Kerb validation #9

Open
gabrc52 opened this issue Sep 6, 2023 · 1 comment
gabrc52 commented Sep 6, 2023

Possible implementation that does not require reinventing the kerb authentication wheel:

  1. Check if the user is signed into Element, and get the access token from local storage
  2. Otherwise, act as a Matrix client and implement single-sign-on
  3. Issue a more restrictive token via https://playground.matrix.org/#post-/_matrix/client/v3/user/-userId-/openid/request_token. (not a full access token, just for verifying identity)
  4. If we did #2, sign out immediately (our custom SSO destination would extract the token, get a new OpenID token, and then shortly sign out)
  5. Keep the OpenID token in local storage, and use it as an auth token when doing requests.
  6. The backend should validate this token via https://spec.matrix.org/v1.8/server-server-api/#get_matrixfederationv1openiduserinfo (perhaps in SvelteKit via variables) and deny unauthorized requests
  7. Corollary: once all backend requests are authenticated, we can safely assume that it is the user themselves requesting to do actions, so we can add additional features or backend endpoints such as "what class group chats am I already in?" (not something I would add at the moment since I don't want people being able to query other people's list)

Notes on OpenID:

Third-party services can exchange an access token previously generated by the Client-Server API for information about a user. This can help verify that a user is who they say they are without granting full access to the user’s account.

(https://spec.matrix.org/v1.8/server-server-api/#openid)

Note that Matrix doesn't use OIDC for authentication yet and uses its own custom-built auth: https://areweoidcyet.com/

Some considerations:

  • Don't forget to namespace everything we store in local storage since we don't want to conflict with Element's.
  • Be extra sure that our code won't sign you out of Element. The sign out logic should be in a different route that only gets triggered via SSO.
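The token exchange and backend check from steps 3, 5 and 6 above, as an added example (this is not the project's code, and it is not taken from the issue). It assumes Node 18+ for the global `fetch`; `fetchImpl` is injectable so the logic runs offline against the constructed `fakeFetch` homeserver stand-in below. The `ALLOWED_SERVERS` map, the `example.org` server name and every token value are constructed for illustration. Federation host resolution (`.well-known/matrix/server`, SRV) is replaced by that fixed map, which is an assumption, not what the spec prescribes.

```javascript
// Added example, not the project's own code. Assumes Node 18+ (global fetch).

// Client side (issue step 3): exchange the full Matrix access token for a
// restricted OpenID token. Response shape per the client-server spec:
//   { access_token, token_type: "Bearer", matrix_server_name, expires_in }
async function requestOpenIdToken(homeserverUrl, userId, accessToken, fetchImpl = fetch) {
  const url = `${homeserverUrl}/_matrix/client/v3/user/${encodeURIComponent(userId)}/openid/request_token`;
  const res = await fetchImpl(url, {
    method: "POST",
    headers: { Authorization: `Bearer ${accessToken}`, "Content-Type": "application/json" },
    body: "{}",
  });
  if (!res.ok) throw new Error(`request_token failed: HTTP ${res.status}`);
  const body = await res.json();
  if (typeof body.access_token !== "string" || typeof body.matrix_server_name !== "string") {
    throw new Error("malformed request_token response");
  }
  // The client stores {access_token, matrix_server_name} (namespaced, so it
  // does not collide with Element's keys) and sends both to the backend.
  return body;
}

// Backend side (issue step 6), pure decision logic: given the homeserver's
// /openid/userinfo reply, return the authenticated Matrix user ID or null.
// Assumed allow-list: server name -> federation base URL (constructed).
const ALLOWED_SERVERS = new Map([["example.org", "https://example.org:8448"]]);

function checkUserinfo(serverName, status, body, allowed = ALLOWED_SERVERS) {
  if (!allowed.has(serverName)) return null;                // only query homeservers we trust
  if (status !== 200 || !body || typeof body.sub !== "string") return null; // e.g. 401 M_UNKNOWN_TOKEN
  const m = /^@[^:]+:(.+)$/.exec(body.sub);                  // sub must be a Matrix user ID
  if (!m) return null;
  // A homeserver may only vouch for its own users: without this check a
  // homeserver could return a `sub` claiming to be a user of another domain.
  if (m[1] !== serverName) return null;
  return body.sub;
}

async function validateOpenIdToken(serverName, openIdToken, allowed = ALLOWED_SERVERS, fetchImpl = fetch) {
  const base = allowed.get(serverName);
  if (!base) return null;
  const url = `${base}/_matrix/federation/v1/openid/userinfo?access_token=${encodeURIComponent(openIdToken)}`;
  const res = await fetchImpl(url);
  let body = null;
  try { body = await res.json(); } catch { body = null; }
  return checkUserinfo(serverName, res.status, body, allowed);
}

// Constructed stand-in for a homeserver so the example runs offline.
// Issues one OpenID token ("tok-alice") and recognises only that token.
const FAKE_TOKENS = { "tok-alice": "@alice:example.org" };
function fakeFetch(url, opts = {}) {
  const u = new URL(url);
  const reply = (status, body) =>
    Promise.resolve({ ok: status === 200, status, json: () => Promise.resolve(body) });
  if (u.pathname.endsWith("/openid/request_token")) {
    if (!(opts.headers && opts.headers.Authorization)) return reply(401, { errcode: "M_MISSING_TOKEN" });
    return reply(200, { access_token: "tok-alice", token_type: "Bearer", matrix_server_name: "example.org", expires_in: 3600 });
  }
  if (u.pathname.endsWith("/openid/userinfo")) {
    const sub = FAKE_TOKENS[u.searchParams.get("access_token")];
    return sub ? reply(200, { sub }) : reply(401, { errcode: "M_UNKNOWN_TOKEN", error: "Unrecognised access token" });
  }
  return reply(404, { errcode: "M_UNRECOGNIZED" });
}

async function demo() {
  const tok = await requestOpenIdToken("https://example.org", "@alice:example.org", "full-access-token", fakeFetch);
  console.log(await validateOpenIdToken(tok.matrix_server_name, tok.access_token, ALLOWED_SERVERS, fakeFetch)); // "@alice:example.org"
  console.log(await validateOpenIdToken(tok.matrix_server_name, "forged", ALLOWED_SERVERS, fakeFetch));          // null
}
demo().catch((e) => { console.error(e); });
```

The two checks in `checkUserinfo` are the ones that matter: the backend only talks to homeservers on its allow-list, and it only accepts a `sub` whose domain is the server it actually queried. Without the second check, any homeserver the backend is willing to query could answer with an arbitrary user ID. In a real deployment the server name must be resolved to its federation endpoint through Matrix server discovery rather than a hard-coded map.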
gabrc52 commented Feb 8, 2024

This implementation has been done -- we are not giving it to the backend yet since we still want to support simply entering your kerb in the mobile case
