Authentication and Authorization
Certain requests to resources on CPub need to be authorized. CPub uses The OAuth 2.0 Authorization Framework (RFC 6749) for handling authorization.
The following OAuth 2.0 flows are supported:
Authorization (in form of an OAuth 2.0 Access Token) is granted after a user has authenticated.
Authorization (OAuth 2.0)
The OAuth 2.0 endpoints are:
- Authorization endpoint: /oauth/authorize
- Token endpoint: /oauth/token
Access tokens are valid for 60 days.
For the Authorization Code and Resource Owner Password Credentials flows a refresh token is issued, which can be used to obtain a new access token. The refresh token can be used until the authorization is revoked by the user.
Client registration
The Authorization Code flow requires an OAuth client to be registered.
Clients can be registered using the OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591) at the endpoint /oauth/clients.
See the Demonstration for an example.
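The client side of the registration and Authorization Code flow described above, as an added example that is not part of CPub's own code or demonstration. It assumes a CPub instance at https://cpub.example and a client callback at https://client.example/callback (both constructed), and it sends PKCE parameters as an assumption about CPub; an OAuth 2.0 server that does not implement PKCE ignores them. It builds the request bodies and URLs without network access; the state check on the callback is the client's defense against a forged authorization response.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

BASE = "https://cpub.example"                      # constructed CPub instance URL
REDIRECT_URI = "https://client.example/callback"   # constructed client redirect URI


def registration_request(client_name, redirect_uri=REDIRECT_URI):
    """JSON body for RFC 7591 dynamic registration, POSTed to /oauth/clients."""
    return {
        "client_name": client_name,
        "redirect_uris": [redirect_uri],
        "grant_types": ["authorization_code", "refresh_token"],
        "response_types": ["code"],
    }


def make_pkce():
    """Return a (code_verifier, code_challenge) pair per RFC 7636 (S256)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def authorize_url(client_id, state, code_challenge, redirect_uri=REDIRECT_URI):
    """URL the user is sent to at CPub's /oauth/authorize endpoint."""
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "state": state, "code_challenge": code_challenge, "code_challenge_method": "S256",
    }
    return f"{BASE}/oauth/authorize?{urlencode(params)}"


def parse_callback(url, expected_state):
    """Extract the authorization code; reject responses whose state does not match."""
    query = parse_qs(urlparse(url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this authorization response")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]


def token_request(code, client_id, client_secret, code_verifier, redirect_uri=REDIRECT_URI):
    """Form body for POST /oauth/token to exchange the code for an access token."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": client_id, "client_secret": client_secret, "code_verifier": code_verifier}


def refresh_request(refresh_token, client_id, client_secret):
    """Form body for POST /oauth/token once the 60-day access token has expired."""
    return {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "client_id": client_id, "client_secret": client_secret}
```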
Authentication
CPub supports authentication via:
- an internally stored username and password
- an OpenID Connect provider
- a Pleroma/Mastodon compatible OAuth 2.0 server
The interactive authentication endpoint is at: /auth/login.
Internal username and password
Users can sign up with a username and password at the endpoint: /auth/register.
OpenID Connect
Users can authenticate with any OpenID Connect Core 1.0 provider.
An OAuth 2.0 client must be registered for CPub at the provider. The redirect URI used by CPub is /auth/oidc/callback. The only scope required is openid.
The client id and client secret (if the provider requires one) must be configured in CPub from the Elixir shell:
```elixir
CPub.Web.Authentication.OAuthClient.create(%{
  provider: :oidc,
  site: "http://localhost:8080/auth/realms/cpub-test/",
  client_id: "something-something-something",
  client_secret: "secret-secret-secret-secret",
  display_name: "Keycloak"
})
```
Where the fields are:
- provider: must be :oidc to indicate that the client is an OpenID Connect client.
- site: the URL of the OpenID Connect provider.
- client_id: OAuth 2.0 client id.
- client_secret: OAuth 2.0 client secret (optional). If defined, it will be used when fetching the access/id token from the provider.
- display_name: name of the provider to display on the login page (optional). If present, the provider will be shown on the login page.
OpenID Connect has been tested with Keycloak, Gitlab and Azure Active Directory B2C.
TODO Implement a nice UI from which this can be set up.
Pleroma/Mastodon
To authenticate with an existing Pleroma/Mastodon server, enter the URL of the instance in the login field.
TODO Implement a WebFinger client so that users can simply enter their ActivityPub handle and be authenticated with the correct instance.