Add SSO authorization code flow (Phase 1)
MCIAS now acts as an SSO provider for downstream services. Services redirect users to /sso/authorize, MCIAS handles login (password, TOTP, or passkey), then redirects back with an authorization code that the service exchanges for a JWT via POST /v1/sso/token. - Add SSO client registry to config (client_id, redirect_uri, service_name, tags) with validation - Add internal/sso package: authorization code and session stores using sync.Map with TTL, single-use LoadAndDelete, cleanup goroutines - Add GET /sso/authorize endpoint (validates client, creates session, redirects to /login?sso=<nonce>) - Add POST /v1/sso/token endpoint (exchanges code for JWT with policy evaluation using client's service_name/tags from config) - Thread SSO nonce through password→TOTP and WebAuthn login flows - Update login.html, totp_step.html, and webauthn.js for SSO nonce passthrough Security: - Authorization codes are 256-bit random, single-use, 60-second TTL - redirect_uri validated as exact match against registered config - Policy context comes from MCIAS config, not the calling service - SSO sessions are server-side only; nonce is the sole client-visible value - WebAuthn SSO returns redirect URL as JSON (not HTTP redirect) for JS compat Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -5,6 +5,7 @@
|
||||
<input type="hidden" name="username" value="{{.Username}}">
|
||||
<input type="hidden" name="totp_nonce" value="{{.Nonce}}">
|
||||
<input type="hidden" name="totp_step" value="1">
|
||||
{{if .SSONonce}}<input type="hidden" name="sso_nonce" value="{{.SSONonce}}">{{end}}
|
||||
<div class="form-group">
|
||||
<label for="totp_code">Authenticator Code</label>
|
||||
<input class="form-control" type="text" id="totp_code" name="totp_code"
|
||||
|
||||
@@ -15,6 +15,7 @@
|
||||
{{if .Error}}<div class="alert alert-error" role="alert">{{.Error}}</div>{{end}}
|
||||
<form id="login-form" method="POST" action="/login"
|
||||
hx-post="/login" hx-target="#login-card" hx-swap="outerHTML" hx-select="#login-card">
|
||||
{{if .SSONonce}}<input type="hidden" name="sso_nonce" value="{{.SSONonce}}">{{end}}
|
||||
<div class="form-group">
|
||||
<label for="username">Username</label>
|
||||
<input class="form-control" type="text" id="username" name="username"
|
||||
@@ -37,7 +38,8 @@
|
||||
<hr style="flex:1;border:0;border-top:1px solid #ddd">
|
||||
</div>
|
||||
<div id="webauthn-login-error" class="alert alert-error" style="display:none" role="alert"></div>
|
||||
<button class="btn btn-secondary" type="button" id="webauthn-login-btn" style="width:100%">
|
||||
<button class="btn btn-secondary" type="button" id="webauthn-login-btn" style="width:100%"
|
||||
{{if .SSONonce}}data-sso-nonce="{{.SSONonce}}"{{end}}>
|
||||
Sign in with passkey
|
||||
</button>
|
||||
</div>
|
||||
|
||||
Reference in New Issue
Block a user