Fixes #25809 - JWT auth for external users

[rabajaj0509]

This pr enables Foreman to act as a consumer of the JWT token. It makes sure that an external user, authenticated via a third party application(in my case keycloak), can be created using the JWT token(without the need of a password).

[theforeman-bot]

Issues: #25809

[timogoebel]

@rahulbajaj0509: I checked out the code. I still believe you should not hook into the SSO::JWT workflow as this is unrelated to what you want to achieve. It both uses JWTs, that's the only similarity.
You do need money to buy a tree or a space station. But both a tree and a space station are totally unrelated. The JWT is just the technique used to transfer payload. I'd suggest to create a separate SSO implementation for Open Id Connect and try to use a gem that offers a proper implementation.

[timogoebel]

How about session.merge!(jwt_data)

[timogoebel]

Doesn't this store data in the session that was read from the session a couple of lines before? 😕

[rabajaj0509]

It should have, but since we have the reset_session on line no.79, it resets all the values and therefore I had to use this method to restore the value again.

[timogoebel]

Can we ask the SSO if it sets the expiry time instead of hardcoding stuff for JWT here?

def set_activity_time
  return if available_sso.sets_expiry_time?
  session[:expires_at] = Setting[:idle_timeout].minutes.from_now.to_i
end

[rabajaj0509]

Yes, I think I can achieve this, thanks!

[rabajaj0509]

@timogoebel I tried using available_sso.sets_expiry_time?.
It works fine when we first authenticate the user.
However, when we use sessions in subsequent calls the method fails.

That is if I run hammer auth login basic --username admin --password changeme it works correctly.
Immediately after when I run hammer os list (which will use session since we are already autheticated in the previous command), it fails because all the SSO methods (Basic, JWT, openIDConnect etc) return a false for {SSO::Method}.available?..

Hence we get available_sso value as nil when using session

[timogoebel]

You should be able to use get_sso_method to get the SSO object stored in the session.

[rabajaj0509]

@timogoebel let me explain a bit about what I am trying to achieve here, let me know if I am thinking in the correct direction here.

So at the hammer-cli-foreman side, I authenticate the user by keycloak using the OAuth out of bound implementation. In return to that, the Keycloak returns me with a JWT that has the authenticated users authorization information which I send to Foreman(here) and create a user in Foreman using that JWT.

This is the flow that I am trying to achieve.

[ares]

@rahulbajaj0509 could you please point us to respective part that actually issues the JWT token? I'm a bit confused here about the whole flow. I suppose something creates the JWT which is added to requests to Foreman. If that's the case, we download the public key from some URL and decode the token (which does the token signature verification) and then read information out of that token.

[ares]

what is this url? it does not resolve, IIUC we download the keycloak public key from here and then use it for signature verification, should this URL be part of JWT token?

[rabajaj0509]

I have added this to the settings, this URL is different for each user, so it may differ. To obtain the URL user can read the description of the field as seen here

[ares]

this is not a good idea, we need to trust the side that provides the public key, otherwise an attacker could give us wrong public key for verification

[rabajaj0509]

@ares thanks, makes sense, I have change the setting to :verify_ssl to true.

[ares]

was this code taken from some library? if not, can you describe what's going on in here, e.g. what format we're trying to build here, we don't use unpack('C*') every day :-)

[rabajaj0509]

yes, it was but as @tbrisker mentioned, it is not good to handle the encryption by ourself, so I am using the JWT gem to do all this for us.

[ares]

1.to_s(16).rjust(2, '0') is more straightforward

[ares]

is there a better way to detect what type of token this is? Can we get that information out of decoded_payload?

[timogoebel]

We should never rely on information in decoded_payload as it hasn't been verified (the signature wasn't validated).

[ares]

We verify the signature later, but we need to decide what is the purpose of this token here. We can decode and if that's for SSO, we proceed with verification. If it's not and we just decode like we did before.

I don't like this too much, hence I'm asking for a better way of differentiation. Is it possible to use other header or that breaks jwt conventions? Can we somehow detect the signature is present, meaning this is SSO token? If we detect there's signature, then perform verification (which JWT.decode does for us if we pass public key I believe)

[timogoebel]

We can use the Auth-Header. The RFC states to use two parts:
TYPE SECRET. The type can be an arbitrary string, e.g. Basic. I would suggest using Bearer for OIDC and JWT for JWT's issued by Foreman.

[rabajaj0509]

Done.

[rabajaj0509]

@ares thanks for reviewing the pull request :)

We receive the token from the hammer-cli-foreman which can be seen here.

Hammer uses the rest-client gem to authenticate the user from Keycloak and if the authentication is successful it receives a JWT token in return. Now we send this JWT here in Foreman and then create a user with external login.

When we send the JWT token in Foreman, we need to validate it and make sure it the same token as we had sent from Hammer.

There are two ways of validating a JWT token on the foreman side:

Method 1: We need to verify a few claims and check the signature:

• The important bits to check in the token:

  • typ - should be Bearer
  • aud - should include the client_id of the service
  • nbf - should be in the past (check against current time - 1 sec)
  • exp - should be in the future (check against current time + 1 sec)

• For this, I am using the JWT gem that basically does all the checks
  when we do JWT.decode with the token that we receive from Hammer and public key that we generate using the generate_key_from_jwks method.

Method 2: we can also invoke the token introspection endpoint on Keycloak, but that's then a remote call to Keycloak to validate the token.

• Basically, this can be done by invoking the introspection endpoint with the token. In return, we will recieve a valid and JSON of the token that can be future matched/validated with our token.

