support oidc implicit flow

Author: bgerrity

package.json

@@ -99,6 +99,7 @@
     "json-bigint": "^1.0.0",
     "just-debounce": "^1.1.0",
     "just-throttle": "^4.2.0",
+    "jwt-decode": "^4.0.0",
     "lodash.groupby": "^4.6.0",
     "remark-stringify": "^10.0.3",
     "sanitize-html": "^2.12.1",

pnpm-lock.yaml

@@ -20,7 +20,7 @@ batchActionsDisabled: false
 hideWorkflowQueryErrors: false
 auth:
   enabled: false
-  providers:
+  providers:  # only the first is used. second is provided for reference
     - label: Auth0 oidc # for internal use; in future may expose as button text
       type: oidc # for futureproofing; only oidc is supported today
       providerUrl: https://myorg.us.auth0.com/
@@ -36,6 +36,17 @@ auth:
         audience: myorg-dev
         organization: org_xxxxxxxxxxxx
         invitation:
+    - label: oidc implicit flow
+      type: oidc
+      flow: implicit
+      # TODO: support optional issuer validation
+      authorizationUrl: https://accounts.google.com/o/oauth2/v2/auth  # discovery isn't supported for implicit flow. the endpoint must be provided directly
+      clientId: xxxxxxxxxxxxxxxxxxxx
+      scopes:
+        - openid
+        - profile
+        - email
+      callbackUrl: http://localhost:8080
 tls:
   caFile:
   certFile:

server/config/development.yaml

@@ -15,6 +15,7 @@ docker run \
     -e TEMPORAL_ADDRESS=127.0.0.1:7233 \
     -e TEMPORAL_UI_PORT=8080 \
     -e TEMPORAL_AUTH_ENABLED=true \
+    -e TEMPORAL_AUTH_FLOW_TYPE=authorization-code \
     -e TEMPORAL_AUTH_PROVIDER_URL=https://accounts.google.com \
     -e TEMPORAL_AUTH_CLIENT_ID=xxxxx-xxxx.apps.googleusercontent.com \
     -e TEMPORAL_AUTH_CLIENT_SECRET=xxxxxxxxxxxxxxx \

server/docker/README.md

@@ -40,8 +40,10 @@ auth:
   providers:
   - label: {{ default .Env.TEMPORAL_AUTH_LABEL "sso" }}
     type: {{ default .Env.TEMPORAL_AUTH_TYPE "oidc" }}
+    flow: {{ default .Env.TEMPORAL_AUTH_FLOW_TYPE "authorization-code" }}
     providerUrl: {{ .Env.TEMPORAL_AUTH_PROVIDER_URL }}
     issuerUrl: {{ default .Env.TEMPORAL_AUTH_ISSUER_URL "" }}
+    authorizationUrl:: {{ default .Env.TEMPORAL_AUTH_AUTHORIZATION_URL "" }}
     clientId: {{ .Env.TEMPORAL_AUTH_CLIENT_ID }}
     clientSecret: {{ .Env.TEMPORAL_AUTH_CLIENT_SECRET }}
     callbackUrl: {{ .Env.TEMPORAL_AUTH_CALLBACK_URL }}

server/docker/config-template.yaml

@@ -45,8 +45,15 @@ import (
 )
 
 type Auth struct {
-	Enabled bool
-	Options []string
+	Enabled          bool
+	Flow             string
+	ProviderURL      string
+	IssuerURL        string
+	AuthorizationURL string
+	ClientID         string
+	CallbackURL      string
+	Scopes           []string
+	Options          []string
 }
 
 type CodecResponse struct {
@@ -110,17 +117,25 @@ func GetSettings(cfgProvider *config.ConfigProviderWithRefresh) func(echo.Contex
 		}
 
 		var options []string
+		var authProviderCfg config.AuthProvider
 		if len(cfg.Auth.Providers) != 0 {
-			authProviderCfg := cfg.Auth.Providers[0].Options
-			for k := range authProviderCfg {
+			authProviderCfg = cfg.Auth.Providers[0]
+			for k := range authProviderCfg.Options {
 				options = append(options, k)
 			}
 		}
 
 		settings := &SettingsResponse{
 			Auth: &Auth{
-				Enabled: cfg.Auth.Enabled,
-				Options: options,
+				Enabled:          cfg.Auth.Enabled,
+				Flow:             authProviderCfg.Flow,
+				ProviderURL:      authProviderCfg.ProviderURL,
+				IssuerURL:        authProviderCfg.IssuerURL,
+				AuthorizationURL: authProviderCfg.AuthorizationURL,
+				ClientID:         authProviderCfg.ClientID,
+				CallbackURL:      authProviderCfg.CallbackURL,
+				Scopes:           authProviderCfg.Scopes,
+				Options:          options,
 			},
 			BannerText:                  cfg.BannerText,
 			DefaultNamespace:            cfg.DefaultNamespace,

server/server/api/handler.go

@@ -52,8 +52,28 @@ func (c *AuthProvider) validate() error {
 		return nil
 	}
 
-	if c.ProviderURL == "" {
-		return errors.New("auth provider url is not")
+	switch flowType := c.Flow; flowType {
+	case "authorization-code":
+		if c.ProviderURL == "" {
+			return errors.New("auth provider url is not set")
+		}
+		if c.AuthorizationURL != "" {
+			return errors.New("auth endpoint url is not used in auth code flow")
+		}
+	case "implicit":
+		// TODO: support oidc discovery in implicit flow
+		if c.ProviderURL != "" {
+			return errors.New("auth provider url is not used in implicit flow")
+		}
+		// TODO: support optional issuer validation
+		if c.AuthorizationURL == "" {
+			return errors.New("auth issuer url is not set")
+		}
+		if c.ClientSecret != "" {
+			return errors.New("no secrets in implicit flow")
+		}
+	default:
+		return errors.New("auth oidc flow is not valid")
 	}
 
