Adding a skill to create a first class skill covering all of Form.io authentication and authorization.#7
Open
travist wants to merge 6 commits into
Open
Adding a skill to create a first class skill covering all of Form.io authentication and authorization.#7travist wants to merge 6 commits into
travist wants to merge 6 commits into
Conversation
…authentication and authorization.
blakekrammes
requested changes
May 26, 2026
Contributor
blakekrammes
left a comment
blakekrammes
left a comment
There was a problem hiding this comment.
It looks good overall! I think the OIDC comments should be addressed (also the SAML comment). Some of the other suggestions are more minor.
blakekrammes
requested changes
May 29, 2026
blakekrammes
requested changes
May 29, 2026
|
|
||
| Claim semantics: | ||
|
|
||
| - `user._id` — MongoDB ID of the user submission when the identity is backed by a `user` Resource row (Resource login). For SSO (Remote Authentication) and Custom JWTs there is no Resource row — the user is ephemeral and `user._id` is either an IDP id (for SSO), or the `"external"` sentinel for Custom JWTs. |
Contributor
There was a problem hiding this comment.
Suggested change
| - `user._id` — MongoDB ID of the user submission when the identity is backed by a `user` Resource row (Resource login). For SSO (Remote Authentication) and Custom JWTs there is no Resource row — the user is ephemeral and `user._id` is either an IDP id (for SSO), or the `"external"` sentinel for Custom JWTs. | |
| - `user._id` — MongoDB ID of the user submission when the identity is backed by a `user` Resource row (Resource login). For SSO (Remote Authentication) and Custom JWTs there is no Resource row — the user is ephemeral and `user._id` is either a literal IDP id (or derived from one) for SSO, or the `"external"` sentinel for Custom JWTs. |
maybe too much in the weeds, but we don't use the direct sub (or custom id path) claim for OIDC for instance, but instead encode a truncated form of it in a mongo id.
Member
Author
There was a problem hiding this comment.
I will change "id" to say "identifier" so we are purposefully vague on what we are using.
| - `settings.provider` = "openid" | ||
| - `settings.association` = "remote" | ||
| - `settings.button` = "oidcLogin" <== Must match the key for the OIDC login button component. | ||
| - `settings.redirectURI` = "..." <== The application url to navigate to after the OIDC handshake. |
Contributor
There was a problem hiding this comment.
Suggested change
| - `settings.redirectURI` = "..." <== The application url to navigate to after the OIDC handshake. | |
| - `settings.redirectURI` = "..." <== The application url to navigate to after the OIDC handshake (defaults to `window.location.origin` of the application). |
| - Issuing a Form.io JWT entirely from your own backend without an IdP at all → see [`custom-jwt.md`](./custom-jwt.md). | ||
|
|
||
| ## Configuration | ||
| In order to perform a token swap, the projects OpenID settings must be configured. See [`sso-oidc.md`](./sso-oidc.md) for instructions on these configurations. |
Contributor
There was a problem hiding this comment.
Suggested change
| In order to perform a token swap, the projects OpenID settings must be configured. See [`sso-oidc.md`](./sso-oidc.md) for instructions on these configurations. | |
| In order to perform a token swap, the project's OpenID settings must be configured. See [`sso-oidc.md`](./sso-oidc.md) for instructions on these configurations. |
| ## Configuration | ||
| In order to perform a token swap, the projects OpenID settings must be configured. See [`sso-oidc.md`](./sso-oidc.md) for instructions on these configurations. | ||
|
|
||
| **Import: You must also ensure you have the role mappings configured within the project settings to properly map the OIDC claims with the Form.io Roles.** |
Contributor
There was a problem hiding this comment.
Suggested change
| **Import: You must also ensure you have the role mappings configured within the project settings to properly map the OIDC claims with the Form.io Roles.** | |
| **Important: You must also ensure you have the role mappings configured within the project settings to properly map the OIDC claims with the Form.io Roles.** |
| With these settings in place, and saved within the OAuth Action, when a user is using the form (embedded within the application), and clicks on the button, the following occurs. | ||
|
|
||
| 1. User is redirected to IDP authentication page and logs in. | ||
| 2. IDP auth performs a redirect to the login form endpoint with access tokens in query params |
Contributor
There was a problem hiding this comment.
Suggested change
| 2. IDP auth performs a redirect to the login form endpoint with access tokens in query params | |
| 2. IDP auth performs a redirect to `settings.redirectURI` with the access and id tokens in query params |
I think saying redirect to the login form could lead the agent to assume that the login form's API endpoint is the callback/redirect uri.
Member
Author
There was a problem hiding this comment.
It is the login form endpoint that it redirects to... Correct me if I am wrong but I think the flow is the following.
- User clicks button
- Application opens up IDP authorize page.
- After the user logs in, the IDP auth page sends the browser to the 'server-side' callback url with token
- Server side processing occurs with the token, gets the user info
- Server then uses the 'redirectURI' to perform a 301 redirect to that url with jwt-token in header to set token.
- User sees the application go to the url and they have the token.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR separates out the Form.io authentication and authorization away from the
formio-resource-plannerskill into its own first class skill to describe the many methods of authentication and authorization within a Form.io application. It also incorporates a coordination between the formio-resource-planner since a big part of that skill is the setup of users and groups to achieve a certain application goal.