
Switch from token-based to OIDC-ish login #249

Open
nyiyui opened this issue Jan 8, 2024 · 6 comments
Labels
enhancement New feature or request

Comments

@nyiyui
Member

nyiyui commented Jan 8, 2024

Currently, the app and React-based client use the /api/auth/token endpoint with a username+password pair to log in the user.
/api/auth/token relies on JWTs (pros/cons listed below), and

Pros to /api/auth/token:

  • nothing that I can think of

Cons to /api/auth/token:

  • extra RSA certificate to take care of
  • non-instant token expiry (might be wrong, but I'm not aware of such a feature in the Django backend code)
  • more attack surface (3 ways of logging in - /api/auth/token, Django (web+admin), OAuth/OIDC-ish)

Two ways to move forward:

Authentication Proxy Server

app and client use an authentication proxy server (authproxy) (have to check if this is secure) with the Resource-Owner Password (ROP) flow. authproxy is required to make the OAuth client confidential.

Pros:

  • look-and-feel is preserved (especially app)

Cons:

  • more code (but separate from Django backend code)

Migrate to OIDC

app and client migrate to OIDC (no ROP flow)

Pros:

  • less attack surface - 2 ways of logging in - Django (web+admin) and OAuth via Django

Cons:

  • look-and-feel is disrupted (especially app)
@nyiyui nyiyui added the enhancement New feature or request label Jan 8, 2024
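The "non-instant token expiry" con above is the core trade-off of a stateless JWT login: once a token is signed, nothing the server does at logout changes the token, so it stays valid until `exp` unless the server keeps state. The example below is added here to illustrate that point; it is not code from this project and does not describe how the Django backend's /api/auth/token is implemented. It mints an HS256 JWT with only the standard library (the secret, subject, `jti` values and timestamps are constructed for the example), checks it the stateless way, and then adds a server-side denylist keyed by `jti`, which is the minimum needed for a logout to take effect immediately.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for the example only; a real service loads it from configuration.
SECRET = b"example-hmac-secret-not-for-production"


def _b64url(data: bytes) -> str:
    """base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, jti: str, issued_at: int, ttl: int = 3600) -> str:
    """Mint an HS256 JWT. After this point the token is immutable: the server
    can only change its mind about it by remembering something on its side."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "jti": jti, "iat": issued_at, "exp": issued_at + ttl}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(payload)}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def _parse_verified(token: str) -> Optional[dict]:
    """Return the payload if the header is the expected alg and the HMAC checks
    out; otherwise None. The alg pin prevents a token from choosing its own
    algorithm (e.g. "none")."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        signature = _b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(_b64url_decode(p))


def verify_stateless(token: str, now: int) -> Optional[dict]:
    """The purely stateless check: signature plus exp. A logout has no way to
    influence this function, which is exactly the 'non-instant expiry' problem."""
    payload = _parse_verified(token)
    if payload is None or now >= payload["exp"]:
        return None
    return payload


class RevocableVerifier:
    """Same check, plus a server-side denylist keyed by jti. Entries only need to
    live until the token's exp, after which the stateless check rejects it anyway."""

    def __init__(self) -> None:
        self.revoked: dict[str, int] = {}  # jti -> exp, so old entries can be pruned

    def revoke(self, token: str) -> bool:
        payload = _parse_verified(token)
        if payload is None:
            return False
        self.revoked[payload["jti"]] = payload["exp"]
        return True

    def prune(self, now: int) -> None:
        self.revoked = {j: e for j, e in self.revoked.items() if e > now}

    def verify(self, token: str, now: int) -> Optional[dict]:
        payload = verify_stateless(token, now)
        if payload is None or payload["jti"] in self.revoked:
            return None
        return payload


if __name__ == "__main__":
    t = issue_token("alice", "jti-1", issued_at=1_000)
    rv = RevocableVerifier()
    rv.revoke(t)  # "logout"
    print("stateless still accepts:", verify_stateless(t, now=1_010) is not None)
    print("revocable rejects:", rv.verify(t, now=1_010) is None)
```

The denylist is the state that a stateless-JWT design was trying to avoid; it has to be shared by every instance that validates tokens (a database table or cache), which is why short `ttl` values plus a refresh step, or a session-backed login such as Django's own, are the usual alternatives.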
@JasonLovesDoggo
Member

no authproxy. we do not need an extra service

@nyiyui
Member Author

nyiyui commented Jan 8, 2024

Agreed... I would've loved writing security-critical code in RISC assembly, though! (just kidding)

@nyiyui
Member Author

nyiyui commented Jan 8, 2024

/cc @Trentiumz @mars-flat as client and app leads

@JasonLovesDoggo
Member

> Agreed... I would've loved writing security-critical code in RISC assembly, though! (just kidding)

I don't trust your "secure" code.... you've printed passwords & allowed anyone to bypass all authentication on api 😨

@nyiyui
Member Author

nyiyui commented Jan 8, 2024

That's true! I'm sure I've learned lessons from them, and 90% sure I won't make those mistakes again (by staying away from security code...)!

@JasonLovesDoggo
Member

> That's true! I'm sure I've learned lessons from them, and 90% sure I won't make those mistakes again (by staying away from security code...)!

to anyone reading this in the future... ken is a very trustworthy and cool person!!! HIRE THEM (and me too pls I'm probably struggling and jobless.....wow look at my cool contribution history)
