External authentication for a user


#1

We need the ability to create new apps and then create client credentials within those from an API. Does anyone have any sort of direction we can take to make this as easy as possible without having to modify much of the source?

Ideal functionality:

  • Create new users
  • Create application
  • Create client credentials

#2

Hi, the following code shows where clients are defined:

I would create a client with almost the same settings as an app client, but in addition to that it should get a permission claim [1] with the admin role (`squidex.*) [2]

[1] https://github.com/Squidex/squidex/blob/master/src/Squidex.Shared/Identity/SquidexClaimTypes.cs#L22

[2] https://github.com/Squidex/squidex/blob/master/src/Squidex.Shared/Permissions.cs#L32

More about clients: http://docs.identityserver.io/en/latest/reference/client.html


#3

Configurable via an option, PR is welcome :wink:


#4

Great, will take a look and come up with something. :smiley:


#5

After looking more into the code and getting a better understanding of how it all works, I see what you mean with how I could attach the admin role.

Although I have a few questions:

  1. Can you create client credentials outside of an application? Right now it seems all of the credentials you create have to be tied to an application and not a users account. If this is the case, it doesn’t solve the initial problem we have where we need to be able to create new applications through the API.
  2. If we can create client credentials outside of an app, would we need to create a new client role? How is the client role interpreted upon request?

Thank you for the insight!


#6

Hi,

I just write a list of bullet points, because I am tired to think about how to structure my answer :wink:

  • Permissions are stored as claims and you can also assign them manually to an user. It is described in the docs [1]
  • When you create a role with permissions the user object gets enriched with these permissions in the request pipeline [2]
  • This means that the code does not care about where the permissions are coming from.
  • So you can just create a client and give this client the admin permissions.
  • I think you even do not have to give this client special permissions because every authenticated user or client should be able to create new apps, because you do not need any permissions. But honestly I have never tested it, but you can see it in the code [3]

[1] https://docs.squidex.io/concepts/permissions#administration
[2] https://github.com/Squidex/squidex/blob/master/src/Squidex/Pipeline/AppResolver.cs#L79
[3] https://github.com/Squidex/squidex/blob/master/src/Squidex/Areas/Api/Controllers/Apps/AppsController.cs#L90


#7

Btw: Have you tried to create an app with the client from another app? It could actually work, but I am not sure.


#8

So I have gotten the app creation to work, you can actually create apps from another apps client credentials just fine.

Now a point of discussion for which approach is more logical.

Approach One
Authenticate as an actual identity user, we would need a way to get just the auth token from the login so we could pass it to our requests.

Approach Two
Authenticate through the client credentials generated under an app. This works fine but then the app isn’t associated to an actual user, but to client credentials. So the app doesn’t show in the UI and doesn’t have an association to a user. We could create an additional method to handle linking the app to a specified user if we wanted.

Approach 1 seems to make the most sense, I am trying to wrap my head around how the UI gets the auth token to begin with. The POST to login to the site just returns a redirect, how does the UI get all of the authentication info that is stored in the local storage?

If I can just get access to the auth token that is generated upon login, that’s all I would need to create apps without having to use the UI, but still have them linked to my user in case I wanted to.


#9

I would just assign the right user as an owner to the app.