add oidc implicit flow support

Author: bgerrity

server/config/development.yaml

@@ -20,7 +20,7 @@ batchActionsDisabled: false
 hideWorkflowQueryErrors: false
 auth:
   enabled: false
-  providers:
+  providers:  # only the first is used. second is provided for reference
     - label: Auth0 oidc # for internal use; in future may expose as button text
       type: oidc # for futureproofing; only oidc is supported today
       providerUrl: https://myorg.us.auth0.com/
@@ -36,6 +36,17 @@ auth:
         audience: myorg-dev
         organization: org_xxxxxxxxxxxx
         invitation:
+    - label: oidc implicit flow
+      type: oidc
+      flow: implicit
+      # TODO: support optional issuer validation
+      authorizationUrl: https://accounts.google.com/o/oauth2/v2/auth  # discovery isn't supported for implicit flow. the endpoint must be provided directly
+      clientId: xxxxxxxxxxxxxxxxxxxx
+      scopes:
+        - openid
+        - profile
+        - email
+      callbackUrl: http://localhost:8080
 tls:
   caFile:
   certFile:

server/docker/README.md

@@ -15,6 +15,7 @@ docker run \
     -e TEMPORAL_ADDRESS=127.0.0.1:7233 \
     -e TEMPORAL_UI_PORT=8080 \
     -e TEMPORAL_AUTH_ENABLED=true \
+    -e TEMPORAL_AUTH_FLOW_TYPE=authorization-code \
     -e TEMPORAL_AUTH_PROVIDER_URL=https://accounts.google.com \
     -e TEMPORAL_AUTH_CLIENT_ID=xxxxx-xxxx.apps.googleusercontent.com \
     -e TEMPORAL_AUTH_CLIENT_SECRET=xxxxxxxxxxxxxxx \

server/docker/config-template.yaml

@@ -40,8 +40,10 @@ auth:
   providers:
   - label: {{ default .Env.TEMPORAL_AUTH_LABEL "sso" }}
     type: {{ default .Env.TEMPORAL_AUTH_TYPE "oidc" }}
+    flow: {{ default .Env.TEMPORAL_AUTH_FLOW_TYPE "authorization-code" }}
     providerUrl: {{ .Env.TEMPORAL_AUTH_PROVIDER_URL }}
     issuerUrl: {{ default .Env.TEMPORAL_AUTH_ISSUER_URL "" }}
+    authorizationUrl:: {{ default .Env.TEMPORAL_AUTH_AUTHORIZATION_URL "" }}
     clientId: {{ .Env.TEMPORAL_AUTH_CLIENT_ID }}
     clientSecret: {{ .Env.TEMPORAL_AUTH_CLIENT_SECRET }}
     callbackUrl: {{ .Env.TEMPORAL_AUTH_CALLBACK_URL }}

server/server/api/handler.go

@@ -45,8 +45,15 @@ import (
 )
 
 type Auth struct {
-	Enabled bool
-	Options []string
+	Enabled          bool
+	Flow             string
+	ProviderURL      string
+	IssuerURL        string
+	AuthorizationURL string
+	ClientID         string
+	CallbackURL      string
+	Scopes           []string
+	Options          []string
 }
 
 type CodecResponse struct {
@@ -110,17 +117,25 @@ func GetSettings(cfgProvider *config.ConfigProviderWithRefresh) func(echo.Contex
 		}
 
 		var options []string
+		var authProviderCfg config.AuthProvider
 		if len(cfg.Auth.Providers) != 0 {
-			authProviderCfg := cfg.Auth.Providers[0].Options
-			for k := range authProviderCfg {
+			authProviderCfg = cfg.Auth.Providers[0]
+			for k := range authProviderCfg.Options {
 				options = append(options, k)
 			}
 		}
 
