
Implement M2M authentication using ory hydra#1803

Merged: thesocialdev merged 2 commits into stage from 1801-enhancement-support-m2m-authentication-for-external-integrations on Feb 12, 2025

Conversation

thesocialdev (Collaborator) commented Jan 26, 2025

Description

  • Introduce a new M2M guard that checks whether the request comes from another machine, using OAuth2 backed by Ory Hydra
  • Refactor the guard logic and use a base guard to share utilities across guards
  • Introduce a new ability called "Integration" that has the ability to create entities in the platform; in the future we want more granularity through scope-based authentication

Links #1801

Type of change

  • New feature (non-breaking change which adds functionality)

Testing

You will need to set up Ory Hydra locally; use the docker compose setup to bring up that infrastructure:

Setup with Docker

docker compose up kratos kratos-migrate mongodb hydra hydra-migrate sqlite

You will need to manually create an OAuth2 client and generate the tokens through the Hydra CLI:

docker exec aletheia-hydra-1 hydra create client --endpoint http://127.0.0.1:4445 --format json --grant-type client_credentials

To generate the tokens, take the client_id and client_secret that the command above prints and pass them to:

docker exec aletheia-hydra-1 hydra perform client-credentials --endpoint http://127.0.0.1:4444/ --client-id "<CLIENT_ID>" --client-secret "<CLIENT_SECRET>"

Setup with Ory cloud

Create a new client in the Ory Cloud console and follow these steps:
[Screenshots: creating the OAuth2 client in the Ory console, 2025-01-29]
Make sure you mark it to skip consent.
[Screenshot: skip consent setting]
Save your secret.
[Screenshots: client secret, client ID and project domain]

With the info you can collect as shown in the screenshots above, create a .env file inside ory_config/test/ and follow the steps in the README.md in the same folder. Your .env file should look like:

CLIENT_ID=the-client-id
CLIENT_SECRET=the-secret-id
ORY_PROJECT_DOMAIN=your-project.projects.oryapis.com # DON'T ADD THE FULL URL WITH HTTPS://

Run the script to get the token and use it for the authentication in the next step:

./get_token.sh
# Access Token: ory_at_ulRLGAH-7okU9pjrm-b_dD9goNsFyRGdVe3RaLtf3UM.NmuInIvut8yOGHV7JKlqbDTroDmL3NbaOaf5rh6CCGM

Authenticating with M2M tokens

In Postman (or with curl), pass the token as an Authorization header:

# Should be redirected to the forbidden page due to role mismatch
curl --location 'http://localhost:3000/admin' \
--header 'Authorization: Bearer <TOKEN>'
# Any POST endpoint should now work with this authentication method
curl --location --request POST 'http://localhost:3000/api/claim' \
--header 'Authorization: Bearer <TOKEN>' \
--data '{}'

Developer Checklist

General

  • Code is appropriately commented, particularly in hard-to-understand areas
  • Repository documentation has been updated (Readme.md) with additional steps required for a local environment setup.
  • No console.log or related logging is added.
  • No code is repeated/duplicated in violation of DRY. The exception to this is for new (MVP/Prototype) functionality where the abstraction layer may not be clear (comments should be added to explain the violation of DRY in these scenarios).
  • Documented with TSDoc all library and controller new functions

Backend Changes

  • All endpoints are appropriately secured with Middleware authentication
  • All new endpoints have an interface schema defined

Tests

  • All existing unit and end to end tests pass across all services
  • Unit and end to end tests have been added to ensure backend APIs behave as expected

Merge Request Review Checklist

  • An issue is linked to this PR and these changes meet the requirements outlined in the linked issue(s)
  • High risk and core workflows have been tested and verified in a local environment.
  • Enhancements or opportunities to improve performance, stability, security or code readability have been noted and documented in JIRA issues if not being addressed.
  • Any dependent changes have been merged and published in downstream modules
  • Changes to multiple services can be deployed in parallel and independently. If not, changes should be broken out into separate merge requests and deployed in order.
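The description above says what the M2M guard does (accept a request carrying a Hydra-issued access token) but the guard itself is not shown on this page. The following is an added TypeScript example, not the Aletheia project's code, of the checks such a guard has to perform. It assumes Hydra v2, whose opaque `ory_at_...` access tokens cannot be validated locally and must be sent to the admin API's introspection endpoint (POST /admin/oauth2/introspect, an RFC 7662 endpoint; in the docker setup above that is port 4445, which must never be reachable from the public network). All function names, the `FetchLike` shape and the scope value `claims:write` used in the comments are illustrative assumptions; the `token_use` field is Hydra's own introspection field distinguishing access tokens from refresh tokens.

```typescript
// Added example (not the project's code): the core checks an M2M guard makes on
// an Ory Hydra access token. Function and type names are assumptions.

export interface Introspection {
  active: boolean;        // false for unknown, revoked or expired tokens
  client_id?: string;     // the OAuth2 client that obtained the token
  scope?: string;         // space-delimited granted scopes
  token_use?: string;     // Hydra: "access_token" or "refresh_token"
  exp?: number;           // expiry, seconds since the epoch
}

export interface M2MDecision {
  allowed: boolean;
  reason: string;
  clientId?: string;
}

/** Pull the token out of an "Authorization: Bearer <token>" header, or null. */
export function parseBearer(header: string | undefined): string | null {
  if (!header) return null;
  const m = /^Bearer\s+(\S+)$/i.exec(header.trim());
  return m ? m[1] : null;
}

/**
 * Decide whether an introspection result authorises an M2M request.
 * `requiredScope` is optional because this PR grants a single "Integration"
 * ability; scope-based granularity is described as future work.
 */
export function evaluateIntrospection(
  info: Introspection,
  requiredScope?: string,
  nowSeconds: number = Math.floor(Date.now() / 1000),
): M2MDecision {
  if (!info.active) return { allowed: false, reason: "token inactive" };
  // A refresh token must never be accepted as a bearer credential.
  if (info.token_use !== undefined && info.token_use !== "access_token") {
    return { allowed: false, reason: `wrong token use: ${info.token_use}` };
  }
  // Hydra reports expired tokens as inactive; re-check exp defensively.
  if (info.exp !== undefined && info.exp <= nowSeconds) {
    return { allowed: false, reason: "token expired" };
  }
  // Without a client_id there is no machine identity to attach to the request.
  if (!info.client_id) return { allowed: false, reason: "no client_id" };
  if (requiredScope) {
    const granted = (info.scope ?? "").split(/\s+/).filter(Boolean);
    if (!granted.includes(requiredScope)) {
      return { allowed: false, reason: `missing scope ${requiredScope}` };
    }
  }
  return { allowed: true, reason: "ok", clientId: info.client_id };
}

// Minimal fetch-like shape so the block does not depend on a global fetch type.
export type FetchLike = (
  url: string,
  init: { method: string; headers: Record<string, string>; body: string },
) => Promise<{ ok: boolean; status: number; json(): Promise<unknown> }>;

/** Introspect a token against a Hydra admin base URL, e.g. http://127.0.0.1:4445. */
export async function introspectWithHydra(
  adminBaseUrl: string,
  token: string,
  fetchImpl: FetchLike,
): Promise<Introspection> {
  const res = await fetchImpl(`${adminBaseUrl}/admin/oauth2/introspect`, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: `token=${encodeURIComponent(token)}`,
  });
  if (!res.ok) throw new Error(`introspection failed: HTTP ${res.status}`);
  return (await res.json()) as Introspection;
}

/** Full guard path: Authorization header -> introspection -> decision. */
export async function checkM2MRequest(
  authHeader: string | undefined,
  adminBaseUrl: string,
  fetchImpl: FetchLike,
  requiredScope?: string,
): Promise<M2MDecision> {
  const token = parseBearer(authHeader);
  if (!token) return { allowed: false, reason: "no bearer token" };
  const info = await introspectWithHydra(adminBaseUrl, token, fetchImpl);
  return evaluateIntrospection(info, requiredScope);
}
```

The decision logic is kept separate from the network call so it can be unit-tested with hand-built introspection responses, and so the guard fails closed: any field it cannot interpret (inactive token, refresh token, missing client_id) denies the request rather than falling through to a role check.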

* Introduce a new M2M guard that will check if the request comes from another machine
using OAuth2 backed by Ory hydra
* Refactor Guard logic and use a base guard to share utilities across guards
* Introduce a new ability called "Integration" that will have the ability to create
entities in the platform, in the future we want more granularity through a scope
based authentication
@thesocialdev thesocialdev requested review from caneppelevitor and pepermao and removed request for caneppelevitor January 27, 2025 20:03

Keikonichi (Collaborator) commented:

The commands could not be carried out all at once:

docker exec aletheia-hydra-1 \
  hydra create client \
  --endpoint http://127.0.0.1:4445 \
  --format json \
  --grant-type client_credentials

I managed to do it this way:
$ hydra create oauth2-client -e http://127.0.0.1:4445
but the JSON form wasn't working.
However, it manages to generate the necessary information.

@thesocialdev thesocialdev changed the title Draft: Implement M2M authentication using ory hydra Implement M2M authentication using ory hydra Feb 12, 2025
@thesocialdev thesocialdev merged commit e6d5662 into stage Feb 12, 2025
6 of 7 checks passed
@thesocialdev thesocialdev deleted the 1801-enhancement-support-m2m-authentication-for-external-integrations branch February 12, 2025 18:10