Add SSO authorization code flow (Phase 1)

MCIAS now acts as an SSO provider for downstream services. Services
redirect users to /sso/authorize, MCIAS handles login (password, TOTP,
or passkey), then redirects back with an authorization code that the
service exchanges for a JWT via POST /v1/sso/token.

- Add SSO client registry to config (client_id, redirect_uri,
  service_name, tags) with validation
- Add internal/sso package: authorization code and session stores
  using sync.Map with TTL, single-use LoadAndDelete, cleanup goroutines
- Add GET /sso/authorize endpoint (validates client, creates session,
  redirects to /login?sso=<nonce>)
- Add POST /v1/sso/token endpoint (exchanges code for JWT with policy
  evaluation using client's service_name/tags from config)
- Thread SSO nonce through password→TOTP and WebAuthn login flows
- Update login.html, totp_step.html, and webauthn.js for SSO nonce
  passthrough

Security:
- Authorization codes are 256-bit random, single-use, 60-second TTL
- redirect_uri validated as exact match against registered config
- Policy context comes from MCIAS config, not the calling service
- SSO sessions are server-side only; nonce is the sole client-visible value
- WebAuthn SSO returns redirect URL as JSON (not HTTP redirect) for JS compat

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-30 15:21:48 -07:00
parent 5b5e1a7ed6
commit e450ade988
15 changed files with 809 additions and 13 deletions


@@ -110,18 +110,22 @@
};
// mciasWebAuthnLogin initiates a passkey login.
window.mciasWebAuthnLogin = function (username, onSuccess, onError) {
// ssoNonce is optional — when non-empty, it is included in the begin/finish
// requests so the server can redirect back to the SSO client after login.
window.mciasWebAuthnLogin = function (username, ssoNonce, onSuccess, onError) {
if (!window.PublicKeyCredential) {
onError('WebAuthn is not supported in this browser.');
return;
}
var savedNonce = '';
var beginBody = { username: username || '' };
if (ssoNonce) { beginBody.sso_nonce = ssoNonce; }
fetch('/login/webauthn/begin', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ username: username || '' })
body: JSON.stringify(beginBody)
})
.then(function (resp) {
if (!resp.ok) return resp.text().then(function (t) { throw new Error(t || 'Login failed'); });
@@ -163,7 +167,7 @@
if (!resp.ok) return resp.text().then(function (t) { throw new Error(t || 'Login failed'); });
return resp.json();
})
.then(function () { onSuccess(); })
.then(function (data) { onSuccess(data); })
.catch(function (err) { onError(err.message || 'Login failed'); });
};
@@ -208,11 +212,14 @@
hideError('webauthn-login-error');
var usernameInput = document.getElementById('username');
var username = usernameInput ? usernameInput.value.trim() : '';
var ssoNonce = loginBtn.getAttribute('data-sso-nonce') || '';
loginBtn.disabled = true;
loginBtn.textContent = 'Waiting for authenticator...';
window.mciasWebAuthnLogin(username, function () {
window.location.href = '/dashboard';
window.mciasWebAuthnLogin(username, ssoNonce, function (data) {
// The server returns a redirect URL — either /dashboard for direct
// login, or the SSO client callback URL with code and state params.
window.location.href = (data && data.redirect) || '/dashboard';
}, function (err) {
loginBtn.disabled = false;
loginBtn.textContent = 'Sign in with passkey';
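Review bot: Inserting `ssoNonce` as the second positional parameter of `window.mciasWebAuthnLogin` silently breaks any other caller still using the old `(username, onSuccess, onError)` shape: its success callback would be serialized into `sso_nonce` (a function value is dropped by `JSON.stringify`, so the server sees no nonce), its error callback would run as the success handler, and the real `onError(...)` call would throw on `undefined`. The only caller updated in this commit is the login-button handler; if the function is invoked from anywhere else, a one-line shim at the top keeps old callers working: `if (typeof ssoNonce === 'function') { onError = onSuccess; onSuccess = ssoNonce; ssoNonce = ''; }`. Separately, `var savedNonce = '';` is declared but never referenced in the visible lines; the function body continues outside this hunk, so drop it if the remainder does not use it either. `data.redirect` is taken from the server's own JSON response and is therefore not attacker-controlled here, but `typeof data.redirect === 'string'` would prevent a malformed response from coercing into a bogus `location.href` value.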


@@ -5,6 +5,7 @@
<input type="hidden" name="username" value="{{.Username}}">
<input type="hidden" name="totp_nonce" value="{{.Nonce}}">
<input type="hidden" name="totp_step" value="1">
{{if .SSONonce}}<input type="hidden" name="sso_nonce" value="{{.SSONonce}}">{{end}}
<div class="form-group">
<label for="totp_code">Authenticator Code</label>
<input class="form-control" type="text" id="totp_code" name="totp_code"


@@ -15,6 +15,7 @@
{{if .Error}}<div class="alert alert-error" role="alert">{{.Error}}</div>{{end}}
<form id="login-form" method="POST" action="/login"
hx-post="/login" hx-target="#login-card" hx-swap="outerHTML" hx-select="#login-card">
{{if .SSONonce}}<input type="hidden" name="sso_nonce" value="{{.SSONonce}}">{{end}}
<div class="form-group">
<label for="username">Username</label>
<input class="form-control" type="text" id="username" name="username"
@@ -37,7 +38,8 @@
<hr style="flex:1;border:0;border-top:1px solid #ddd">
</div>
<div id="webauthn-login-error" class="alert alert-error" style="display:none" role="alert"></div>
<button class="btn btn-secondary" type="button" id="webauthn-login-btn" style="width:100%">
<button class="btn btn-secondary" type="button" id="webauthn-login-btn" style="width:100%"
{{if .SSONonce}}data-sso-nonce="{{.SSONonce}}"{{end}}>
Sign in with passkey
</button>
</div>
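Review bot: The login form still submits through `hx-post="/login"` with `hx-target`/`hx-swap` (unchanged context at the top of this section), so if the password/TOTP SSO path finishes with a plain HTTP redirect to the client's callback URL, htmx's XHR will follow that redirect and try to swap the callback response into `#login-card` (or fail on CORS for a cross-origin client) instead of navigating the browser. Unless the handler already does this, `/login` and the TOTP step should answer htmx submissions (request header `HX-Request: true`) with a 200 carrying `HX-Redirect: <callback URL>` and reserve the 302 for non-htmx submissions; the commit message addresses this only for the WebAuthn path. The hidden `sso_nonce` field and the `data-sso-nonce` attribute both echo a query-derived value, which is safe here provided these are Go `html/template` templates (as the `internal/` package layout suggests) so that attribute-context escaping applies.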