 		settings := &SettingsResponse{
 			Auth: &Auth{
-				Enabled: cfg.Auth.Enabled,
-				Options: options,
+				Enabled:          cfg.Auth.Enabled,
+				Flow:             authProviderCfg.Flow,
+				ProviderURL:      authProviderCfg.ProviderURL,
+				IssuerURL:        authProviderCfg.IssuerURL,
+				AuthorizationURL: authProviderCfg.AuthorizationURL,
+				ClientID:         authProviderCfg.ClientID,
+				CallbackURL:      authProviderCfg.CallbackURL,
+				Scopes:           authProviderCfg.Scopes,
+				Options:          options,
 			},
 			BannerText:                  cfg.BannerText,
 			DefaultNamespace:            cfg.DefaultNamespace,

server/server/config/auth.go

@@ -52,8 +52,27 @@ func (c *AuthProvider) validate() error {
 		return nil
 	}
 
-	if c.ProviderURL == "" {
-		return errors.New("auth provider url is not")
+	switch flowType := c.Flow; flowType {
+	case "authorization-code":
+		if c.ProviderURL == "" {
+			return errors.New("auth provider url is not set")
+		}
+		if c.AuthorizationURL == "" {
+			return errors.New("auth endpoint url is not used in auth code flow")
+		}
+	case "implicit":
+		if c.ProviderURL != "" {
+			return errors.New("auth provider url is not used in implicit flow")
+		}
+		// TODO: support optional issuer validation
+		if c.AuthorizationURL == "" {
+			return errors.New("auth issuer url is not set")
+		}
+		if c.ClientSecret != "" {
+			return errors.New("no secrets in implicit flow")
+		}
+	default:
+		return errors.New("auth oidc flow is not valid")
 	}
 
 	if c.ClientID == "" {

server/server/config/config.go

@@ -97,12 +97,16 @@ type (
 		Label string `yaml:"label"`
 		// Type of the auth provider. Only OIDC is supported today
 		Type string `yaml:"type"`
-		// OIDC .well-known/openid-configuration URL, ex. https://accounts.google.com/
+		// OIDC login flow type. The "authorization-code" and "implicit" flows are supported
+		Flow string `yaml:"flow"`
+		// OIDC .well-known/openid-configuration URL, e.g. https://accounts.google.com/. Discovery unsupported in implicit flow.
 		ProviderURL string `yaml:"providerUrl"`
-		// Optional. Needed only when differs from the auth provider URL
-		IssuerURL    string `yaml:"issuerUrl"`
-		ClientID     string `yaml:"clientId"`
-		ClientSecret string `yaml:"clientSecret"`
+		// Optional. Needed only when differs from the auth provider URL. In implicit flow, enables token issuer validation.
+		IssuerURL string `yaml:"issuerUrl"`
+		// Required for implicit flow. OIDC authorization endpoint URL, e.g. https://accounts.google.com/o/oauth2/v2/auth
+		AuthorizationURL string `yaml:"authorizationUrl"`
+		ClientID         string `yaml:"clientId"`
+		ClientSecret     string `yaml:"clientSecret"`
 		// Scopes for auth. Typically [openid, profile, email]
 		Scopes []string `yaml:"scopes"`
 		// URL for the callback, e.g. https://localhost:8080/sso/callback

server/server/route/auth.go

@@ -59,26 +59,37 @@ func SetAuthRoutes(e *echo.Echo, cfgProvider *config.ConfigProviderWithRefresh)
 
 	providerCfg := serverCfg.Auth.Providers[0] // only single provider is currently supported
 
-	if len(providerCfg.IssuerURL) > 0 {
-		ctx = oidc.InsecureIssuerURLContext(ctx, providerCfg.IssuerURL)
-	}
-	provider, err := oidc.NewProvider(ctx, providerCfg.ProviderURL)
-	if err != nil {
-		log.Fatal(err)
-	}
+	api := e.Group("/auth")
+	switch providerCfg.Flow {
+	case "authorization-code":
+		if len(providerCfg.IssuerURL) > 0 {
+			ctx = oidc.InsecureIssuerURLContext(ctx, providerCfg.IssuerURL)
+		}
 
