Phabricator OAuth 2.0 initiating SSO login from a Third Party website
Open, Needs Triage, Public


Problem description: Phabricator lacks a method to initiate OAuth 2.0 SSO from a third party website.

We have an "Intranet" portal, which has links to various web-based applications we use. Phabricator is one of the applications. Users can click the links on the portal, and they'll be redirected to the web application in question, with seamless Single Sign-On (SSO). SSO for the applications is often implemented by using OAuth 2.0 authentication or OpenID Connect against the Identity Provider (IDP) we use. Now the actual problem is that Phabricator does not provide a way to "initiate" the OAuth 2.0 SSO login from Third Party websites (such as our Intranet portal). Instead, when users click the "Phabricator" link on our intranet portal, they'll be redirected to the Phabricator login page, where they need to click *again* to choose the authentication method or manually fill in their username/password. We want to make this easier.

OpenID Connect specification (based on OAuth 2.0) describes a method for "Initiating Login from a Third Party", which is exactly what's missing from Phabricator:

Basically, Phabricator needs to provide a URL, say, "https://phabricator.domain.tld/auth/initiate_login", so one can link to that URL from the Third Party website (our portal), which then allows initiating easy and automatic SSO login for users, using the existing external OAuth authentication providers available and configured in the Phabricator server. This same method works for *all* of the existing external OAuth authentication providers (Google, GitHub, Amazon, Facebook, Azure, etc).

As you can see from the OpenID Connect Core Specification, the proposed "initiate_login_uri" needs to accept an "iss" (=Issuer Identifier) parameter, which basically tells which OAuth authentication provider to use when initiating the SSO process. An example URL to link to from a third-party website to initiate the SSO process from Phabricator would be:

(well, the parameter needs to obviously be URL encoded, but you get the idea).

I've implemented a proof of concept of this feature by hacking PhabricatorAuthStartController.php to provide the mentioned "initiate_login" URI, which then verifies if the "iss" parameter URL can be found among the configured OAuth authentication providers in Phabricator, and if found, redirects to that OAuth authentication provider, starting the SSO process, which then continues just like it normally does between Phabricator and the OAuth Identity Provider. The POC implementation seems to work OK.

Does this sound like something that Phabricator upstream wants to have integrated? Or is there already some existing way to accomplish this? Any feedback? Thoughts? :)

pasik created this task. Fri, Feb 17, 5:06 PM
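
The endpoint described in the task, as an added example that is not Phabricator's code or the reporter's proof of concept: it accepts `iss` only on an exact match with a configured provider, generates its own `state`, and goes one step beyond the task by also checking the optional `target_link_uri` parameter from OpenID Connect Core so the endpoint cannot act as an open redirector. The provider table, client id, scope and callback path are constructed for illustration.

```python
import secrets
from urllib.parse import urlencode, urlsplit

# Constructed provider table: issuer identifier -> authorization endpoint, client id.
PROVIDERS = {
    "https://idp.example.com": {
        "authorize": "https://idp.example.com/oauth2/authorize",
        "client_id": "phabricator-client",
    },
}
RP_ORIGIN = "https://phabricator.domain.tld"
CALLBACK = RP_ORIGIN + "/auth/callback"  # hypothetical callback path


def safe_target(target):
    """Return a post-login URL that always stays on the RP's own origin."""
    if target:
        parts = urlsplit(target)
        # Exact origin match rejects userinfo tricks and look-alike hosts.
        if f"{parts.scheme}://{parts.netloc}" == RP_ORIGIN:
            # Path only (query dropped); re-prefixing the origin keeps a
            # path such as "//other.host/x" from becoming protocol-relative.
            return RP_ORIGIN + (parts.path or "/")
    return RP_ORIGIN + "/"


def initiate_login(params, session):
    """Handle GET /auth/initiate_login; returns (status, redirect location)."""
    provider = PROVIDERS.get(params.get("iss", ""))
    if provider is None:
        return 400, None  # unknown issuer: never redirect to it
    # The third party only starts the flow; state is still minted here and
    # bound to the browser session so the callback can verify it.
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    session["oauth_iss"] = params["iss"]
    session["next"] = safe_target(params.get("target_link_uri"))
    query = urlencode({
        "response_type": "code",
        "client_id": provider["client_id"],
        "redirect_uri": CALLBACK,
        "scope": "openid",
        "state": state,
    })
    return 302, provider["authorize"] + "?" + query
```
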

I don't think this is worth bringing upstream. It very occasionally saves users one click on an otherwise straightforward workflow, but requires significant complexity and maintenance from the upstream.

If you only have one OAuth provider, you can "Allow Auto Login" for that provider to get this behavior in all cases.

Is the actual problem here that you have multiple providers (say, LDAP and also Google OAuth) and that users are confused about which they should use? If so, why do you have multiple providers?

pasik edited the task description. Fri, Feb 17, 5:53 PM
chad added a subscriber: chad. Edited Fri, Feb 17, 7:09 PM

We generally don't consider a root problem of "Phabricator lacks feature" as a reason to accept a feature request. We still need to know the underlying problem.

chad added a project: Auth. Wed, Feb 22, 9:02 PM
pasik added a comment. Thu, Feb 23, 6:42 PM

@epriestley: Yes, we have multiple authentication providers configured and needed in Phabricator, and thus "allow auto login" won't work.

@chad: Underlying problem is that we want to have seamless SSO for users coming from our internal portal. In that use case we want to send users to the "start authentication against specific OAuth provider" URL, which makes Phabricator redirect the browser to the specified OAuth IDP, starting the authentication process automatically, and makes the whole SSO process seamless for the end user. This way we can make sure all the users coming from our portal always use the correct IDP, and won't have problems signing in to Phabricator.

About "significant complexity and maintenance": this proposed feature is actually a single URL endpoint on Phabricator, and it's common shared code for all of the OAuth providers in Phabricator, meaning it works with *all* of the existing OAuth authentication providers, and it uses the same OAuth code that's used today for the end-user manually initiated OAuth logins. So not sure about it being "significant complexity"; your viewpoint obviously might differ :)

Why do you have multiple authentication providers?