Description
Today, the browser extension uses Google authentication / IdP for two purposes:
- authorizing use of Google APIs (gmail permissions) and then authenticating on those APIs
- authenticating oneself when communicating with backend / Enterprise Server
For the second use case, it would be safer to use some other IdP if the customer has that option. That way, Google cannot forge authentication tokens and steal the keys from EKM. Today, to prevent the potential key theft from EKM by Google, customers have to either run EKM behind a firewall on an internal network, or not run it at all.
Allowing a custom IdP for authentication, especially with EKM, would allow us to run EKM for our customers, meaning easier deployment.
This will mean that on deployments where a custom IdP is configured, the user will have to authenticate twice during setup: once with Google for the Gmail API and permissions, and once again with the custom IdP (there will be two authentication popups in sequence).
The steps would be:
- add `OAuth` class #5316
- add custom authentication config to local store #5317
- add skeleton of `ConfiguredIdpOAuth` class #5318
- rename `GoogleAuth` to `GoogleOAuth` #5319
- `ConfiguredIdpOAuth` should produce an OAuth window + save JWT to storage #5444
- if special JWT is stored in local store, it should be used for Enterprise Server authentication instead of Google JWT #5799
- we should differentiate `GoogleAuthErr` and `EnterpriseServerAuthErr`. When custom IdP is used and it is `EnterpriseServerAuthErr`, we should be showing `ConfiguredIdpOAuth` popup instead of `GoogleOAuth` popup #5801
- Test adding/removing custom IdP configuration #5929
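The two decisions described in #5799 and #5801 (which stored JWT to present to the Enterprise Server, and which OAuth popup to reopen after an authentication error) are sketched below as an added example. This is not code from the extension; the `AuthStore` shape, the `isUsable` expiry check, the tagged `AuthErr` values and the `makeUnsignedTestJwt` fixture builder are all assumptions made here for illustration. The one design point worth noting is that when a custom IdP is configured but its JWT is missing or expired, the selector returns nothing rather than falling back to the Google JWT, since silently falling back would reopen exactly the token-forgery path the custom IdP is meant to close.

```typescript
// Added example (not FlowCrypt code): credential selection for the Enterprise
// Server and popup selection on auth errors, as described in #5799 / #5801.

// Assumed local-store shape: the custom IdP config (#5317) plus the two JWTs.
type AuthStore = {
  customIdpConfigured: boolean;
  googleJwt?: string;
  configuredIdpJwt?: string;
};

type TokenChoice = { source: 'configured-idp' | 'google'; jwt: string };

// The issue names two error classes; modelled here as tagged values.
type AuthErr =
  | { kind: 'GoogleAuthErr'; message: string }
  | { kind: 'EnterpriseServerAuthErr'; message: string };

type Popup = 'GoogleOAuth' | 'ConfiguredIdpOAuth';

const B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// Minimal base64url codec over ASCII strings (JWT headers/payloads are ASCII JSON).
function base64UrlEncode(ascii: string): string {
  let out = '';
  for (let i = 0; i < ascii.length; i += 3) {
    const b0 = ascii.charCodeAt(i) & 0xff;
    const b1 = i + 1 < ascii.length ? ascii.charCodeAt(i + 1) & 0xff : -1;
    const b2 = i + 2 < ascii.length ? ascii.charCodeAt(i + 2) & 0xff : -1;
    out += B64[b0 >> 2];
    out += B64[((b0 & 3) << 4) | (b1 < 0 ? 0 : b1 >> 4)];
    if (b1 >= 0) out += B64[((b1 & 15) << 2) | (b2 < 0 ? 0 : b2 >> 6)];
    if (b2 >= 0) out += B64[b2 & 63];
  }
  return out;
}

function base64UrlDecode(s: string): string {
  let out = '';
  let buffer = 0;
  let bits = 0;
  for (const ch of s) {
    const v = B64.indexOf(ch);
    if (v < 0) throw new Error('invalid base64url character');
    buffer = ((buffer << 6) | v) & 0xffffff;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out += String.fromCharCode((buffer >> bits) & 0xff);
    }
  }
  return out;
}

// Reads the `exp` claim (seconds since epoch) from a compact JWT, or undefined
// if the token is malformed. Signature verification is the server's job; the
// client only uses `exp` to avoid sending a token it already knows is stale.
function jwtExpiresAt(jwt: string): number | undefined {
  const parts = jwt.split('.');
  if (parts.length !== 3) return undefined;
  try {
    const payload = JSON.parse(base64UrlDecode(parts[1])) as { exp?: unknown };
    return typeof payload.exp === 'number' ? payload.exp : undefined;
  } catch {
    return undefined;
  }
}

function isUsable(jwt: string | undefined, nowSec: number): jwt is string {
  if (!jwt) return false;
  const exp = jwtExpiresAt(jwt);
  return exp !== undefined && exp > nowSec;
}

// #5799: when a custom IdP is configured, only its JWT may authenticate to the
// Enterprise Server. A missing or expired custom JWT yields `undefined` so the
// caller reopens the ConfiguredIdpOAuth popup instead of falling back to Google.
function pickEnterpriseServerToken(store: AuthStore, nowSec: number): TokenChoice | undefined {
  if (store.customIdpConfigured) {
    return isUsable(store.configuredIdpJwt, nowSec)
      ? { source: 'configured-idp', jwt: store.configuredIdpJwt }
      : undefined;
  }
  return isUsable(store.googleJwt, nowSec) ? { source: 'google', jwt: store.googleJwt } : undefined;
}

// #5801: an Enterprise Server auth error on a custom-IdP deployment reopens the
// custom IdP popup; every other case (Google API errors, no custom IdP) reopens Google.
function popupForAuthErr(err: AuthErr, customIdpConfigured: boolean): Popup {
  return err.kind === 'EnterpriseServerAuthErr' && customIdpConfigured ? 'ConfiguredIdpOAuth' : 'GoogleOAuth';
}

// Constructed test fixture: an unsigned (alg "none") JWT used only to exercise
// the selection logic above. A real client never accepts such tokens.
function makeUnsignedTestJwt(payload: Record<string, unknown>): string {
  const header = base64UrlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.`;
}
```

The `exp` check is deliberately the only claim the client inspects; anything stronger (issuer, audience, signature) belongs on the Enterprise Server, which is the party that must not trust a Google-issued token once a custom IdP is configured.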