Description
Atomic Data introduces a new self-sovereign public key based authentication mechanism. This has its merits (users are in full control of their identity, instead of servers), but pretty much everyone out there already settled on a standard: Open ID Connect. Supporting this helps achieve a few goals:
- Sign in with your existing OIDC account (google, facebook, or your companies SSO server). No need to create a new account!
Thoughts
- We already have JWT support in the email branch Sudomain support, register endpoint #505
- We still need a private key to sign commits, which should still be created and stored by the client.
Libraries Rust
- openidconnect-rs
- actix_oidc_token (not a lot of maintenance)
Libraries JS
- @axa-fr/oidc-client. Seems good.
TODO
- endpoint for adding new Publickey to Agent
- JWT support
- ENVs for OIDC
- Setup LogTo account
- Store link between agent and user somewhere?
Flow
- On starting AtomicServer, check presence of OAuth client + secrets in .env
- (maybe) check if the Oauth server token is valid? Can also check this when signing in a user
- Front-end checks if server supports some Oauth provider (e.g. google)
- If true, show a button for this provider in the RegisterSignIn component
- When clicked, get a token from the OAuth provider.
- Store the token (I assume this is stored as cookie, so nothing we need to do)
- Client tells server to create user / sign in?
- Server checks cookie / HTTP headers for token
- Server validates token with OAuth provider
Commits & private key management
If we sign in using some external identity provider, we are redirected to some page. This could be an endpoint that registers a public key to an Agent, adding it to the Agent resource.
Link with email
We're probably not going to be an identity provider, so we can keep things simple. Still, it would make sense to have email support for things like notifications.
But what about signing in using a magic link? Should users be able to add new public keys using email without using OIDC / Oauth? #276