Support auth using a certificate key pair instead of client secret

Created on 23 January 2023, almost 2 years ago
Updated 25 January 2023, almost 2 years ago

Problem/Motivation

Azure supports using a certificate key pair to authorize token generation for SMTP.

TheNetworg/oauth2-azure also supports this auth flow; however, it is not yet in a tagged release.
I have requested a release here:
https://github.com/TheNetworg/oauth2-azure/discussions/176

Proposed resolution

Make necessary changes to support this authorization flow.

Remaining tasks

How do we generate a new access token from a refresh token using the certificate pair flow?
I can't currently see support for this in PHPMailer/PHPMailer.

User interface changes

Adds two fields to the settings form: ms_public_key_thumbprint and ms_private_key_path.
Both are plain text fields; neither value needs to be secret (the key file the path points to does).
ms_private_key_path is an absolute path PHP can access on the web server.

API changes

If both ms_public_key_thumbprint and ms_private_key_path are specified, pass these to the TheNetworg\OAuth2\Client\Provider\Azure constructor.

These are then used instead of the client secret to generate an access token.

Data model changes

ms_public_key_thumbprint and ms_private_key_path are both stored in module config as plain text fields.

Documentation changes

Proposing usage instructions similar to those provided by TheNetworg/oauth2-azure:
https://github.com/TheNetworg/oauth2-azure#using-a-certificate-key-pair-...

Feature request
Status

Needs work

Version

1.0

Component

Code

Created by


Comments & Activities

  • Issue created by @joshhytr
  • Status changed to Needs work almost 2 years ago
  • I've pushed initial work to the fork's issue branch.

    Still needs thinking and further work to ensure a refresh token can be used to generate a new access token whilst using this authorization flow.

  • 🇦🇺Australia imclean Tasmania

    This looks like it would be a useful feature. How would the certificates be obtained and stored on the file system?

    To make it easier to add features and support for other providers, it might be good to tidy up the module a bit before implementing this.

    There's some discussion on what needs to be done in another issue. #3316295-2: No reply address is registered for the application

  • A cryptography library of choice can be used to generate an RSA private key and, using that key, an x509 certificate key pair can be generated.

    Whilst generating the certificate, the email address relevant to the OAuth should be included somewhere in the identity/subject certificate. When using openssl, I entered the OAuth email in the email address prompt.

    Using openssl:

    openssl genrsa -out private.key 2048
    openssl req -new -x509 -key private.key -out publickey.cer -days 365
    

    The public key should be uploaded to Azure, to the SMTP OAuth app, in place of using the client secret. Azure should then provide a thumbprint of said certificate which should be made note of and added to this module's settings form as the ms_public_key_thumbprint.

    The private key should be stored somewhere secure on the Drupal web server. This should not be accessible from the web and is a secret. The key and certificate should not be committed to source control. The absolute path to this key should be added to this module's settings form as the ms_private_key_path.

    I stored my private key in a dedicated OAuth directory outside of the docroot:
    /app/oauth/cert/private.key
    where
    /app/docroot
    is my Drupal docroot.

    Note: I do not have access to Azure so I cannot give more detailed descriptions/terminology relevant to that part of the setup. Apologies for this.

    Thanks imclean, agreed there's some tidying that could be done. I shall take a look at the suggestions and implement if I get some time.
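The procedure in the comment above, carried through as an added shell example (not code from the issue, the module, or TheNetworg/oauth2-azure): it generates the key pair non-interactively with the OAuth mailbox address in the subject, computes the SHA-1 thumbprint of the DER-encoded certificate (the value Azure displays for an uploaded certificate, uppercase hex with no colons, which is what goes into ms_public_key_thumbprint), cross-checks it against the raw DER hash, confirms the private key actually matches the certificate, and checks that the key file is owner-only and lives outside the docroot. The working directory, the subject string and the mailbox address are constructed values; the /app/oauth/cert and /app/docroot paths are the ones from the comment.

```shell
#!/bin/sh
# Added example; assumes `openssl` is on PATH. Paths and subject values are constructed.
set -eu

# Generate the key pair as in the comment, but with -subj so it runs unattended.
# emailAddress carries the OAuth mailbox (constructed value).
gen_keypair() {
  dir="$1"
  openssl genrsa -out "$dir/private.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$dir/private.key" -out "$dir/publickey.cer" -days 365 \
    -subj "/CN=smtp-oauth-example/emailAddress=mailer@example.com" 2>/dev/null
  # The key is the secret: owner read/write only.
  chmod 600 "$dir/private.key"
}

# Thumbprint as Azure shows it: SHA-1 of the DER certificate, uppercase hex, no colons.
cert_thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed -e 's/^.*=//' -e 's/://g'
}

# Same value computed from first principles (DER bytes -> sha1) to show what the
# "thumbprint" actually is; openssl dgst prints lowercase, so normalise case.
thumbprint_from_der() {
  openssl x509 -in "$1" -outform DER | openssl dgst -sha1 | sed 's/^.*= *//' | tr 'a-f' 'A-F'
}

# The private key must correspond to the uploaded certificate: compare public keys.
# $1 = private key path, $2 = certificate path
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout)
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey)
  [ "$key_pub" = "$cert_pub" ]
}

# Group/other permission bits must all be unset (ls -l columns 5-10 are "------").
key_is_private() {
  perms=$(ls -l "$1" | cut -c5-10)
  [ "$perms" = "------" ]
}

# ms_private_key_path must not sit under the docroot, or the web server could serve it.
# $1 = key path, $2 = docroot
outside_docroot() {
  case "$1" in
    "$2"/*) return 1 ;;
    *) return 0 ;;
  esac
}

# Stand-alone run: use a temporary directory in place of /app/oauth/cert.
WORKDIR="${WORKDIR:-$(mktemp -d)}"
gen_keypair "$WORKDIR"
echo "ms_public_key_thumbprint = $(cert_thumbprint "$WORKDIR/publickey.cer")"
key_matches_cert "$WORKDIR/private.key" "$WORKDIR/publickey.cer" && echo "key matches certificate"
key_is_private "$WORKDIR/private.key" && echo "key is owner-only"
outside_docroot /app/oauth/cert/private.key /app/docroot && echo "/app/oauth/cert is outside /app/docroot"
```

Upload publickey.cer to the app registration and compare the thumbprint Azure shows against the printed one before saving it to the settings form; a mismatch means a different certificate was uploaded. Run key_matches_cert and key_is_private again after deploying the key to the real ms_private_key_path, since file copies and deployment tooling are where permissions and key/cert pairings usually drift.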

  • 🇦🇺Australia imclean Tasmania

    OK that makes sense and could be good to include in this module.

    I've created a new issue for the code clean up.
