Auth works #207

Open
16 tasks
killua-eu opened this issue Mar 19, 2021 · 1 comment
killua-eu commented Mar 19, 2021

  • implement refresh token and secure the shit out of it (phone: secure storage, HTTP-only cookie)
  • shorten JWT validity to minutes
  • implement /api/auth/logout-all (regen shared secret or something so that everything gets invalidated)
  • implement refresh token blacklist, clean it on logout-all event
  • check JWT algs; alg none prevention must be hardcoded
  • check if we prevent an RSA public key being used as the HMAC shared secret (don't allow algorithms to use the wrong keys / with each key, store what algo it's for and what kind of key it is)
  • microservices running on different instances will need to know the public keys used for signing tokens. Public keys need to be cycled. To ensure the right pubkey is used for JWT verification, add a kid claim to the JWT and a /api/auth/jwt/keys endpoint where microservices can fetch keys periodically.
  • add /api/auth/jwt/exchange to exchange i.e. a browser JWT for a device JWT.
  • decouple auth completely from glued so that we don't have to proxy requests via PHP
  • break foreign key constraints on users
  • without FK, we can't cascade delete. So either all uS need a delete API accepting a user ID (with GDPR, maybe anonymize and hide) or we need a webhook (publish/subscribe thing).
  • /api/auth/jwt/revoke for user pressing logout button (store in DB what to kill?, put it into tokens? - maybe just have a webhook that will tell everybody to ignore all JWTs issued from time_when_user_logged_out() - 3600 till time_when_user_logged_out() .. then each service will have a local cache of tokens to ignore) ... maybe allow to revoke one refresh token or revoke all tokens for a user ID.
  • remember all issued refresh tokens and the devices they were issued for (so this is mostly like a session)
  • store all logins for all time
  • handle semi-logged-in users (i.e. password change required, or email not verified, or 2FA, ... leave users without a JWT or with a JWT without roles).
  • decide where the fuck we stick in the SSO and social logins shit and what shit it shall be :) @zelitomas
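Added example (not the project's code) for the alg-none and key-confusion items above: a constructed key registry binds each kid to one algorithm and one key kind, the verifier rejects alg none unconditionally and refuses any token whose header alg does not match the kid's registered alg, then checks an HS256 signature. The registry layout, kids and key values are assumptions; RS256 signature checking is out of scope here since it needs an RSA library.

```python
import base64, hashlib, hmac, json

# Constructed registry: every kid is bound to one algorithm and one key kind, so the
# token header can never choose which key material an algorithm is applied to.
KEYS = {
    "hs-key-1": {"alg": "HS256", "kind": "hmac", "key": b"constructed-shared-secret"},
    "rs-key-1": {"alg": "RS256", "kind": "rsa-public", "key": b"PLACEHOLDER-PEM-PUBLIC-KEY"},
}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def select_key(header: dict, registry=KEYS) -> dict:
    """Return the registry entry for the token's kid, or raise if the header is unacceptable."""
    alg = header.get("alg")
    if not isinstance(alg, str) or alg.lower() == "none":
        raise ValueError("alg none is never accepted")  # hardcoded, not configurable
    entry = registry.get(header.get("kid"))
    if entry is None:
        raise ValueError("unknown kid")
    if entry["alg"] != alg:
        raise ValueError(f"kid {header['kid']} is registered for {entry['alg']}, not {alg}")
    # Belt and braces: an HS* algorithm may only ever be applied to a key stored as an HMAC secret.
    if alg.startswith("HS") != (entry["kind"] == "hmac"):
        raise ValueError("algorithm/key-kind mismatch")
    return entry

def sign_hs256(claims: dict, kid: str, registry=KEYS) -> str:
    entry = registry[kid]
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(entry["key"], f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def verify(token: str, registry=KEYS) -> dict:
    """Check header policy via select_key, then the HS256 signature; returns the claims."""
    head, body, sig = token.split(".")  # ValueError on a malformed token
    entry = select_key(json.loads(b64url_decode(head)), registry)
    if entry["alg"] != "HS256":
        raise ValueError("this example only verifies HS256 signatures")  # RS256 needs an RSA library
    expected = hmac.new(entry["key"], f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))
```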
@killua-eu
Contributor Author

Run podman run -p 8080:8080 -e KEYCLOAK_USER=a -e KEYCLOAK_PASSWORD=a jboss/keycloak
or daemonize podman run -d --name keycloak -p 8080:8080 -e KEYCLOAK_USER=a -e KEYCLOAK_PASSWORD=a jboss/keycloak
