Why doesn't sentry support OIDC or OAuth 2.0?

[jiankunking]

Summary

Why doesn't sentry support OIDC or OAuth 2.0?

Motivation

We have deployed sentry ourselves and currently want to do single sign-on with sentry, but found that sentry does not support standard OAuth2.0 and OIDC. I am not sure why sentry does not support it?

Most system single sign-on requirements are for single sign-on with internal accounts, not single sign-on with github or Google accounts.

[mekza]

It does support OIDC using a 3rd party plugin: https://github.com/siemens/sentry-auth-oidc

[jiankunking]

It does support OIDC using a 3rd party plugin: https://github.com/siemens/sentry-auth-oidc

We would rather have the official support so that the page can be configured

[max-wittig]

We discussed this a bit here: #5650 (comment). I still think that it's a mistake to not offically support this, that's why we created the plugin.

[github-actions]

This issue has gone three weeks without activity. In another week, I will close it.

But! If you comment or otherwise update it, I will reset the clock, and if you label it Status: Accepted, I will leave it alone ... forever!

---

"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀

[jiankunking]

This issue has gone three weeks without activity. In another week, I will close it.

But! If you comment or otherwise update it, I will reset the clock, and if you label it Status: Accepted, I will leave it alone ... forever!

"A weed is but an unloved flower." ― Ella Wheeler Wilcox

i love this words "A weed is but an unloved flower."

[reuwi]

I have same confusion about this, there is no reason why it is still not supported offically yet

[Bessonov]

Just in case someone is interested, sentry supports azure active directory. Works even with self-hosting instances.

[getsantry]

Routing to @getsentry/product-owners-sign-in for triage ⏲️

[chadwhitacre]

Seeing an oauth2.py file, which makes me think maybe we support it, but it dates from 2016, which makes me think I don't understand what it does.

sentry/src/sentry/identity/oauth2.py

Lines 25 to 32 in 13963c6

	class OAuth2Provider(Provider):
	"""
	The OAuth2Provider is a generic way to implement an identity provider that
	uses the OAuth 2.0 protocol as a means for authenticating a user.
	OAuth scopes are configured through the oauth_scopes class property,
	however may be overridden using the ``config['oauth_scopes']`` object.
	"""

[chadwhitacre]

Do we support OAuth 2.0 (or OIDC for that matter)?

[Dhrumil-Sentry]

@nhsiehgit @leedongwei can you please chime in

[bufferoverflow]

We would love to get rid of our fork https://github.com/siemens/sentry-auth-oidc#why-fork-instead-of-adapting-sentry-auth-google-to-work-with-every-openid-connect-provider and contribute back as we tried here getsentry/sentry-auth-google#29

[nhsiehgit]

Hey @chadwhitacre @Dhrumil-Sentry all

We definitely already support OAuth2 and i'm fairly certain we utilize oidc as a client 🤔
It looks like currently we're only connected with 2 oauth providers for SSO though (3 now with Fly)... and the whole sso pipeline is a complete mess to parse through.

Can i ask for more clarification on what we're asking for in this issue?

[Daniel15]

Can i ask for more clarification on what we're asking for in this issue?

@nhsiehgit - The ability to use any OIDC provider, not just the hard-coded providers. For example, I'd like to use my self-hosted Authentik server. This is available via https://github.com/siemens/sentry-auth-oidc, but given the growing popularity of OIDC (and SSO in general), it should really be a core feature.