Skip to content

feat(auth): add optional OIDC-based JWT validation for API routes #30

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 141 commits into from
Closed

feat(auth): add optional OIDC-based JWT validation for API routes #30

wants to merge 141 commits into from

Conversation

jescalada
Copy link
Collaborator

@jescalada jescalada commented Mar 1, 2025
edited
Loading

This PR adds optional JWT validation middleware for /repo, /user, and /push endpoints.

  • If jwt auth method is present and enabled in the proxy.config.json

    • When logging in through the UI, you can access data as usual
    • Direct API requests require a JWT bearer token to go through
      • The JWT token is validated through the configuration in the jwtConfig in proxy.config.json.
      • The user issues their own JWT using the clientID, authorityURL (and potentially, the expectedAudience) provided in the config

  • If jwt is not enabled, it works as it used to.

    • All API resources are accessible even to unlogged users
    • No JWT is required

To activate the JWT check, you must fill in the JWT details (proxy.config.json). The following will let you verify against my Google testing app:

{
  "type": "jwt",
  "enabled": true,
  "jwtConfig": {
    "clientID": "1009968223893-u92qq6itk7ej5008o4174gjubs5lhorg.apps.googleusercontent.com",
    "authorityURL": "https://accounts.google.com"
  }
}

You can manually generate a sample JWT by accessing the following link in your browser:

https://accounts.google.com/o/oauth2/auth?client_id=1009968223893-u92qq6itk7ej5008o4174gjubs5lhorg.apps.googleusercontent.com&redirect_uri=http://localhost:8080/api/auth/oidc/callback&response_type=code&scope=openid%20email%20profile

Upon successful login, it will redirect to the callback URL containing an auth code (code query param). Replace AUTHORIZATION_CODE below with the code, to issue a JWT:

curl -X POST "https://oauth2.googleapis.com/token" \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -d "client_id=1009968223893-u92qq6itk7ej5008o4174gjubs5lhorg.apps.googleusercontent.com" \
     -d "client_secret=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" \
     -d "code=AUTHORIZATION_CODE" \
     -d "grant_type=authorization_code" \
     -d "redirect_uri=http://localhost:8080/api/auth/oidc/callback"

Note: Although my Google app secrets are exposed, only registered emails can use it. Let me know if you'd like to test it out, and I can add your email to the app!

Changelog

  • Add a jwtAuthHandler middleware for /repo, /user, and /push endpoints
    • JWT check is optional based on config
    • Descriptive 401 errors are returned if failed to verify
      • Missing token
      • Missing configuration
      • Invalid token format/algorithm
      • Expired token

@jescalada
feat(auth): add NotAuthorized and NotFound pages
f2c1182
@jescalada
feat(auth): add AuthProvider and PrivateRoute wrapper
256523f
@jescalada
chore(auth): rename userLoggedIn endpoint
516ed7f
@jescalada
chore(auth): refactor routes to use PrivateRoute guard
47e95d4
@jescalada
fix(auth): temporary fix for username edit redirect
893e0b1
@jescalada
fix(auth): access user admin status correctly
d049463
@jescalada
chore(auth): refactor /admin routes into /dashboard
db04af6
@jescalada
chore(auth): rename Admin files into Dashboard
9736801
@jescalada
test(auth): Add default login redirect E2E test
e7ec1f0
@jescalada
fix(auth): fix redirect on local login
3702acd
@jescalada
fix(auth): improve error handling on repos page
f2560ab
@jescalada
test(auth): fix failing test (login before accessing page)
24ca06f
@jescalada
test(auth): fix login command and simplify login flow
2146bc0
@jescalada
feat(auth): refactor and improve existing auth methods
884f0a6
@jescalada
feat(auth): configure passport with all enabled auth methods
ce6023b
@jescalada
test(auth): fix tests for multiple auth methods
68fa115
@jescalada
Merge branch 'oidc-implementation' into enable-multiple-auth-methods
0a74501
@jescalada
fix(auth): refactor how auth strategies are loaded into API route mid…
627c0ea 
…dleware
@jescalada
feat(auth): add JWT strategy and fix
534beeb
@jescalada
feat(auth): add dynamicAuthHandler middleware
8b1a173
@jescalada jescalada self-assigned this Mar 1, 2025
@jescalada jescalada force-pushed the add-oidc-auth-to-api-through-jwt branch from f2c5e5e to c5b45b2 Compare March 8, 2025 05:07
JamieSlome and others added 28 commits May 20, 2025 15:49
@JamieSlome
Merge pull request finos#935 from G-Research/denis-coric/remote-config
fcc5a4c 
feat: implements config loader to enable remote or external configs
@JamieSlome
chore: bump by minor to v1.14.0
0883127
@JamieSlome
Merge pull request finos#1021 from finos/release-1.14.0
fc6f166 
chore: bump by minor to v1.14.0
@jescalada
fix(auth): fix bug when calling createUser on admin creation
0ddd27b
@jescalada
Merge remote-tracking branch 'origin/main' into enable-multiple-auth-…
3484694 
…methods
@jescalada
chore(auth): add sample oidc config
e32408c
@jescalada
fix: admin to dashboard rename issues
c83421d
@jescalada
fix: failing Cypress test
bab0061
@jescalada
test(auth): add proxyquire for mocking
70dd346
@jescalada
test(auth): improve test coverage
71e7e52
@jescalada
test(auth): fix service close issue
678d932
@jescalada
test(auth): add extra tests and fix linter issues
ee8f2c1
@jescalada
fix: replaced loading text with actual spinner and removed debug lines
e96e876
@jescalada
feat: add snackbar for repo fetching errors
fd962d2
@jescalada
fix: revert react missing from PrivateRoute scope
304a2ec
@jescalada
Merge branch 'main' into layout-auth-decoupling
67d4155
@JamieSlome
Merge pull request finos#961 from jescalada/layout-auth-decoupling
a03b1e0 
fix: decouple UI layout from admin routes
@JamieSlome
chore: bump by minor to v1.15.0
e220699
@JamieSlome
Merge pull request finos#1034 from finos/release-1.15.0
4e77a0f 
chore: bump by minor to v1.15.0
@jescalada
Merge remote-tracking branch 'origin/main' into enable-multiple-auth-…
ddc20bf 
…methods
@jescalada
Merge branch 'enable-multiple-auth-methods' into add-oidc-auth-to-api…
32537ee 
…-through-jwt
@jescalada
chore: set default empty config
ec75f33
@jescalada
chore: clean up auth methods
048446f
@JamieSlome
Merge pull request finos#963 from jescalada/enable-multiple-auth-methods
dc69622 
feat: enable multiple auth methods
@JamieSlome
chore: bump by minor to v1.16.0
c760d14
@JamieSlome
Merge branch 'main' into add-oidc-auth-to-api-through-jwt
a287ab7
@JamieSlome
Merge pull request finos#1035 from finos/release-1.16.0
98f6db8 
chore: bump by minor to v1.16.0
@JamieSlome
Merge branch 'main' into add-oidc-auth-to-api-through-jwt
6912ba1
@jescalada
Copy link
Collaborator Author

Merged in finos#967.

@jescalada jescalada closed this Jun 7, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@jescalada jescalada

Labels
feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Implement OIDC for accessing API routes
8 participants
@jescalada @codecov-commenter @JamieSlome @kriswest @06kellyjac @StingRayZA @TheJuanAndOnly99 @dcoric