Add OAUTH2 OIDC login support #1140
Conversation
src/main/java/stirling/software/SPDF/config/security/SecurityConfiguration.java
Show resolved
Hide resolved
src/main/java/stirling/software/SPDF/model/ApplicationProperties.java
Outdated
Show resolved
Hide resolved
|
Love the changes by the way! greatly appreciated |
src/main/java/stirling/software/SPDF/config/security/SecurityConfiguration.java
Outdated
Show resolved
Hide resolved
and replace with applicationProperties
Add OAUTH2 enabling template.
…into oauth2-login
|
@Frooodle I have made the suggested changes. Please check. |
| public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, | ||
| Authentication authentication) throws ServletException , IOException{ | ||
| OAuth2User oauthUser = (OAuth2User) authentication.getPrincipal(); | ||
| if (userService.processOAuth2PostLogin(oauthUser.getAttribute("email"), applicationProperties.getSecurity().getOAUTH2().getAutoCreateUser())) { |
There was a problem hiding this comment.
Will email always be the username key, are there not usecases were OAuth passes an actually userID?
There was a problem hiding this comment.
Googling it seems that 'sub' might be better since emails can change, Are you able to test with this? (please correct me if i am wrong or downsides)
Actually i changed mind, this seems fine
There was a problem hiding this comment.
Unfortunately, no there is no standard userid claim supported by providers. Some return id claim (which is an integer) , some return sub claim (which is a 128-bit UUID). But everyone always support and return the email claim.
There was a problem hiding this comment.
it seems that 'sub' might be better since emails can change,
Yes, that's true, unfortunately sub the newer version of the unique-id claim. And not all providers support it. Some still use the old id claim
|
LGTM, i adding a quick question about email being the username if you could answer but all seems good |
| public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, | ||
| Authentication authentication) throws ServletException , IOException{ | ||
| OAuth2User oauthUser = (OAuth2User) authentication.getPrincipal(); | ||
| if (userService.processOAuth2PostLogin(oauthUser.getAttribute("email"), applicationProperties.getSecurity().getOAUTH2().getAutoCreateUser())) { |
There was a problem hiding this comment.
Googling it seems that 'sub' might be better since emails can change, Are you able to test with this? (please correct me if i am wrong or downsides)
Actually i changed mind, this seems fine
Description
This PR adds support for Single Sign-On (SSO) using OAUTH2 OpenID Connect (OIDC). This also supports auto-creation of the users if they do not exist in the database. This functionality can also be disabled. An error message will be given in that case.
An example docker-compose file has also been added.
Closes #994
Related Discussions #781, #467
If the OAUTH2 login is enabled a new button shows up on the login page as per the screenshot below:
Checklist:
Contributor License Agreement
By submitting this pull request, I acknowledge and agree that my contributions will be included in Stirling-PDF and that they can be relicensed in the future under the MPL 2.0 (Mozilla Public License Version 2.0) license.
(This does not change the general open-source nature of Stirling-PDF, simply moving from one license to another license)