
Wave app with JWT authentication #118

Merged: 4 commits, Jul 6, 2023

@aranvir (Contributor) commented May 28, 2023

Since OpenID Connect is currently not working for me (h2oai/wave#1924) and I also disliked my reverse proxy solution (h2oai/wave#1940), I wanted to try and see if I can add JWT-based authentication to a Wave app.

I think I came up with quite a decent and easy-to-use implementation, so I wanted to share it with others. Check the readme for more details.

There is at least one small "beauty issue" that I've not been able to solve. And tbh I don't know if this implementation can be considered safe (enough), or if there are some failure points that should be fixed or at least informed about.

Let me know what you think!

@mturoci (Collaborator) left a comment

Wow, great job @aranvir! Seems like a great topic for a blog post as well.

  • Let's add a link to the official OIDC Wave docs to make it clear this is a community-driven effort.
  • The hash can currently be manipulated via custom JS only.
  • What is the beauty issue you mentioned? Centering the login form? If so, you may give the justify / align attributes on ui.zone a try.

@aranvir (Contributor, Author) commented Jul 3, 2023

@mturoci thanks!

  • I started work on this before seeing the updates regarding OIDC and the Keycloak tutorial. Keycloak seems to be an easy alternative when you want to spin up your own OIDC provider, so I'm not sure if the JWT authentication is still valuable. But it was a fun exercise.
  • I'm not sure what you mean with: "The hash can be currently manipulated via custom JS only."
  • Ah, no, "beauty issue" was maybe bad phrasing: my implementation "breaks" the routing in the sense that the address in the browser does not correspond to the page you see if you log out and log back in, as explained here. (Basically, missing a way of changing/resetting the address in the client's browser.)

@mturoci (Collaborator) commented Jul 4, 2023

> Keycloak seems to be an easy alternative when you want to spin up your own OIDC provider, so I'm not sure if the JWT authentication is still valuable.

Agree that Keycloak is a better option here. However, your tutorial is also nice and straightforward, so it could be a good reference for people who still want to roll their own mechanism.

> I'm not sure what you mean with: "The hash can be currently manipulated via custom JS only."

This means one needs to use https://wave.h2o.ai/docs/javascript/ to change the hash route programmatically.

@aranvir (Contributor, Author) commented Jul 4, 2023

@mturoci inline script did the trick for manipulating the path! Also updated the readme to recommend OpenID Connect over this solution.

Now it should be good to go :)

@mturoci (Collaborator) left a comment

Perfect, LGTM. Thanks @aranvir!

@mturoci merged commit 3c9f61e into h2oai:main on Jul 6, 2023
2 checks passed
@HugoP commented Jan 25, 2024

Hi, thank you so much for the example app.

I might have found an issue.

  1. Create two users, "user1" and "user2" in this case.
  2. Log in as "user1".
  3. Log in as "user2" on another computer.
  4. Log out any one of the users and refresh the alternate browser. Result: both users are logged out?
  5. Log in with one of the browsers and refresh the page on the other browser. Result: both users are logged in again?

My setup: Ubuntu 22.04, Python 3.10.12, wave v1.0 and bcrypt v4.0.1

@aranvir (Contributor, Author) commented Jan 25, 2024

Hi @HugoP thanks for the interest!
So, I developed this with wave v0.x and I have noticed that the implementation does not work as well with 1.0 as it did before. Another bug I found is that Firefox Incognito mode is no longer recognized as a separate session if you are logged in (this is how I tested separate users before). Now, if you are logged in in one window and then load the page in the incognito window you are logged in with the same user.

I think I did fix it in a private project, but I have not yet gotten around to updating the example code here as well. Maybe I'll find some time on a weekend soon ;) (or can at least provide snippets for you to fix it yourself)

@HugoP commented Jan 26, 2024

Hi @aranvir thanks for the quick reply.

Any help will be much appreciated.

Keep well :-)
