feat: add generic OIDC connect #2046
Conversation
muhlba91
requested review from
acasajus,
cquintana92 and
nguyenkims
as code owners
|
Hey, thanks for the contribution. As a general rule we'd like to have tests for new code that's merged into the repo to make sure that:
Would you mind adding tests to it? |
muhlba91
force-pushed
the
feat/generic-oidc
branch
from
283fed9 to
0943311
Compare
|
@acasajus @nguyenkims thank you for your review and comments! 😃 |
|
@nguyenkims @acasajus bumping this one again - would you be able to review again and get it into main? 😃 |
|
So happy to see this merged! I'm going to close my PR for external auth since this should cover it Would this be available in a docker container soon? |
|
Should be already in the v4.41.2 |
|
Hey I just wanted to leave some feedback that over all this works well To make it work with Google I did have to set the environment variable Also a lot of the environment variables can/should probably be read from the .well-known (https://accounts.google.com/.well-known/openid-configuration for example) rather than read manually |
|
@Queuecumber thank you for that feedback and info with the well-known endpoint! do you happen to know if all OIDC provider must implement that well-known endpoint, meaning it's part of the specification? |
|
Here's the spec for it: https://openid.net/specs/openid-connect-discovery-1_0.html It's unclear if this is mandatory for the provider to implement, it is certainly optional for the RP (see Sec. 2). Google, for example, says applications should use the well-known endpoint. The advantage is that if they change one of the underlying URLs it will be reflected in the well-known endpoint without needing to reconfigure the application. The well-known endpoint shouldn't (ideally) change. It's also a lot less typing to set up. The way I usually see this implemented is that the user can either fill out all the fields manually (i.e., what we have now) OR they can give just the well-known URL and have the application discover the endpoints. |
|
thank you! 👍🏻 i like your proposal of deciding it dynamically based on whether the well-known endpoint is given or not. currently, i'm on travel but i'll see how i can integrate that! 😃 |
|
Awesome thanks, I did poke around and I don't think requests_oauthlib has support for it, but that may be intentional since it's just a simple API call and JSON parse to get the info I'm also noticing an error when the callback URL has a query string on it, like |
|
FWIW (which isn't necessarily much), from quickly checking the docs, following Open Source OIDC providers (that I could think of) do expose the |
Looks like it may not, but from a quick search, authlib in their docs for OAuth2 say:
and this example suggests they do support discovery via |
|
#2077 should 1/ fix the redirect URL issue, and 2/ adds support for the OIDC well-known endpoint. as discussed, the endpoint takes precedence over all env variables but is an optional var. |
This PR adds support for a generic OIDC authentication. Users can login and also signup using a custom OIDC server.
Administrators can deploy this by setting
OIDC_CLIENT_ID, and the following environment variables are available to configure the OIDC flow:CONNECT_WITH_OIDC_ICON: the icon to be shown in the UIOIDC_AUTHORIZATION_URL: the OIDC auth endpointOIDC_USER_INFO_URL: the OIDC user info endpoint to retrieve the user's email and name (if signing up)OIDC_TOKEN_URL: the OIDC token endpoint to exchange the code for a valid tokenOIDC_SCOPES: the OIDC scopes to use for performing the requestOIDC_NAME_FIELD: the field containing the user's name (used for sign-up)OIDC_CLIENT_ID: the OIDC client idOIDC_CLIENT_SECRET: the OIDC client secretThis is based in the discussion in #1425 (comment).