Authentication and security in Theia IDE

[slemeur]

Description

Communications between Theia integrated within Che and Che Server as well as workspace's containers should be secured.

Sub-tasks

• Study :Authentication with jwtproxy Study: Authentication with jwtproxy #9843
• Cover ws-agent/exec-agent/terminal with JWT proxy | Cover ws-agent/exec-agent/terminal with JWT proxy on K8s/OpenShift infrastuctures #10081
• Create CQ for jwtproxy | Create CQ for jwtproxy #10078
• Make a unique nonce as optional check in jwtproxy | Make a unique nonce as optional check in jwtproxy #10090
• Make it possible for Go agents to accept authentication tokens from header | Make it possible for Go agents to accept authentication tokens from header #10101
• Make aud claim optional StringOrURI in JWTProxy Make aud claim optional StringOrURI in JWTProxy #10308
• Create exclude rules for jwtproxy Create exclude rules for jwtproxy #10312
• Authentication cookie set up mechanism Authentication cookie set up mechanism #10349
• Add an ability to configure public accessible paths for Che secure servers Add an ability to configure public accessible paths for Che secure servers #10400
• A lot of failing Selelnium tests with jwtproxy auth enabled A lot of failing Selelnium tests with jwtproxy auth enabled #10490
• JwtProxy: initial authentification redirect JwtProxy: initial authentification redirect. #10493
• JwtProxy: authenticate method JwtProxy: authenticate method #10494
• Generic authentication/authorization components Generic authentication/authorization components eclipse-theia/theia#2126
• Make loader page URL configurable within property Make loader page URL configurable within property #10611
• Rework JwtProxyConfigBuilder to use Objects instead of formatting string config template Rework JwtProxyConfigBuilder to use Objects instead of formatting string config template #10402
• Add an ability to configure a jwtproxy image Authentication and security in Theia IDE #9383
• Make public/private signing keys pair per-workspace and synch with workspace runtime (renew pair on each workspace restart) Make public/private signing keys pair per-workspace and synch with workspace runtime (renew pair on each workspace restart) #10074
• Add an ability to configure if a secure server should supports authentication with a cookie or not Add an ability to configure if a secure server should supports authentication with a cookie or not #10725
• Add an ability to configure a jwtproxy image Add an ability to configure a jwtproxy image #10733
• Document "Authentication and security in Theia IDE" feature Document "Authentication and security in Theia IDE" feature #10762

[skabashnyuk]

I see such points here.

• we should have some sort of request factory that can add tokens to request headers
• we should add a component to get token in case if a header is not an option (example initial OAuth request, file upload, javadocs url)
• we should protect our infrastructure with some software that checks tokens. I would like to try https://github.com/coreos/jwtproxy in this role.

[garagatyi]

Note that we also need a guide for plugins/features/LSs developers.

[slemeur]

Thanks @skabashnyuk and @garagatyi ! Adding to the issue description.

[skabashnyuk]

This epic complete for OS/K8s infrastructure.
Docker infrastructure would be covered under this issue #10242