mc/mcias
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9385c3846d21118ae54f639d80d9bb6f768c94c7
mcias/web/templates/login.html
Kyle Isom e450ade988 Add SSO authorization code flow (Phase 1) 
MCIAS now acts as an SSO provider for downstream services. Services
redirect users to /sso/authorize, MCIAS handles login (password, TOTP,
or passkey), then redirects back with an authorization code that the
service exchanges for a JWT via POST /v1/sso/token.

- Add SSO client registry to config (client_id, redirect_uri,
  service_name, tags) with validation
- Add internal/sso package: authorization code and session stores
  using sync.Map with TTL, single-use LoadAndDelete, cleanup goroutines
- Add GET /sso/authorize endpoint (validates client, creates session,
  redirects to /login?sso=<nonce>)
- Add POST /v1/sso/token endpoint (exchanges code for JWT with policy
  evaluation using client's service_name/tags from config)
- Thread SSO nonce through password→TOTP and WebAuthn login flows
- Update login.html, totp_step.html, and webauthn.js for SSO nonce
  passthrough

Security:
- Authorization codes are 256-bit random, single-use, 60-second TTL
- redirect_uri validated as exact match against registered config
- Policy context comes from MCIAS config, not the calling service
- SSO sessions are server-side only; nonce is the sole client-visible value
- WebAuthn SSO returns redirect URL as JSON (not HTTP redirect) for JS compat

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-30 15:21:48 -07:00

55 lines
2.3 KiB
HTML
Raw Blame History

{{define "login"}}<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<title>Sign In — MCIAS</title>
<link rel="stylesheet" href="/static/style.css">
</head>
<body>
<div class="login-wrapper">
<div class="login-box">
<div class="brand-heading">MCIAS</div>
<div class="brand-subtitle">Metacircular Identity &amp; Access System</div>
<div class="card" id="login-card">
{{if .Error}}<div class="alert alert-error" role="alert">{{.Error}}</div>{{end}}
<form id="login-form" method="POST" action="/login"
hx-post="/login" hx-target="#login-card" hx-swap="outerHTML" hx-select="#login-card">
{{if .SSONonce}}<input type="hidden" name="sso_nonce" value="{{.SSONonce}}">{{end}}
<div class="form-group">
<label for="username">Username</label>
<input class="form-control" type="text" id="username" name="username"
autocomplete="username" required autofocus>
</div>
<div class="form-group">
<label for="password">Password</label>
<input class="form-control" type="password" id="password" name="password"
autocomplete="current-password" required>
</div>
<div class="form-actions">
<button class="btn btn-primary" type="submit" style="width:100%">Sign in</button>
</div>
</form>
{{if .WebAuthnEnabled}}
<div style="margin-top:1rem;text-align:center">
<div style="display:flex;align-items:center;gap:.75rem;margin-bottom:.75rem">
<hr style="flex:1;border:0;border-top:1px solid #ddd">
<span class="text-muted text-small">or</span>
<hr style="flex:1;border:0;border-top:1px solid #ddd">
</div>
<div id="webauthn-login-error" class="alert alert-error" style="display:none" role="alert"></div>
<button class="btn btn-secondary" type="button" id="webauthn-login-btn" style="width:100%"
{{if .SSONonce}}data-sso-nonce="{{.SSONonce}}"{{end}}>
Sign in with passkey
</button>
</div>
{{end}}
</div>
</div>
</div>
<script src="/static/htmx.min.js"></script>
{{if .WebAuthnEnabled}}<script src="/static/webauthn.js"></script>{{end}}
</body>
</html>
{{end}}
Reference in New Issue View Git Blame Copy Permalink