komga icon indicating copy to clipboard operation
komga copied to clipboard
verified publisher icon gotson

[oauth2] support custom signing algorithms and PKCE for social login

Open ToxicMushroom opened this issue 1 year ago • 4 comments

This pr would allow users to configure different oauth2 id_token signing algorithms And prevent against worst consequences of accidental client-secret leakage using PKCE.

Please let me know if I should do the configuration stuff differently or if things (beans) are in the wrong place :) Or if the defaults should stay pkce disabled and RS256 signing.

I currently tested these changes locally using komga [bootRun] dev,localdb,noclaim,oauth2 and my kanidm instance configured as custom oauth2 client/provider. I also tested with the github example, seems to also support ES256 and pkce.

ToxicMushroom avatar May 21 '24 04:05 ToxicMushroom

Hi, can you provide more context ? I have no idea what the problem is in the first place.

gotson avatar May 27 '24 03:05 gotson

Hi, can you provide more context ? I have no idea what the problem is in the first place.

I cannot use my IDM tool kanidm because of the spring security library only doing RS256 token signing out of the box. Spring also does not come with PKCE by default and disabling PKCE is also considered less secure as per https://kanidm.github.io/kanidm/master/frequently_asked_questions.html#why-is-disabling-pkce-considered-insecure.

These things can sadly not by enabled via the spring oauth provider config (with no interest from spring upstream to add it), thus the code changes here to allow for it.

Sorry for the lack of context, I had provided this in the discord and didn't think further about it after being told to create an issue/pr.

ToxicMushroom avatar May 27 '24 12:05 ToxicMushroom

Thanks. This should ideally be baked in Spring Boot, as mentioned here. I have not seen this raised in the Spring Boot repo though.

I am reluctant to merge this PR, as the setting would apply to all registered OAuth2 providers, and not just the one needed.

I think a better approach would be to raise this in the Spring Boot repo and see if they can add support for it in the auto configuration.

gotson avatar May 28 '24 02:05 gotson

It appears that pkce can now be done via a bean, idk if this is better or provides access to client config, will have to test that out: https://github.com/spring-projects/spring-security/issues/15236. I'm linking this here so I don't lose track of it.

ToxicMushroom avatar Nov 24 '24 12:11 ToxicMushroom