Add authentication from upstream providers (#107)
Let BasicOIDC delegate authentication to upstream providers (Google, GitHub, GitLab, Keycloak...) Reviewed-on: #107
@ -7,9 +7,11 @@ use actix_identity::Identity;
use actix_web::dev::Payload;
use actix_web::{web, Error, FromRequest, HttpRequest};
use crate::actors::providers_states_actor::ProviderLoginState;
use crate::actors::users_actor;
use crate::actors::users_actor::UsersActor;
use crate::actors::users_actor::{AuthorizedAuthenticationSources, UsersActor};
use crate::data::client::Client;
use crate::data::provider::{Provider, ProviderID};
use crate::data::remote_ip::RemoteIP;
use crate::data::session_identity::SessionIdentity;
use crate::data::user::{FactorID, GrantedClients, TwoFactor, User, UserID};
@ -20,22 +22,79 @@ pub enum Action<'a> {
AdminDeleteUser(&'a User),
AdminResetUserPassword(&'a User),
AdminRemoveUserFactor(&'a User, &'a TwoFactor),
AdminSetAuthorizedAuthenticationSources(&'a User, &'a AuthorizedAuthenticationSources),
AdminSetNewGrantedClientsList(&'a User, &'a GrantedClients),
AdminClear2FAHistory(&'a User),
LoginWebauthnAttempt { success: bool, user_id: UserID },
LoginWebauthnAttempt {
success: bool,
user_id: UserID,
},
StartLoginAttemptWithOpenIDProvider {
provider_id: &'a ProviderID,
state: &'a str,
},
ProviderError {
message: &'a str,
},
ProviderCBInvalidState {
state: &'a str,
},
ProviderRateLimited,
ProviderFailedGetToken {
state: &'a ProviderLoginState,
code: &'a str,
},
ProviderFailedGetUserInfo {
provider: &'a Provider,
},
ProviderEmailNotValidated {
provider: &'a Provider,
},
ProviderMissingEmailInResponse {
provider: &'a Provider,
},
ProviderAccountNotFound {
provider: &'a Provider,
email: &'a str,
},
ProviderAccountDisabled {
provider: &'a Provider,
email: &'a str,
},
ProviderAccountNotAllowedToLoginWithProvider {
provider: &'a Provider,
email: &'a str,
},
ProviderLoginFailed {
provider: &'a Provider,
email: &'a str,
},
ProviderLoginSuccessful {
provider: &'a Provider,
user: &'a User,
},
Signout,
UserNeed2FAOnLogin(&'a User),
UserSuccessfullyAuthenticated(&'a User),
UserNeedNewPasswordOnLogin(&'a User),
TryLoginWithDisabledAccount(&'a str),
TryLocalLoginFromUnauthorizedAccount(&'a str),
FailedLoginWithBadCredentials(&'a str),
UserChangedPasswordOnLogin(&'a UserID),
OTPLoginAttempt { user: &'a User, success: bool },
NewOpenIDSession { client: &'a Client },
OTPLoginAttempt {
user: &'a User,
success: bool,
},
NewOpenIDSession {
client: &'a Client,
},
ChangedHisPassword,
ClearedHisLoginHistory,
AddNewFactor(&'a TwoFactor),
Removed2FAFactor { factor_id: &'a FactorID },
Removed2FAFactor {
factor_id: &'a FactorID,
},
}
impl<'a> Action<'a> {
@ -64,6 +123,11 @@ impl<'a> Action<'a> {
Action::AdminClear2FAHistory(user) => {
format!("cleared 2FA history of {}", user.quick_identity())
}
Action::AdminSetAuthorizedAuthenticationSources(user, sources) => format!(
"update authorized authentication sources ({:?}) for user ({})",
sources,
user.quick_identity()
),
Action::AdminSetNewGrantedClientsList(user, clients) => format!(
"set new granted clients list ({:?}) for user ({})",
clients,
@ -73,6 +137,28 @@ impl<'a> Action<'a> {
true => format!("successfully performed webauthn attempt for user {user_id:?}"),
false => format!("performed FAILED webauthn attempt for user {user_id:?}"),
},
Action::StartLoginAttemptWithOpenIDProvider { provider_id, state } => format!(
"started new authentication attempt through an OpenID provider (prov={} / state={state})", provider_id.0
),
Action::ProviderError { message } =>
format!("failed provider authentication with message '{message}'"),
Action::ProviderCBInvalidState { state } =>
format!("provided invalid callback state after provider authentication: '{state}'"),
Action::ProviderRateLimited => "could not complete OpenID login because it has reached failed attempts rate limit!".to_string(),
Action::ProviderFailedGetToken {state, code} => format!("could not complete login from provider because the id_token could not be retrieved! (state={:?} code = {code})",state),
Action::ProviderFailedGetUserInfo {provider} => format!("could not get user information from userinfo endpoint of provider {}!", provider.id.0),
Action::ProviderEmailNotValidated {provider}=>format!("could not login using provider {} because its email was marked as not validated!", provider.id.0),
Action::ProviderMissingEmailInResponse {provider}=>format!("could not login using provider {} because the email was not provided by userinfo endpoint!", provider.id.0),
Action::ProviderAccountNotFound { provider, email } =>
format!("could not login using provider {} because the email {email} could not be associated to any account!", &provider.id.0),
Action::ProviderAccountDisabled { provider, email } =>
format!("could not login using provider {} because the account associated to the email {email} is disabled!", &provider.id.0),
Action::ProviderAccountNotAllowedToLoginWithProvider { provider, email } =>
format!("could not login using provider {} because the account associated to the email {email} is not allowed to authenticate using this provider!", &provider.id.0),
Action::ProviderLoginFailed { provider, email } =>
format!("could not login using provider {} with the email {email} for an unknown reason!", &provider.id.0),
Action::ProviderLoginSuccessful {provider, user} =>
format!("successfully authenticated using provider {} as {}", provider.id.0, user.quick_identity()),
Action::Signout => "signed out".to_string(),
Action::UserNeed2FAOnLogin(user) => {
format!(
@ -90,6 +176,9 @@ impl<'a> Action<'a> {
Action::TryLoginWithDisabledAccount(login) => {
format!("successfully authenticated as {login}, but this is a DISABLED ACCOUNT")
}
Action::TryLocalLoginFromUnauthorizedAccount(login) => {
format!("successfully locally authenticated as {login}, but this is a FORBIDDEN for this account!")
}
Action::FailedLoginWithBadCredentials(login) => {
format!("attempted to authenticate as {login} but with a WRONG PASSWORD")
}
@ -116,6 +205,7 @@ impl<'a> Action<'a> {
factor.quick_description(),
),
Action::Removed2FAFactor { factor_id } => format!("Removed his factor {factor_id:?}"),
}
}
}
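Review bot: The new `Action::ProviderFailedGetToken` arm in the `@ -73,6 +137,28 @@` hunk writes the provider's authorization `code` verbatim into the log message, together with a `{:?}` dump of the whole `ProviderLoginState`; if the token exchange failed, that code may not have been consumed at the provider, and whatever the state struct carries (not visible in this hunk — possibly a nonce or other per-login secret) ends up in the audit trail. Log only what is needed to correlate the attempt, e.g. `Action::ProviderFailedGetToken { state, .. } => format!("could not complete login from provider because the id_token could not be retrieved! (state={:?})", state)`, or log the state's identifier field rather than the full struct if one exists, and drop `code` from the variant's payload (or its message) entirely. The same consideration applies to the `state` value echoed by `StartLoginAttemptWithOpenIDProvider` and `ProviderCBInvalidState`, though those are lower risk. Separately, several of the new arms (`ProviderEmailNotValidated {provider}=>format!(...)`, `ProviderMissingEmailInResponse {provider}=>format!(...)`, `ProviderFailedGetToken {state, code}`) are not rustfmt-formatted and exceed the 100-column limit; running `cargo fmt` would bring them in line with the surrounding arms. The enclosing `match` begins and ends outside this hunk.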