[ekohl]

Isn't the whole idea behind .well-known that software can rely on it and humans never need to care? As a user I don't know which of the two I should enter. If only the well-known one should be specified, I'd write something like:

Suggested change

	self.set('oidc_jwks_url', N_("OpenID Connect JSON Web Key Set(JWKS) URL. For example if you are using Keycloak this url(https://<your keycloak server>/auth/realms/<realm name>/protocol/openid-connect/certs) would be found as `jwk_uri` at https://<your keycloak server>/auth/realms/<realm name>/.well-known/openid-configuration."), nil, N_('OIDC JWKs URL')),
	self.set('oidc_jwks_url', N_("OpenID Connect JSON Web Key Set(JWKS) URL. Typically https://keycloak.example.com/auth/realms/<realm name>/.well-known/openid-configuration."), nil, N_('OIDC JWKs URL')),

[ekohl]

Is iss(issuer) a typo? Maybe IDP should also be written out since most users don't know what it stands for.

[rabajaj0509]

iss(issuer) is a very term in the JWT world. It is one of the most important claims and this line is directly taken from the spec(https://tools.ietf.org/html/rfc7519#section-4.1.1). I would like to stick to it, if you don't mind?

[ekohl]

I would add a space in between like the RFC did.

[ekohl]

Suggested change

	self.set('oidc_algorithm', N_("The algorithm with which JWT was encoded in the IDP."), nil, N_('OIDC Algorithm')),
	self.set('oidc_algorithm', N_("The algorithm used to encode the JWT in the IDP."), nil, N_('OIDC Algorithm')),

[ekohl]

If there are cached keys, does that mean you don't need to fetch a response in the first place and the method could return early?

[rabajaj0509]

As @tbrisker explained here: #6549 (comment).

[ekohl]

Is setup ran for every test or only for the class? The test would be a lot faster if you could reuse the key.

[tbrisker]

instead of raising here you can log and return an empty hash (but still keep the rescue below in case JSON.parse fails)

[ekohl]

This default is very different from the description since it's not a URL. If there is no sane default, should it be empty?

[ekohl]

Suggested change

	description: 'Name of the OpenID Connect Audience that is being used for Authentication. For exmaple in case of Keycloak this is the Client ID.'
	description: 'Name of the OpenID Connect Audience that is being used for Authentication. For example in case of Keycloak this is the Client ID.'

[ekohl]

Should this be synced to the Ruby code?

[timogoebel]

Code looks good to me. I'm good with merging this.

@tbrisker: Feel free to merge at your own discretion. Note, we still need the packaging to be done.

[tbrisker]

LGTM as well, pending packaging. Great job @rahulbajaj0509 on pushing this through the very long process!
@ekohl - unless you have any other comments feel free to merge once the packaging side is ready.

[ekohl]

Overall 👍 besides some small textual nits

[ekohl]

Nit: I think it's possible to avoid the personal pronoun which generally the preferred style. Maybe a native speaker has a better suggestion

Suggested change

	self.set('oidc_jwks_url', N_("OpenID Connect JSON Web Key Set(JWKS) URL. Typically https://keycloak.example.com/auth/realms/<realm name>/protocol/openid-connect/certs if you are using Keycloak as an IDP"), nil, N_('OIDC JWKs URL')),
	self.set('oidc_jwks_url', N_("OpenID Connect JSON Web Key Set(JWKS) URL. Typically https://keycloak.example.com/auth/realms/<realm name>/protocol/openid-connect/certs when using Keycloak as an IDP"), nil, N_('OIDC JWKs URL')),

[ekohl]

Nit: phrasing could be a bit more compact. For example and in case are redundant.

Suggested change

	self.set('oidc_audience', N_("Name of the OpenID Connect Audience that is being used for Authentication. For example in case of Keycloak this is the Client ID."), nil, N_('OIDC Audience')),
	self.set('oidc_audience', N_("Name of the OpenID Connect Audience used for Authentication. In case of Keycloak this is the Client ID."), nil, N_('OIDC Audience')),

[ekohl]

Suggested change

	test 'if audiance is not valid' do
	test 'if audience is not valid' do

[ekohl]

👍 from a packaging perspective.

[ekohl]

I'd still like to avoid this naming (https://en.wikipedia.org/wiki/RAS_syndrome) but I won't block on it.

[tbrisker]

I understand but we're already using that in multiple places and it seems pretty common in general (e.g. https://www.google.com/search?q=%22jwt+token%22).

[tbrisker]

Thanks @rahulbajaj0509 and @timogoebel, @ekohl and everyone else who took part in reviewing!

[tbrisker]

Please add this in the headline features for 1.24 and where it makes sense in the manual (e.g. after https://theforeman.org/manuals/nightly/index.html#5.1.9UsingOAuth or https://theforeman.org/manuals/nightly/index.html#5.7ExternalAuthentication)

[rabajaj0509]

Thanks a lot everyone! I think I made many mistakes and without your help I would have never learnt so many things.

Few points I want to add:

• I was really struggling with the session handling part, I had to read about how sessions actually worked and @timogoebel pointed me out to the code and how to handle that properly.
• There were many scenarios for test cases which I didn't think about and was not sure how to go about handling the JWT gem and its corresponding version handling. @tbrisker pointed me out to various links which finally helped me understand.
• I am always in two-minds while selecting names for a method, also while defining descriptions for settings and have never been involved in packaging, so thanks to @ekohl for helping me with that!
• Thanks to @ntkathole for testing the PR again and again as there were many changes made from time to time.
• Thanks @gnurag @ares, @kgaikwad, @ofedoren for reviewing as well :)

[ekohl]

Building a feature that touches the system at a deep level does expose you to a lot of details :)