Request external login via Authorization endpoint #327

Draft
wants to merge 58 commits into
base: main

@byewokko (Collaborator) commented Dec 1, 2023

solves #316

Summary

  • Clients can request external login at the authorization endpoint using the acr_values query parameter, e.g. acr_values=ext:google.
  • The original authorization request is preserved internally and resumed after a successful external login.
  • When a user logs in and they still have a valid root session+cookie with matching credentials ID, the session is updated, instead of a new one being created.

TODO

  • Revise standard Seacat login flow
    • It should be analogous to and compatible with the external login flow
    • It should use the state parameter instead of redirect_uri (store it in the login session)
    • After successful login, backend should unwrap the state and send back redirect URI (of the authorize request)
  • External login callback endpoint must have a provider_id path parameter (as it did before).
  • Configurable fallback redirect URL for failed external login flow.
  • OPTIONAL: Add navigable endpoint GET /public/ext-login/{provider_id}?state={state} which merely redirects to the external authorization endpoint. This is just a shorthand so that the ugly deep links are not so exposed.
  • OPTIONAL: Add similar navigable endpoint for adding external login for existing users.
  • Webui
    • Login prologue should send state in payload
    • Fix URLs of external login buttons
    • Read redirect URI from PUT login response
    • Confirmation prompt before external credential is linked to seacat credentials

@byewokko byewokko added the enhancement New feature or request label Dec 1, 2023
@byewokko byewokko self-assigned this Dec 1, 2023
@byewokko byewokko marked this pull request as draft December 1, 2023 17:43
@byewokko byewokko added the breaking change This will introduce a breaking change label Dec 14, 2023
# Conflicts:
#	seacatauth/external_login/providers/generic.py
#	seacatauth/external_login/service.py
#	seacatauth/openidconnect/handler/discovery.py
#	seacatauth/openidconnect/service.py
# Conflicts:
#	seacatauth/authn/service.py
#	seacatauth/openidconnect/handler/authorize.py
#	seacatauth/openidconnect/service.py
@byewokko byewokko mentioned this pull request Jan 5, 2024
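
The flow outlined in the Summary, as an added sketch that is not code from this pull request or from Seacat Auth: an `acr_values` entry of the form `ext:<provider>` selects an external login, and the original authorization request is kept server-side under an opaque, single-use, expiring state so nothing client-controlled travels through the external provider. The function names, the in-memory store, the provider allowlist, the fallback to local login and the `example.test` URLs are assumptions.

```python
import secrets
import time
from urllib.parse import parse_qs, urlsplit

EXT_PREFIX = "ext:"
CONFIGURED_PROVIDERS = {"google", "github"}  # assumed allowlist from configuration
PENDING_TTL = 600  # seconds a preserved request stays resumable (assumed value)
_pending = {}  # opaque state -> (expiry, original authorization query)


def requested_provider(acr_values, configured):
    """Return the first configured provider named as ext:<provider>, else None.

    acr_values is a space-separated list; unknown or unconfigured entries are
    ignored rather than trusted.
    """
    for value in (acr_values or "").split():
        if value.startswith(EXT_PREFIX):
            provider = value[len(EXT_PREFIX):]
            if provider in configured:
                return provider
    return None


def begin_authorize(authorize_url):
    """Decide between local and external login for one authorization request."""
    parsed = parse_qs(urlsplit(authorize_url).query)
    query = {key: values[0] for key, values in parsed.items()}
    provider = requested_provider(query.get("acr_values"), CONFIGURED_PROVIDERS)
    if provider is None:
        return {"action": "local_login"}
    # Preserve the whole request server-side; only the random handle leaves.
    state = secrets.token_urlsafe(32)
    _pending[state] = (time.monotonic() + PENDING_TTL, query)
    return {"action": "external_login", "provider": provider, "state": state}


def resume_after_callback(state):
    """Return the preserved request once; None if unknown, reused or expired."""
    entry = _pending.pop(state, None)
    if entry is None or entry[0] < time.monotonic():
        return None
    return entry[1]
```
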