External authentication for a user

blakecodes · January 23, 2019, 8:36pm

We need the ability to create new apps and then create client credentials within those from an API. Does anyone have any sort of direction we can take to make this as easy as possible without having to modify much of the source?

Ideal functionality:

Create new users
Create application
Create client credentials

Sebastian · January 23, 2019, 8:56pm

Hi, the following code shows where clients are defined:

github.com

Squidex/squidex/blob/master/src/Squidex/Areas/IdentityServer/Config/LazyClientStore.cs#L94


}


private void CreateStaticClients(IOptions<MyUrlsOptions> urlsOptions)
{
    foreach (var client in CreateStaticClients(urlsOptions.Value))
    {
        staticClients[client.ClientId] = client;
    }
}


private static IEnumerable<Client> CreateStaticClients(MyUrlsOptions urlsOptions)
{
    var frontendId = Constants.FrontendClient;


    yield return new Client
    {
        ClientId = frontendId,
        ClientName = frontendId,
        RedirectUris = new List<string>
        {
            urlsOptions.BuildUrl("login;"),

I would create a client with almost the same settings as an app client, but in addition to that it should get a permission claim [1] with the admin role (`squidex.*) [2]

[1] https://github.com/Squidex/squidex/blob/master/src/Squidex.Shared/Identity/SquidexClaimTypes.cs#L22

[2] https://github.com/Squidex/squidex/blob/master/src/Squidex.Shared/Permissions.cs#L32

More about clients: http://docs.identityserver.io/en/latest/reference/client.html

Sebastian · January 23, 2019, 8:57pm

Configurable via an option, PR is welcome

blakecodes · January 23, 2019, 8:59pm

Great, will take a look and come up with something.

blakecodes · January 24, 2019, 10:40pm

After looking more into the code and getting a better understanding of how it all works, I see what you mean with how I could attach the admin role.

Although I have a few questions:

Can you create client credentials outside of an application? Right now it seems all of the credentials you create have to be tied to an application and not a users account. If this is the case, it doesn’t solve the initial problem we have where we need to be able to create new applications through the API.
If we can create client credentials outside of an app, would we need to create a new client role? How is the client role interpreted upon request?

Thank you for the insight!

Sebastian · January 24, 2019, 11:01pm

Hi,

I just write a list of bullet points, because I am tired to think about how to structure my answer

Permissions are stored as claims and you can also assign them manually to an user. It is described in the docs [1]
When you create a role with permissions the user object gets enriched with these permissions in the request pipeline [2]
This means that the code does not care about where the permissions are coming from.
So you can just create a client and give this client the admin permissions.
I think you even do not have to give this client special permissions because every authenticated user or client should be able to create new apps, because you do not need any permissions. But honestly I have never tested it, but you can see it in the code [3]

[1] https://docs.squidex.io/concepts/permissions#administration
[2] https://github.com/Squidex/squidex/blob/master/src/Squidex/Pipeline/AppResolver.cs#L79
[3] https://github.com/Squidex/squidex/blob/master/src/Squidex/Areas/Api/Controllers/Apps/AppsController.cs#L90

Sebastian · January 24, 2019, 11:02pm

Btw: Have you tried to create an app with the client from another app? It could actually work, but I am not sure.

blakecodes · January 25, 2019, 10:07pm

So I have gotten the app creation to work, you can actually create apps from another apps client credentials just fine.

Now a point of discussion for which approach is more logical.

Approach One
Authenticate as an actual identity user, we would need a way to get just the auth token from the login so we could pass it to our requests.

Approach Two
Authenticate through the client credentials generated under an app. This works fine but then the app isn’t associated to an actual user, but to client credentials. So the app doesn’t show in the UI and doesn’t have an association to a user. We could create an additional method to handle linking the app to a specified user if we wanted.

Approach 1 seems to make the most sense, I am trying to wrap my head around how the UI gets the auth token to begin with. The POST to login to the site just returns a redirect, how does the UI get all of the authentication info that is stored in the local storage?

github.com

Squidex/squidex/blob/master/src/Squidex/Areas/IdentityServer/Controllers/Account/AccountController.cs#L167




[HttpGet]
[Route("account/login/")]
public Task<IActionResult> Login(string returnUrl = null)
{
    return LoginViewAsync(returnUrl, true, false);
}


[HttpPost]
[Route("account/login/")]
public async Task<IActionResult> Login(LoginModel model, string returnUrl = null)
{
    if (!ModelState.IsValid)
    {
        return await LoginViewAsync(returnUrl, true, true);
    }


    var result = await signInManager.PasswordSignInAsync(model.Email, model.Password, true, true);


    if (!result.Succeeded)
    {

If I can just get access to the auth token that is generated upon login, that’s all I would need to create apps without having to use the UI, but still have them linked to my user in case I wanted to.

Sebastian · January 25, 2019, 10:19pm

I would just assign the right user as an owner to the app.