In this project, we will attempt to implement an OIDC (OpenID Connect) Authentication/Authorization Server. The project consists of the following repos:
- Auth Server: the authorization server that tracks the users and clients that are protected by it.
- Admin React App: the admin React app used to manage users and clients protected by the auth server.
- Resource Provider Example: a resource provider example that demonstrates how to protect an API.
- Wiki: extensive documentation and explanations as well as tutorials on how OAuth 2.0 and OIDC work.
- Project Board: the project board that tracks the progress of all projects.
- Well Known Config: the current well-known configuration of the OIDC server.
!!! Make sure your node version is above 12.0 !!!
npm install
Inside the src/hosts.js file:
- If you are working on your own, localhost should be equal to "localhost"
- If you are working in a team, one person has to add their IP address to run the server (localhost = "xxx.xxx.xxx")
- Inside the src/config.js file:
- If you are in development mode, comment out the long AWS URL in STORES.DATABASE_URL and uncomment the local Postgres URL
- If you are pushing to Heroku, comment out the local Postgres URL and uncomment the long AWS URL
- Inside src/stores.js:
- Add the IP addresses of your collaborators (see the examples that are already in there)
- These IP addresses need to be registered in the back-end while the team is developing; otherwise, nothing will work. The final version -- auth-admin-client.herokuapp.com -- does not require any IP addresses to be registered other than the first one already in there.
In order to properly implement the server, we will have to follow a plan.
- Implement Auth Server and Publish it to Heroku.
- Create an API (Resource Server) that needs protection.
- Decide on the supported flows
More details TBA...
- OAuth 2.0 & OpenID Connect Lecture/Seminar
- Getting started with oidc-provider
- Oidc-Provider docs
- Default OIDC Configurations
- Add your own...
When using the implicit flow, oidc-provider has a hardcoded check that rejects http and localhost redirect URIs. We must also ensure that the token endpoint is disabled for the client. Whilst this is a good security feature, it makes demos awkward. So, when integrating with your client application, make sure you are using the https scheme and a hostname other than localhost (something configured via your hosts file works fine), and set the client's token_endpoint_auth_method property to none.
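The following is an added example, not code from this project or from oidc-provider: a small check that validates a client registration object against the three constraints above before it is handed to the provider. The client ids and the hostname auth-demo.local are constructed for illustration.

```javascript
// Added example: validates an oidc-provider style client registration against
// the implicit-flow constraints noted above. Client ids and hostnames below
// are constructed for illustration, not taken from the project.
const LOCAL_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Returns a list of problems; an empty list means the client satisfies the
// note above (https, non-localhost redirect URIs, no token endpoint auth).
function checkImplicitClient(client) {
  const problems = [];
  // oidc-provider refuses http and localhost redirect URIs for implicit
  // clients, so a demo needs https and a hostname from the hosts file.
  for (const uri of client.redirect_uris || []) {
    let parsed;
    try {
      parsed = new URL(uri);
    } catch (err) {
      problems.push(`redirect_uri "${uri}" is not a valid URL`);
      continue;
    }
    if (parsed.protocol !== 'https:') {
      problems.push(`redirect_uri "${uri}" must use the https scheme`);
    }
    if (LOCAL_HOSTS.has(parsed.hostname)) {
      problems.push(`redirect_uri "${uri}" must not point at localhost`);
    }
  }
  // An implicit client receives its tokens from the authorization endpoint
  // and never calls the token endpoint, so it must not authenticate there.
  if (client.token_endpoint_auth_method !== 'none') {
    problems.push('token_endpoint_auth_method must be "none"');
  }
  return problems;
}

// Constructed sample clients: a typical quick local demo (fails the check)
// and the corrected registration the note above calls for (passes).
const weakClient = {
  client_id: 'demo-spa',
  grant_types: ['implicit'],
  response_types: ['id_token token'],
  redirect_uris: ['http://localhost:3000/cb'],
  token_endpoint_auth_method: 'client_secret_basic',
};
const fixedClient = {
  client_id: 'demo-spa',
  grant_types: ['implicit'],
  response_types: ['id_token token'],
  redirect_uris: ['https://auth-demo.local/cb'], // hostname from the hosts file
  token_endpoint_auth_method: 'none',
};
```

Running checkImplicitClient(weakClient) reports the http scheme, the localhost host and the token endpoint auth method; checkImplicitClient(fixedClient) returns an empty list.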
When using Forgot password, we need to set up an email account in Google. Disable 2-Step Verification in the security settings. "Allow less secure apps" must be toggled on. After setting up the email, update the config file variable for the app's email.
- Create user database and configure endpoints to perform user manipulations to the database.
- Save user password hashed
- Include password salt
- Create endpoint where admins can edit user claims (Add/Remove)