
[Proposal] External authentication flow #163

Open
mochaaP opened this issue Jun 9, 2022 · 4 comments

Comments

@mochaaP

mochaaP commented Jun 9, 2022

As discussed in https://t.me/blessing_skin/176521

  • Add an optional field (externalLogin / oauth / etc.) to metadata and specify whether to force external authentication
  • If extra authentication is required, return an exception on plain login
  • Client opens a new browser window, navigates to https://site.com/yggdrasil/oauth?client={clientToken}&callback=launcher://authlib-injector/callback and waits for user interaction
  • a) Redirect to launcher://authlib-injector/callback?client={clientToken}&token={accessToken} / http://localhost:####/callback?client={clientToken}&token={accessToken}
    b) 1. Redirect to https://site.com/yggdrasil/oauth/complete?client={clientToken}&token={accessToken} (more semantic but one more request)
       2. Use a magic string for callback (e.g. oauth:{clientToken})
       Then the client polls https://site.com/yggdrasil/oauth/status?client={clientToken} for the callback
  • Client calls validate and does the remaining steps as usual

Scenario

  • External authentication provider integration (Social login, SSO)
  • 2FA

Issues

  • Not exactly OAuth
    No scope, no application id
  • Reimplementing it again in our specs
    e.g. Blessing Skin Server already has a great OAuth implementation
  • Possibly bad integration with software developed specifically for the official Yggdrasil implementation; it won't be able to log in if only the external authenticator is supported

Workarounds

  • Use "App Passwords" aside from returning accessToken
    Requires extra UI & logic
  • Return an "auth string" (to separate the name from the tokens) in the password field all the time
    Consider again exposing tokens to end users
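A runnable sketch of the polling variant (b.2) described above, added here as an example; it is not code from this issue, from authlib-injector or from Blessing Skin. It models both sides in one process: an in-memory stand-in for the server (metadata field, exception on plain login, the oauth:{clientToken} magic callback, the /oauth/complete and /oauth/status steps, validate) and the launcher-side loop that polls for the token. The class and function names, the ExternalAuthRequired exception, the pending-record TTL and the one-time hand-out of the token from the status call are assumptions made for this example, not part of the proposal.

```python
import secrets
import time


class ExternalAuthRequired(Exception):
    """Plain /authenticate is refused because the site forces external login (assumed error)."""


class YggdrasilAuthServer:
    """In-memory stand-in for the server side of the proposed flow (constructed for this example)."""

    OAUTH_URL = "https://site.com/yggdrasil/oauth"

    def __init__(self, force_external=True, pending_ttl=300, clock=time.time):
        self.force_external = force_external
        self.pending_ttl = pending_ttl        # assumption: pending logins expire
        self.clock = clock                    # injectable for tests
        self.pending = {}                     # clientToken -> {"created": ts, "token": accessToken | None}
        self.sessions = {}                    # accessToken -> clientToken (assumed session store)

    # Step 1: metadata carries the optional externalLogin field and whether it is forced
    def metadata(self):
        return {"meta": {"externalLogin": {"url": self.OAUTH_URL, "force": self.force_external}}}

    # Step 2: plain login raises when external authentication is forced
    def authenticate(self, username, password, client_token):
        if self.force_external:
            raise ExternalAuthRequired("external authentication required, open the oauth page")
        return self._issue(client_token)

    # Step 3: GET /yggdrasil/oauth?client=...&callback=oauth:{clientToken} opens a pending record
    def oauth_begin(self, client_token, callback):
        if callback != f"oauth:{client_token}":
            raise ValueError("only the oauth:{clientToken} magic callback is handled here")
        self.pending[client_token] = {"created": self.clock(), "token": None}

    # Step 4: the site's own login page reaches /oauth/complete once the user finished SSO/2FA.
    # Design choice of this example: the server issues the accessToken here instead of
    # receiving it in a redirect URL, so the token never appears in a browser-visible URL.
    def oauth_complete(self, client_token):
        entry = self._live_pending(client_token)
        if entry is None:
            raise ValueError("no pending login for this client token")
        entry["token"] = self._issue(client_token)

    # Step 5: the launcher polls /oauth/status; the token is handed out once, then the record is dropped
    def oauth_status(self, client_token):
        entry = self._live_pending(client_token)
        if entry is None:
            return {"status": "unknown"}
        if entry["token"] is None:
            return {"status": "pending"}
        del self.pending[client_token]
        return {"status": "done", "accessToken": entry["token"]}

    # Step 6: the usual validate call, token bound to the clientToken that requested it
    def validate(self, access_token, client_token):
        return self.sessions.get(access_token) == client_token

    def _issue(self, client_token):
        token = secrets.token_hex(16)
        self.sessions[token] = client_token
        return token

    def _live_pending(self, client_token):
        entry = self.pending.get(client_token)
        if entry is None:
            return None
        if self.clock() - entry["created"] > self.pending_ttl:
            del self.pending[client_token]    # expired: treat like it never existed
            return None
        return entry


def launcher_login(server, client_token, user_completes_login, poll_limit=10):
    """Launcher side (hypothetical helper): plain login, external fallback, then validate."""
    try:
        token = server.authenticate("alice", "hunter2", client_token)   # constructed credentials
    except ExternalAuthRequired:
        meta = server.metadata()["meta"]["externalLogin"]
        browser_url = f"{meta['url']}?client={client_token}&callback=oauth:{client_token}"
        server.oauth_begin(client_token, f"oauth:{client_token}")   # what opening browser_url triggers
        user_completes_login()                                     # user finishes SSO/2FA in the browser
        token = None
        for _ in range(poll_limit):
            status = server.oauth_status(client_token)
            if status["status"] == "done":
                token = status["accessToken"]
                break
        if token is None:
            return None
    return token if server.validate(token, client_token) else None


if __name__ == "__main__":
    srv = YggdrasilAuthServer(force_external=True)
    ct = secrets.token_hex(16)                  # per-attempt clientToken, unguessable
    print("accessToken:", launcher_login(srv, ct, lambda: srv.oauth_complete(ct)))
```

The point to check in any real implementation is the status endpoint: whoever can poll it with the right clientToken receives the accessToken, so the clientToken has to be unguessable and per attempt, the pending record should expire, and the token should be handed out only once.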
@tnqzh123

tnqzh123 commented Jun 9, 2022

> Client calls refresh to validate token and do remaining steps as usual

Yggdrasil has a dedicated validate endpoint for checking whether an accessToken is usable (doc).

> • Reimplementing it again in our specs
>   e.g. Blessing Skin Server already have a great OAuth implementation

The OAuth implementation bundled with BS may not be very suitable for this proposal: it still requires the OAuth application developer to create an application inside the skin site (entering an application name and a callback URL), and you can't expect launcher authors to create an application on every skin site; moreover, BS's OAuth doesn't return an accessToken that can be used for Yggdrasil login, nor does it implement things like multi-profile selection (though that step could be handed off to the launcher).

@mochaaP
Author

mochaaP commented Jun 10, 2022

edited

@FLYEMOJ1

FLYEMOJ1 commented Mar 4, 2024

Followed by Group: "LittleSkin Community Admins"
Content:

1. The launcher uses WebView2 or bundles a copy of CEF (seriously?) to open the authentication page, and registers a scheme to receive the callback from the embedded browser
2. The launcher opens the system browser, starts a local websocket server and passes the ws port in the URL, so the browser delivers the login message over ws
3. The scheme from the proposal, but since the launcher may be portable, the scheme has to be registered every time the launcher starts

@FLYEMOJ1

FLYEMOJ1 commented Mar 4, 2024

Followed by Group: "LittleSkin Community Admins"
Content:

1. The launcher uses WebView2 or bundles a copy of CEF (seriously?) to open the authentication page, and registers a scheme to receive the callback from the embedded browser
2. The launcher opens the system browser, starts a local websocket server and passes the ws port in the URL, so the browser delivers the login message over ws
3. The scheme from the proposal, but since the launcher may be portable, the scheme has to be registered every time the launcher starts

Personally I think option 2, opening the system browser, is feasible, simply because other launchers also use this approach for Microsoft account verification.
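For the loopback variant (option (a) of the proposal with an http://localhost:####/callback URL, and the system-browser approach favoured in the comment above), here is an added example of the launcher-side receiver; it is not code from this issue or from any launcher. It listens on an ephemeral loopback port, accepts exactly one callback whose client parameter matches the login attempt that opened the port, and rejects anything else. The helper names and the simulated browser redirect are constructed for this example; a websocket listener as in option 2 would follow the same shape with a ws port in the URL instead of a callback URL.

```python
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import urlopen


def run_loopback_callback(client_token, deliver, timeout=5.0):
    """Launcher-side loopback receiver (hypothetical helper).

    Binds 127.0.0.1 on an OS-chosen port, hands the resulting
    http://127.0.0.1:<port>/callback URL to `deliver` (in real use: open the
    site's oauth page in the system browser with this URL as `callback`), and
    returns the accessToken delivered to it, or None if no valid callback
    arrived within `timeout` seconds.
    """
    result = {}
    done = threading.Event()

    class CallbackHandler(BaseHTTPRequestHandler):
        def log_message(self, *args):          # keep the console quiet
            pass

        def do_GET(self):
            url = urlparse(self.path)
            if url.path != "/callback":
                self.send_error(404)
                return
            query = parse_qs(url.query)
            client = query.get("client", [""])[0]
            token = query.get("token", [""])[0]
            # Only the attempt that opened this port may complete it: the client
            # parameter must match the clientToken we started with (constant-time compare).
            if not token or not secrets.compare_digest(client.encode(), client_token.encode()):
                self.send_error(400, "callback does not belong to this login attempt")
                return
            if done.is_set():                   # first valid callback wins
                self.send_error(409, "login already completed")
                return
            result["token"] = token
            done.set()
            body = b"Login complete, you can close this window."
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    server = HTTPServer(("127.0.0.1", 0), CallbackHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        deliver(f"http://127.0.0.1:{port}/callback")
        done.wait(timeout)
    finally:
        server.shutdown()                       # stop listening as soon as the attempt is over
        server.server_close()
    return result.get("token")


def simulate_browser_redirect(callback_url, client, token):
    """Stand-in for the browser following the site's redirect (constructed); returns the HTTP status."""
    target = callback_url + "?" + urlencode({"client": client, "token": token})
    try:
        with urlopen(target) as response:
            return response.status
    except HTTPError as err:
        return err.code


if __name__ == "__main__":
    my_client = secrets.token_hex(16)          # per-attempt clientToken, unguessable
    got = run_loopback_callback(
        my_client, lambda cb: simulate_browser_redirect(cb, my_client, "demo-token"))
    print("received accessToken:", got)
```

Because the port is open only for the duration of one attempt and the handler checks the client parameter against the attempt that created it, a stray or stale redirect to the loopback port gets a 400 and the launcher simply times out instead of accepting a token it did not ask for.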