 	if c.ClientID == "" {

server/server/config/auth.go

@@ -93,19 +93,23 @@ type (
 	}
 
 	AuthProvider struct {
-		// Label - optional label for the provider
+		// Optional. Label for the provider
 		Label string `yaml:"label"`
 		// Type of the auth provider. Only OIDC is supported today
 		Type string `yaml:"type"`
-		// OIDC .well-known/openid-configuration URL, ex. https://accounts.google.com/
+		// OIDC login flow type. The "authorization-code" and "implicit" flows are supported
+		Flow string `yaml:"flow"`
+		// OIDC .well-known/openid-configuration URL, e.g. https://accounts.google.com/. Discovery unsupported in implicit flow.
 		ProviderURL string `yaml:"providerUrl"`
-		// IssuerUrl - optional. Needed only when differs from the auth provider URL
-		IssuerUrl    string `yaml:"issuerUrl"`
-		ClientID     string `yaml:"clientId"`
-		ClientSecret string `yaml:"clientSecret"`
+		// Optional. Needed only when differs from the auth provider URL. In implicit flow, enables token issuer validation.
+		IssuerURL string `yaml:"issuerUrl"`
+		// Required for implicit flow. OIDC authorization endpoint URL, e.g. https://accounts.google.com/o/oauth2/v2/auth
+		AuthorizationURL string `yaml:"authorizationUrl"`
+		ClientID         string `yaml:"clientId"`
+		ClientSecret     string `yaml:"clientSecret"`
 		// Scopes for auth. Typically [openid, profile, email]
 		Scopes []string `yaml:"scopes"`
-		// CallbackURL - URL for the callback URL, ex. https://localhost:8080/sso/callback
+		// URL for the callback, e.g. https://localhost:8080/sso/callback
 		CallbackURL string `yaml:"callbackUrl"`
 		// Options added as URL query params when redirecting to auth provider. Can be used to configure custom auth flows such as Auth0 invitation flow.
 		Options map[string]interface{} `yaml:"options"`

server/server/config/config.go

@@ -59,26 +59,37 @@ func SetAuthRoutes(e *echo.Echo, cfgProvider *config.ConfigProviderWithRefresh)
 
 	providerCfg := serverCfg.Auth.Providers[0] // only single provider is currently supported
 
-	if len(providerCfg.IssuerUrl) > 0 {
-		ctx = oidc.InsecureIssuerURLContext(ctx, providerCfg.IssuerUrl)
-	}
-	provider, err := oidc.NewProvider(ctx, providerCfg.ProviderURL)
-	if err != nil {
-		log.Fatal(err)
-	}
+	api := e.Group("/auth")
+	switch providerCfg.Flow {
+	case "authorization-code":
+		if len(providerCfg.IssuerURL) > 0 {
+			ctx = oidc.InsecureIssuerURLContext(ctx, providerCfg.IssuerURL)
+		}
 
-	oauthCfg := oauth2.Config{
-		ClientID:     providerCfg.ClientID,
-		ClientSecret: providerCfg.ClientSecret,
-		Endpoint:     provider.Endpoint(),
-		RedirectURL:  providerCfg.CallbackURL,
-		Scopes:       providerCfg.Scopes,
-	}
+		if len(providerCfg.AuthorizationURL) > 0 {
+			log.Fatal(`authorization url should not be set for auth code flow`)
+		}
 
-	api := e.Group("/auth")
-	api.GET("/sso", authenticate(&oauthCfg, providerCfg.Options))
-	api.GET("/sso/callback", authenticateCb(ctx, &oauthCfg, provider))
-	api.GET("/sso_callback", authenticateCb(ctx, &oauthCfg, provider)) // compatibility with UI v1
+		provider, err := oidc.NewProvider(ctx, providerCfg.ProviderURL)
+		if err != nil {
+			log.Fatal(err)
+		}
+
+		oauthCfg := oauth2.Config{
+			ClientID:     providerCfg.ClientID,
+			ClientSecret: providerCfg.ClientSecret,
+			Endpoint:     provider.Endpoint(),
+			RedirectURL:  providerCfg.CallbackURL,
+			Scopes:       providerCfg.Scopes,
+		}
+
+		api.GET("/sso", authenticate(&oauthCfg, providerCfg.Options))
+		api.GET("/sso/callback", authenticateCb(ctx, &oauthCfg, provider))
+		api.GET("/sso_callback", authenticateCb(ctx, &oauthCfg, provider)) // compatibility with UI v1
+	case "implicit":
+		// The implicit flow is principally designed for single-page applications.
+		// Fully delegated to the client.
+	}
 }
 
 func authenticate(config *oauth2.Config, options map[string]interface{}) func(echo.Context) error {

server/server/route/auth.go

@@ -77,7 +77,7 @@
     {#if showNamespaceSpecificNav}
       <DataEncoderStatus />
     {/if}
-    {#if $authUser.accessToken}
+    {#if $authUser.idToken || $authUser.accessToken}
       <MenuContainer>
         <MenuButton variant="ghost" hasIndicator controls="user-menu">
           <img