This repository has been archived by the owner on May 22, 2021. It is now read-only.

OAuth 2.0 / Keycloak suppot #1381

Open
SvenAbels opened this issue Aug 14, 2019 · 6 comments

Comments

@SvenAbels

We are using Keycloak as an Open Source Identity and Access Management.

Is it possible to use something like Keycloak (via OAuth 2.0?) instead of a FXA server for user logins of Mozilla Send? As far as I can see in the config file, we can only specify a link to an FXA server together with a client id.

If an FXA server is required: Can we use the one from Mozilla and - if yes - how can we obtain a client id?

@rfk

rfk commented Sep 10, 2019

Is it possible to use something like Keycloak (via OAuth 2.0?) instead of a FXA server for user logins of Mozilla Send?

Send uses a fairly unique feature of FxA whereby the signin flow generates client-side encryption keys that the application can use to protect data stored on the server. Any replacement auth system would need to provide similar functionality.

Can we use the one from Mozilla and - if yes - how can we obtain a client id?

Sorry, we do not yet allow third-party services to use FxA as an OAuth provider. I'd like to see us allow it one day but it's not on the short-term roadmap.

@immanuelfodor

Send uses a fairly unique feature of FxA whereby the signin flow generates client-side encryption keys that the application can use to protect data stored on the server. Any replacement auth system would need to provide similar functionality.

Hmm, wait, what? The FxA server generates the client-side encryption keys?

As FxA is used for e.g. Firefox Sync, this effectively means the server knows how to decrypt the data stored in a self-hosted sync server?

@immanuelfodor

If an FXA server is required: Can we use the one from Mozilla and - if yes - how can we obtain a client id?

There is an open issue on how to self-host the FxA server; you can follow it here: mozilla/fxa#3652. One day you might be able to host your own instance, so you'll be able to obtain a client ID yourself.

@rfk

rfk commented Jan 2, 2020

Hmm, wait, what? The FxA server generates the client-side encryption keys?

Not quite; the FxA login protocol is designed to generate a client-side encryption key without revealing it to the server. You can read a bit about it in this blog post.

@immanuelfodor

Oh, I see the separation now, thanks for the link. Now I get why a simple OAuth provider can't replace the FxA server easily.

@neo-inuit

For information, I use mod_auth_openidc with Apache as a reverse proxy in front.

Protect the server behind apache2 with OpenID.

Docs: https://github.com/zmartzone/mod_auth_openidc

Install:

apt-get install apache2
apt-get install libapache2-mod-auth-openidc

Configure Apache:

a2enmod headers rewrite proxy_wstunnel proxy_http proxy auth_openidc

Configure Keycloak:

https://github.com/zmartzone/mod_auth_openidc/wiki/Keycloak

I just changed the Apache regexp to allow download but not upload; the regexp is not perfect.

<Location ~ "^((?!/download|/api|\.css|.\.js|\.svg|\.woff2|\.png).)*$">
    # desired configurations
    AuthType openid-connect
    Require valid-user
</Location>
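An added check, not part of neo-inuit's comment or of Send itself: the Location regex above is a negative lookahead, so a request path needs `Require valid-user` only when it contains none of the listed substrings. Evaluating the same pattern (Python's `re` handles this lookahead like Apache's PCRE) against a few constructed request paths shows exactly which paths stay reachable without a Keycloak login; note that every path under `/api`, not only downloads, falls outside the rule, which is worth confirming against the "download but not upload" intent.

```python
import re

# The Location regex exactly as posted in the comment above. The "." before "\.js"
# is kept verbatim; because the lookahead is tested at every position, it excludes
# the same paths as a plain "\.js" would for any path that starts with "/".
LOCATION_RE = re.compile(r"^((?!/download|/api|\.css|.\.js|\.svg|\.woff2|\.png).)*$")


def requires_auth(path: str) -> bool:
    """True when the <Location ~ ...> block (and so 'Require valid-user') applies.

    Apache matches the regex against the decoded URL path, without the query
    string, so only the path component is passed in here.
    """
    return LOCATION_RE.match(path) is not None


def unprotected(paths):
    """Return the subset of paths that the proxy serves without any login."""
    return [p for p in paths if not requires_auth(p)]


# Constructed sample request paths. Only the "/download" and "/api" prefixes come
# from the comment; the specific route names after them are illustrative.
SAMPLE_PATHS = [
    "/",                 # the upload page: login required
    "/download/abc123",  # download link: open, as intended
    "/api/metadata/abc", # any API route: open, because "/api" is excluded
    "/api/ws",           # also open, whatever the app does on this route
    "/app.js",           # static asset: open
    "/style.css",        # static asset: open
    "/ws",               # no excluded substring: login required
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(f"{path:22} login required: {requires_auth(path)}")
    print("open without login:", unprotected(SAMPLE_PATHS))
```

The printed list makes the exemption explicit: anything the application exposes under `/api` is handled by the backend's own checks, not by mod_auth_openidc.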