-	oauthCfg := oauth2.Config{
-		ClientID:     providerCfg.ClientID,
-		ClientSecret: providerCfg.ClientSecret,
-		Endpoint:     provider.Endpoint(),
-		RedirectURL:  providerCfg.CallbackURL,
-		Scopes:       providerCfg.Scopes,
-	}
+		if len(providerCfg.AuthorizationURL) > 0 {
+			log.Fatal(`authorization url should not be set for auth code flow`)
+		}
 
-	api := e.Group("/auth")
-	api.GET("/sso", authenticate(&oauthCfg, providerCfg.Options))
-	api.GET("/sso/callback", authenticateCb(ctx, &oauthCfg, provider))
-	api.GET("/sso_callback", authenticateCb(ctx, &oauthCfg, provider)) // compatibility with UI v1
+		provider, err := oidc.NewProvider(ctx, providerCfg.ProviderURL)
+		if err != nil {
+			log.Fatal(err)
+		}
+
+		oauthCfg := oauth2.Config{
+			ClientID:     providerCfg.ClientID,
+			ClientSecret: providerCfg.ClientSecret,
+			Endpoint:     provider.Endpoint(),
+			RedirectURL:  providerCfg.CallbackURL,
+			Scopes:       providerCfg.Scopes,
+		}
+
+		api.GET("/sso", authenticate(&oauthCfg, providerCfg.Options))
+		api.GET("/sso/callback", authenticateCb(ctx, &oauthCfg, provider))
+		api.GET("/sso_callback", authenticateCb(ctx, &oauthCfg, provider)) // compatibility with UI v1
+	case "implicit":
+		// The implicit flow is principally designed for single-page applications.
+		// Fully delegated to the client.
+	}
 }
 
 func authenticate(config *oauth2.Config, options map[string]interface{}) func(echo.Context) error {

src/lib/services/settings-service.ts

@@ -20,6 +20,13 @@ export const fetchSettings = async (request = fetch): Promise<Settings> => {
   const settingsInformation = {
     auth: {
       enabled: !!settingsResponse?.Auth?.Enabled,
+      flow: settingsResponse?.Auth?.Flow,
+      providerUrl: settingsResponse?.Auth?.ProviderURL,
+      issuerUrl: settingsResponse?.Auth?.IssuerURL,
+      authorizationUrl: settingsResponse?.Auth?.AuthorizationURL,
+      clientId: settingsResponse?.Auth?.ClientID,
+      callbackUrl: settingsResponse?.Auth?.CallbackURL,
+      scopes: settingsResponse?.Auth?.Scopes,
       options: settingsResponse?.Auth?.Options,
     },
     bannerText: settingsResponse?.BannerText,

src/lib/stores/auth-user.ts

@@ -2,16 +2,26 @@ import { get } from 'svelte/store';
 
 import { persistStore } from '$lib/stores/persist-store';
 import type { User } from '$lib/types/global';
+import { OIDCFlow } from '$lib/types/global';
 
 export const authUser = persistStore<User>('AuthUser', {});
 
 export const getAuthUser = (): User => get(authUser);
 
-export const setAuthUser = (user: User) => {
+export const setAuthUser = (user: User, oidcFlow: OIDCFlow) => {
   const { accessToken, idToken, name, email, picture } = user;
 
-  if (!accessToken) {
-    throw new Error('No access token');
+  switch (oidcFlow) {
+    case OIDCFlow.AuthorizationCode:
+      if (!accessToken) {
+        throw new Error('No access token');
+      }
+      break;
+    case OIDCFlow.Implicit:
+      if (!idToken) {
+        throw new Error('No id token');
+      }
+      break;
   }
 
   authUser.set({

src/lib/types/global.ts

@@ -69,9 +69,21 @@ export interface NetworkError {
   message?: string;
 }
 
+export enum OIDCFlow {
+  AuthorizationCode = 'authorization-code',
+  Implicit = 'implicit',
+}
+
 export type Settings = {
   auth: {
     enabled: boolean;
+    flow: OIDCFlow;
+    providerUrl: string;
+    issuerUrl: string;
+    authorizationUrl: string;
+    clientId: string;
+    callbackUrl: string;
+    scopes: string[];
     options: string[];
   };
   bannerText: string;