missing /authorize endpoint ? #188
Comments
|
Our general idea here is that the login-ui only "proxies" the request to the api so that the login does not need to take care of the oidc specific stuff. I think the zitadel/typescript should already be able to proxy the authorize path. Have you checked what happens when you call |
|
Might relate to this #46 |
@fforootd thank you for making it clear. really appreciate it i ended up doing proxing similar to https://github.com/zitadel/typescript/blob/main/apps/login/src/middleware.ts export const config = {
matcher: [
"/.well-known/:path*",
"/oauth/:path*",
"/oidc/:path*",
"/idps/callback/:path*",
],
};but the ideal situation for me is to get rid of all proxying in favor of backend api calls i use this repo mainly as an inspiration what i'm trying to archive
i might be moving into a wrong direction and eventually will end up with lot of hacking or some compromises as for now i'm facing issues like on screenshot below - the enduser stack in zitadel ui, not inside my hosted app
and the point is that proxing is not really great user experience ... at least for me ... if you have well defined api and an example how to customize it and do something similar to func (h *Handler) RegisterConnections(api huma.API) {
huma.Register(api,
huma.Operation{
Path: "/oauth2/callback",
OperationID: "oauth2-client-callback",
Description: "Serve OAuth2 client callback",
Method: http.MethodPost,
Tags: []string{"oauth2-auth"},
DefaultStatus: http.StatusOK,
}, h.callback)
}
func (h *Handler) callback(ctx context.Context, in *CallbackIn) (out *CallbackOut, err error) {
tx := query.New(h.dbp)
stateUUID := uuid.FromStringOrNil(in.State)
if stateUUID.IsNil() {
h.log.Error("broken state parameter", "error", err)
return nil, huma.Error400BadRequest("broken state parameter")
}
state, err := tx.GetOauth2State(ctx, stateUUID)
if err != nil {
h.log.Error("query state object", "error", err)
return nil, huma.Error401Unauthorized("query state object")
}
...to bring the standard endpoints into hosted app by triggering apis calls |
|
Can you exapand what you mean with "but the ideal situation for me is to get rid of all proxying in favor of backend api calls" Generally speaking the proxy piece is only needed if you want to serve OIDC/OAuth from your login to your apps. With what stack are you building your login? |
i thought it would be possible to do embeded callbacks or customize endpoints similar to router on ui/login https://github.com/zitadel/zitadel/blob/main/internal/api/ui/login/router.go EndpointExternalLogin = "/login/externalidp" i'm a half way through reading external_provider_handler.go and LegacyServer: op.NewLegacyServer(provider, endpoints(config.CustomEndpoints)), and it's look like it's impossible to replicate by using SDK zitadel/zitadel-go sdk as well, cause not all methods which are used in external_provider_handler.go are exposed or mean to be used outside of ui/login the goal of all the above for now is to understand if i can
I'm looking for "api-first" solution for embeded login Here's an example of function I can't trigger using zitadel-go ... or might miss something https://github.com/zitadel/zitadel/blob/main/internal/api/oidc/auth_request.go#L92 https://github.com/zitadel/zitadel/blob/main/internal/api/grpc/oidc/v2/oidc.go Again i'm a half way through reading ... any hints are greatly appreciated |
|
I see. Let me try and explain our approach here. Our current mental model is to seperate the login from the api in a way that the login ui (whatever language it uses) only needs to implement the user facing flows. Like login, reset, register,.... At the same time we want to keep all the business logic for the OIDC/OAuth/SAML in the API and allow the UI to just call the API as a proxy. It is also possible to call that api without proxing through the login ui, but we thought in many cases you end up having all this on the same domain behind a proxy where you can directly send the traffic to the api so the proxy in the login becomes obsolete. |
|
I think im looking for the same setup as reactima. I want the frontend custom ui to ONLY use endpoints in my own backend. So the backend will act like a proxy for some of the requests So by API first you can actually do the whole registrationa and login by using API endpoints of your backend. Im currently reading up on the issue to check if others are using the same setup and how to handle security like PKCE and such. |
|
@larsbloch not sure if it will help. it's almost impossible to hide all routes without breaking things. i get a proof of concept by patching few ui/login routes at some point, and discovered it breaks too many things and puts you on the path of maintaining too many routes have a look here l.renderer.RenderTemplate or renderError - templates are hardcoded my own conclusion OIDC spec wasn't designed with API first mentality, and mostly serves IDP providers interest ... and i'm totally fine with it. zitadel team did awesome job - you can customize ui templates from admin ui. another drawback of deep customization - you will end reading the entire codebase source code ... i did it for pleasure but all my goland devs friends who saw it had their sole crashed especially in the eventstore p.s. happy to chat with whoever want to go the hard way with zitadel ... and hope one day zitadel's big customers will sponsor true "api first" functionality |
|
@fforootd thank you for the above explanation. it makes more sense for me now |
Preflight Checklist
Describe your problem
Read Support for the OpenID Connect(OIDC) Standard in a Custom Login UI
https://zitadel.com/docs/guides/integrate/login-ui/oidc-standard
zitadel/typescript repo seems missing /authorize endpoint
so you have to go through ${ZITADEL_URL}/oauth/v2/authorize endpoint
getting authRequestId is puzzling
Let's say I successful generated Zitadel Authorization URL:
http://localhost:8080/oauth/v2/authorize?client_id=285778005274460424%40rachel_rich_and_happy_&nonce=&prompt=none&redirect_uri=http%3A%2F%2Flocalhost%3A5173%2Fzitadel%2Floginname&response_type=code&scope=openid+profile+email&state=
It will put me through Zitadel UI anyway be forcing redirect
Couldnt find a straight forward way getting authRequestId
Is missing /authorize endpoint in this repo?
Describe your ideal solution
implement /authorize endpoint
Version
latest
Environment
Self-hosted
Additional Context
No response
The text was updated successfully, but these errors were encountered: