mc/mcias
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4ed2cecec54100d91382ac25d270478e560fb828
mcias/web/templates/fragments/totp_step.html
Kyle Isom e450ade988 Add SSO authorization code flow (Phase 1) 
MCIAS now acts as an SSO provider for downstream services. Services
redirect users to /sso/authorize, MCIAS handles login (password, TOTP,
or passkey), then redirects back with an authorization code that the
service exchanges for a JWT via POST /v1/sso/token.

- Add SSO client registry to config (client_id, redirect_uri,
  service_name, tags) with validation
- Add internal/sso package: authorization code and session stores
  using sync.Map with TTL, single-use LoadAndDelete, cleanup goroutines
- Add GET /sso/authorize endpoint (validates client, creates session,
  redirects to /login?sso=<nonce>)
- Add POST /v1/sso/token endpoint (exchanges code for JWT with policy
  evaluation using client's service_name/tags from config)
- Thread SSO nonce through password→TOTP and WebAuthn login flows
- Update login.html, totp_step.html, and webauthn.js for SSO nonce
  passthrough

Security:
- Authorization codes are 256-bit random, single-use, 60-second TTL
- redirect_uri validated as exact match against registered config
- Policy context comes from MCIAS config, not the calling service
- SSO sessions are server-side only; nonce is the sole client-visible value
- WebAuthn SSO returns redirect URL as JSON (not HTTP redirect) for JS compat

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-30 15:21:48 -07:00

20 lines
942 B
HTML
Raw Blame History

{{define "totp_step"}}
<form id="login-form" method="POST" action="/login"
hx-post="/login" hx-target="#login-form" hx-swap="outerHTML">
{{if .Error}}<div class="alert alert-error" role="alert">{{.Error}}</div>{{end}}
<input type="hidden" name="username" value="{{.Username}}">
<input type="hidden" name="totp_nonce" value="{{.Nonce}}">
<input type="hidden" name="totp_step" value="1">
{{if .SSONonce}}<input type="hidden" name="sso_nonce" value="{{.SSONonce}}">{{end}}
<div class="form-group">
<label for="totp_code">Authenticator Code</label>
<input class="form-control" type="text" id="totp_code" name="totp_code"
autocomplete="one-time-code" inputmode="numeric" pattern="[0-9]{6}"
maxlength="6" required autofocus placeholder="6-digit code">
</div>
<div class="form-actions">
<button class="btn btn-primary" type="submit" style="width:100%">Verify</button>
</div>
</form>
{{end}}
Reference in New Issue View Git Blame Copy Permalink