjtciT5PgTpak45s&amp;execution=e60bc341-9a67-4b29-b600-4f13d401985a&amp;client_id=test&amp;tab_id=__1o7N2Hxno&amp;client_data=eyJydSI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC90ZXN0LWNhbGxiYWNrIiwicnQiOiJjb2RlIiwic3QiOiJzdGF0ZV92YWx1ZSJ9" method="post" novalidate="novalidate">
   ```

2. from agent: send POST from the HTML form

   response with status code 302; the Location header contains the code:

   ```
   Location: http://localhost:8080/test-callback?state=state_value&session_state=9a2c6510-33c8-415e-bc98-ee09b1bdfda4&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Fmaster&code=cb8cc342-5a03-4198-a501-5c52aacb7e3e.9a2c6510-33c8-415e-bc98-ee09b1bdfda4.295693c8-e13f-49e9-8f94-bcd1ad841963
   ```

3. from agent: get token using the code

   ```http
   POST http://localhost:8080/realms/master/protocol/openid-connect/token
   Authorization: Basic dGVzdDpVSmZGTVM3ejltd21rQXFBbXpsc2ZqMzh3RkdhdlNSVQ==
   ```

   Request body:

   ```
   grant_type: "authorization_code"
   code: "cb8cc342-5a03-4198-a501-5c52aacb7e3e.9a2c6510-33c8-415e-bc98-ee09b1bdfda4.295693c8-e13f-49e9-8f94-bcd1ad841963"
   redirect_uri: "http://localhost:8080/test-callback"
   ```

   response:

   ```json
   {"access_token":"eyJ...g","expires_in":60,"refresh_expires_in":0,"refresh_token":"ey...Xg","token_type":"Bearer","not-before-policy":0,"session_state":"9a2c6510-33c8-415e-bc98-ee09b1bdfda4","scope":"email offline_access profile"}
   ```
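
Added example (not Ferrum's code and not posted in this thread): a minimal Go token endpoint for the part of this pipeline that is up to the backend, the final exchange of the code for tokens, which is also the "Client requests a response using the Authorization Code at the Token Endpoint" step of the spec list quoted above. It authenticates the client from the Basic header with a constant-time comparison, then redeems the code only once and only while it is unexpired and the client_id and redirect_uri match the ones the code was issued for, so a replayed code or a mismatched redirect_uri is refused with invalid_grant. The client id `test`, its secret, the callback URL, the user `alice` and the in-memory store are constructed for the example; the access token is a placeholder string, not a signed JWT.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
	"time"
)

// authCode is what the server must remember between the ?code=... redirect and the token POST.
type authCode struct {
	clientID, redirectURI, subject string
	expires                        time.Time
}

// codeStore is a constructed in-memory, single-use store; a real server persists this.
type codeStore struct {
	mu    sync.Mutex
	codes map[string]authCode
}

// Issue mints an unguessable, short-lived code bound to the client_id and redirect_uri of the /auth request.
func (s *codeStore) Issue(clientID, redirectURI, subject string) string {
	buf := make([]byte, 32)
	rand.Read(buf) // crypto/rand never returns an error on supported platforms (Go 1.24+)
	code := hex.EncodeToString(buf)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.codes[code] = authCode{clientID, redirectURI, subject, time.Now().Add(time.Minute)}
	return code
}

// Redeem deletes the code on every attempt (single use: a replay burns it) and accepts it only
// if it is unexpired and presented by the same client_id and redirect_uri it was issued to.
func (s *codeStore) Redeem(code, clientID, redirectURI string) (authCode, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	c, ok := s.codes[code]
	delete(s.codes, code)
	if !ok || time.Now().After(c.expires) || c.clientID != clientID || c.redirectURI != redirectURI {
		return authCode{}, false
	}
	return c, true
}

type tokenServer struct {
	store   *codeStore
	clients map[string]string // client_id -> client_secret (constructed values)
}

// ServeHTTP is the token endpoint: authenticate the client first, then check the grant.
func (t *tokenServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	deny := func(status int, e string) { http.Error(w, `{"error":"`+e+`"}`, status) } // text/plain here; a real endpoint sends JSON
	if r.Method != http.MethodPost || r.ParseForm() != nil {
		deny(http.StatusBadRequest, "invalid_request")
		return
	}
	id, secret, ok := r.BasicAuth() // the "Authorization: Basic ..." header of the token request above
	want := t.clients[id]          // "" for unknown clients; compare in constant time
	if !ok || want == "" || subtle.ConstantTimeCompare([]byte(secret), []byte(want)) != 1 {
		deny(http.StatusUnauthorized, "invalid_client")
		return
	}
	if r.PostForm.Get("grant_type") != "authorization_code" {
		deny(http.StatusBadRequest, "unsupported_grant_type")
		return
	}
	c, ok := t.store.Redeem(r.PostForm.Get("code"), id, r.PostForm.Get("redirect_uri"))
	if !ok {
		deny(http.StatusBadRequest, "invalid_grant")
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]any{ // placeholder token; a real server issues a signed JWT
		"access_token": "access-for-" + c.subject, "token_type": "Bearer", "expires_in": 60})
}

// exchange sends the same request shape the application uses in the pipeline above, in-process,
// and returns the status code and raw response body.
func exchange(ts *tokenServer, clientID, secret, code, redirectURI string) (int, string) {
	form := url.Values{"grant_type": {"authorization_code"}, "code": {code}, "redirect_uri": {redirectURI}}
	req := httptest.NewRequest(http.MethodPost, "/realms/master/protocol/openid-connect/token", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, secret)
	rec := httptest.NewRecorder()
	ts.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	// client "test", its secret and the callback URL are constructed values
	ts := &tokenServer{store: &codeStore{codes: map[string]authCode{}}, clients: map[string]string{"test": "constructed-secret"}}
	code := ts.store.Issue("test", "http://localhost:8080/test-callback", "alice")
	fmt.Println(exchange(ts, "test", "constructed-secret", code, "http://localhost:8080/test-callback")) // 200 and a token
	fmt.Println(exchange(ts, "test", "constructed-secret", code, "http://localhost:8080/test-callback")) // 400 invalid_grant: replay
}
```

Running it prints a 200 with a token for the first exchange and a 400 with invalid_grant for the second, because the first redemption deleted the code. A failed attempt deletes the code as well: RFC 6749 requires a reused code to be denied and recommends revoking tokens already issued on it, so burning the code on any mismatch is the conservative choice rather than leaving it available for another try.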

@EvilLord666
Member Author

It seems that we have to add all these handlers; however, we have to consider the following:

1. We should build the HTML dynamically using pure.css
2. We should consider a dictionary of captions and titles for every HTML item (text box, password box and buttons)

Status: Backlog
No branches or pull requests

2 participants