Interest in collaborating on OAuth2 features in CHT Core?

Background on SSO and CHT

Single Sign On (SSO) is often used when an organization manages many users and wants to centralize which credentials are used when logging into their IT systems. By centralizing, maintenance is reduced for on-boarding and off-boarding users and it’s trivial to audit usage data across multiple systems. Further, automatic provisioning, forgot password and two factor authentication become trivial to deploy.

A common solution to SSO is OIDC (OpenID Connect, built on Open Authorization v2.0, i.e. OAuth2). This is a technical specification for how the different parts of SSO should work and allows applications like the CHT Core to provide SSO knowing it can work with any OIDC compliant system (e.g. Keycloak or Azure AD).

Medic recently considered implementing SSO, but this current effort is to have the CHT authenticate via an OAuth2 provider over OIDC, whereas the original effort was making the CHT an OAuth2 provider.

What is a community squad?

The CHT is a strong and growing community all solving similar problems in their own way. This growing community presents a great opportunity to increase innovation and efficiency by forming squads of community members to collaborate on development of specific initiatives. Members could collaborate by helping design the solution, writing the code, testing, or by funding some of the development. These will be designed as short term agile teams to get the feature developed and released as quickly as possible. All work is done in the open and under open source licenses, of course!

The collaboration request

We’d like to ask the larger community if anyone is interested in joining a squad in the coming week to work on SSO? Given the accelerated schedule - don’t wait to voice your interest! Medic teammates will be available for guidance, including inviting key stakeholders to a Slack channel and helping with any scheduling that might be needed. After a squad has been formed, we’re excited to see a technical design document published for the squad to review.

8 Likes

At Visortech Solutions we are interested in collaborating on this!

2 Likes

(ssollinc.com) Happy to be part of this!

2 Likes

@vchelule and @bernard - this is great news - thank you! Medic will be in touch about next steps.

cc @antony

Happy to be part of this effort

1 Like

@rukshan - welcome to the forums!

Thanks for expressing your interest - we’ll be sure to include you going forward.

Hi, I am interested in being part of the squad.

1 Like

Hi all, we are so glad to collaborate with you to build the SSO feature. We will be having our kickoff call on Thursday Nov 7, 2024. Can you please select your preferred time for the kickoff call? (The proposed time slots have been shared on the sso-work-community-squad Slack channel.)

1 Like

I asked Perplexity (AI) for some direction and got this answer; do you think it makes sense?

https://www.perplexity.ai/search/ppy-how-could-i-add-oauth-to-t-Z6USN.c9QtGen_2DuOtwLw

Long story short:

  • Add JWT token support
  • Add OAuth configuration
  • Update client connection
  • Update login controller
2 Likes

Thanks for the suggestions @delcroip ! I’ve invited you to join our Slack channel discussing the SSO effort. As well, you’re welcome to join the meeting we have once per week.

Both the meeting notes and design doc are available for comment.

Hello Community,

I hope you are well.

As part of the squad working on the SSO implementation for the CHT platform, I wanted to bring a few critical points to your attention and invite more contributors to join this effort.

Issue Summary

We’ve noticed that user credentials are not being encrypted during login to the CHT platform, which is raising concerns about compliance with ICRC security standards. While the data in the POST body is encrypted during transit via SSL, the browser can still access this data in an unencrypted format before SSL encryption takes effect.

This is not necessarily a security vulnerability per se, as authentication data must eventually be sent to the server for verification. However, implementing an SSO setup would mitigate this issue entirely by adding an extra layer of abstraction, ensuring the CHT server does not need direct access to user credentials.

Current Progress and Roadblocks

The SSO implementation is a critical component of meeting these security standards. However, the squad currently lacks sufficient development resources to move forward as quickly as we’d like. To ensure we can meet the security requirements, we need the community’s input and active participation.

Call to Action

I’m reaching out to the community to:

  1. Provide Input: If you’ve worked on similar implementations or have insights on best practices, please share them.
  2. Collaborate: We’d love for more developers to join the SSO development effort. Your contributions can make a significant difference in achieving a secure and compliant login system.
  3. Discuss: If there are other concerns or suggestions related to this issue, feel free to share them here for broader discussion.

Your collaboration is vital to help us meet the ICRC’s security standards and improve the platform for everyone. Please don’t hesitate to reply to this post with your thoughts or reach out directly if you’d like to get involved in the SSO development.

Thank you for your time and support!

3 Likes