chore: support Auth0 client playing nicely with other OAuth2/OIDC providers

Sherif Fanous · Unix4ever · commit 2e015a994abe · 2024-04-12T12:12:13.000+03:00
Omni doesn't use a generic OAuth2/OIDC client/SDK instead it uses the Auth0 SDK for Vue and it's using a pretty old version, v1.0.2 as can be seen by inspecting the Omni package.json [here](https://github.com/siderolabs/omni/blob/7fb5d2b20a9372e1a0906b9384696daf93a45c51/frontend/package.json#L13). This SDK in turn uses [auth0-spa-js](https://github.com/auth0/auth0-spa-js) v1.22.1 which can be seen by inspecting its package.json [here](https://github.com/auth0/auth0-vue/blob/bb3bc817d18b8b6d68f3292fe6fadb31f28320db/package.json#L80). **This has significant implications as the v1 of the SDK is not compliant with OAuth2 in 1 critical area.** OAuth2 mandates the use of the `application/x-www-form-urlencoded` content type for grant messages sent to the token endpoint and that sending JSON request bodies will result in a 400 error. Unfortunately the v1 of the SDK sends the request payload as JSON which means that IdPs such as Authentik rightfully returns a 400 error and this results in an infinite loop of requests from Omni to Authentik. The behavior can be confirmed by looking at the comment in the Auth0 SDK code [here](https://github.com/auth0/auth0-spa-js/blob/371e5a82a6da3be24a2f89b7a3a4473f01156c02/src/global.ts#L251). Interestingly the default for the `useFormData` was changed to `true` in v1.22.6 of the SDK. This PR introduces a new Omni flag called `--auth-auth0-use-form-data`. By default the flag is set to `false` to maintain backwards compatibility. If the flag is set to `true` then the Auth0 client is created with the `useFormData` set to `true` Signed-off-by: Sherif Fanous <sherif.fanous+github@gmail.com> Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
diff --git a/client/api/omni/specs/auth.pb.go b/client/api/omni/specs/auth.pb.go
diff --git a/client/api/omni/specs/auth.proto b/client/api/omni/specs/auth.proto
@@ -12,6 +12,7 @@ message AuthConfigSpec {
     bool enabled = 1;
     string domain = 2;
     string client_id = 3;
+    bool useFormData = 4;
   }
 
   message Webauthn {
diff --git a/client/api/omni/specs/auth_vtproto.pb.go b/client/api/omni/specs/auth_vtproto.pb.go
diff --git a/cmd/omni/main.go b/cmd/omni/main.go
@@ -307,6 +307,8 @@ func init() {
 		"enable Auth0 authentication. Once set to true, it cannot be set back to false.")
 	rootCmd.Flags().StringVar(&config.Config.Auth.Auth0.ClientID, "auth-auth0-client-id", config.Config.Auth.Auth0.ClientID, "Auth0 application client ID.")
 	rootCmd.Flags().StringVar(&config.Config.Auth.Auth0.Domain, "auth-auth0-domain", config.Config.Auth.Auth0.Domain, "Auth0 application domain.")
+	rootCmd.Flags().BoolVar(&config.Config.Auth.Auth0.UseFormData, "auth-auth0-use-form-data", config.Config.Auth.Auth0.UseFormData,
+		"When true, data to the token endpoint is transmitted as x-www-form-urlencoded data instead of JSON. The default is false")
 
 	rootCmd.Flags().BoolVar(&config.Config.Auth.WebAuthn.Enabled, "auth-webauthn-enabled", config.Config.Auth.WebAuthn.Enabled,
 		"enable WebAuthn authentication. Once set to true, it cannot be set back to false.")
diff --git a/frontend/src/api/omni/specs/auth.pb.ts b/frontend/src/api/omni/specs/auth.pb.ts
@@ -9,6 +9,7 @@ export type AuthConfigSpecAuth0 = {
   enabled?: boolean
   domain?: string
   client_id?: string
+  useFormData?: boolean
 }
 
 export type AuthConfigSpecWebauthn = {
diff --git a/frontend/src/main.ts b/frontend/src/main.ts
@@ -53,13 +53,14 @@ const setupApp = async () => {
       appendToBody: true,
     })
 
-  if (authType.value === AuthType.Auth0) {
-    app = app.use(createAuth0({
-      domain: authConfigSpec!.auth0?.domain!,
-      client_id: authConfigSpec!.auth0?.client_id!,
-      redirect_uri: window.location.origin,
-    }))
-  }
+    if (authType.value === AuthType.Auth0) {
+      app = app.use(createAuth0({
+        domain: authConfigSpec!.auth0?.domain!,
+        client_id: authConfigSpec!.auth0?.client_id!,
+        redirect_uri: window.location.origin,
+        useFormData: !!authConfigSpec!.auth0?.useFormData,
+      }))
+    }
 
   app.use(vClickOutside);
   app.mount('#app');
diff --git a/internal/pkg/auth/config.go b/internal/pkg/auth/config.go
@@ -44,6 +44,7 @@ func EnsureAuthConfigResource(ctx context.Context, st state.State, logger *zap.L
 		res.TypedSpec().Value.Auth0.Enabled = authParams.Auth0.Enabled
 		res.TypedSpec().Value.Auth0.Domain = authParams.Auth0.Domain
 		res.TypedSpec().Value.Auth0.ClientId = authParams.Auth0.ClientID
+		res.TypedSpec().Value.Auth0.UseFormData = authParams.Auth0.UseFormData
 		res.TypedSpec().Value.Saml.Enabled = authParams.SAML.Enabled
 		res.TypedSpec().Value.Saml.Url = authParams.SAML.URL
 		res.TypedSpec().Value.Saml.Metadata = authParams.SAML.Metadata
diff --git a/internal/pkg/config/auth.go b/internal/pkg/config/auth.go
@@ -20,9 +20,10 @@ type AuthParams struct {
 
 // Auth0Params holds configuration parameters for Auth0.
 type Auth0Params struct {
-	Domain   string `yaml:"domain"`
-	ClientID string `yaml:"clientID"`
-	Enabled  bool   `yaml:"enabled"`
+	Domain      string `yaml:"domain"`
+	ClientID    string `yaml:"clientID"`
+	UseFormData bool   `yaml:"useFormData"`
+	Enabled     bool   `yaml:"enabled"`
 }
 
 // WebAuthnParams holds configuration parameters for WebAuthn.

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,7 @@ message AuthConfigSpec {`
`12`	`12`	`bool enabled = 1;`
`13`	`13`	`string domain = 2;`
`14`	`14`	`string client_id = 3;`
	`15`	`+ bool useFormData = 4;`
`15`	`16`	`}`
`16`	`17`
`17`	`18`	`message Webauthn {`
Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,7 @@ export type AuthConfigSpecAuth0 = {`
`9`	`9`	`enabled?: boolean`
`10`	`10`	`domain?: string`
`11`	`11`	`client_id?: string`
	`12`	`+ useFormData?: boolean`
`12`	`13`	`}`
`13`	`14`
`14`	`15`	`export type AuthConfigSpecWebauthn = {`