Add SSO authorization code flow (Phase 1)
MCIAS now acts as an SSO provider for downstream services. Services redirect users to /sso/authorize, MCIAS handles login (password, TOTP, or passkey), then redirects back with an authorization code that the service exchanges for a JWT via POST /v1/sso/token. - Add SSO client registry to config (client_id, redirect_uri, service_name, tags) with validation - Add internal/sso package: authorization code and session stores using sync.Map with TTL, single-use LoadAndDelete, cleanup goroutines - Add GET /sso/authorize endpoint (validates client, creates session, redirects to /login?sso=<nonce>) - Add POST /v1/sso/token endpoint (exchanges code for JWT with policy evaluation using client's service_name/tags from config) - Thread SSO nonce through password→TOTP and WebAuthn login flows - Update login.html, totp_step.html, and webauthn.js for SSO nonce passthrough Security: - Authorization codes are 256-bit random, single-use, 60-second TTL - redirect_uri validated as exact match against registered config - Policy context comes from MCIAS config, not the calling service - SSO sessions are server-side only; nonce is the sole client-visible value - WebAuthn SSO returns redirect URL as JSON (not HTTP redirect) for JS compat Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -110,18 +110,22 @@
|
||||
};
|
||||
|
||||
// mciasWebAuthnLogin initiates a passkey login.
|
||||
window.mciasWebAuthnLogin = function (username, onSuccess, onError) {
|
||||
// ssoNonce is optional — when non-empty, it is included in the begin/finish
|
||||
// requests so the server can redirect back to the SSO client after login.
|
||||
window.mciasWebAuthnLogin = function (username, ssoNonce, onSuccess, onError) {
|
||||
if (!window.PublicKeyCredential) {
|
||||
onError('WebAuthn is not supported in this browser.');
|
||||
return;
|
||||
}
|
||||
|
||||
var savedNonce = '';
|
||||
var beginBody = { username: username || '' };
|
||||
if (ssoNonce) { beginBody.sso_nonce = ssoNonce; }
|
||||
|
||||
fetch('/login/webauthn/begin', {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify({ username: username || '' })
|
||||
body: JSON.stringify(beginBody)
|
||||
})
|
||||
.then(function (resp) {
|
||||
if (!resp.ok) return resp.text().then(function (t) { throw new Error(t || 'Login failed'); });
|
||||
@@ -163,7 +167,7 @@
|
||||
if (!resp.ok) return resp.text().then(function (t) { throw new Error(t || 'Login failed'); });
|
||||
return resp.json();
|
||||
})
|
||||
.then(function () { onSuccess(); })
|
||||
.then(function (data) { onSuccess(data); })
|
||||
.catch(function (err) { onError(err.message || 'Login failed'); });
|
||||
};
|
||||
|
||||
@@ -208,11 +212,14 @@
|
||||
hideError('webauthn-login-error');
|
||||
var usernameInput = document.getElementById('username');
|
||||
var username = usernameInput ? usernameInput.value.trim() : '';
|
||||
var ssoNonce = loginBtn.getAttribute('data-sso-nonce') || '';
|
||||
loginBtn.disabled = true;
|
||||
loginBtn.textContent = 'Waiting for authenticator...';
|
||||
|
||||
window.mciasWebAuthnLogin(username, function () {
|
||||
window.location.href = '/dashboard';
|
||||
window.mciasWebAuthnLogin(username, ssoNonce, function (data) {
|
||||
// The server returns a redirect URL — either /dashboard for direct
|
||||
// login, or the SSO client callback URL with code and state params.
|
||||
window.location.href = (data && data.redirect) || '/dashboard';
|
||||
}, function (err) {
|
||||
loginBtn.disabled = false;
|
||||
loginBtn.textContent = 'Sign in with passkey';
|
||||
|
||||
Reference in New Issue
Block a user