OIDC Improvement: Auto redirecting #47
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit introduces OpenID Connect (OIDC) authentication support. Backend changes include new OIDC settings, migration, validation, and endpoints for OIDC login and callback, as well as utility functions for OIDC flows. The frontend adds OIDC login UI, settings management, and connection testing. Both backend and frontend enums, schemas, and services are updated to support OIDC configuration and integration.
Bug in the settings API where it assumes CRONTAB_EXPR is always included when saving settings. When saving only OIDC settings, this fails.
Error checking if OIDC was enabled, stopped the auth method from showing.
- fix an issue in the token exchange where I'm using the session outside its context - fix cookie domain logging and session context in the token exchange - added debug logging
Changed OIDC state cookie 'samesite' from 'strict' to 'lax' and 'secure' to False to facilitate HTTP testing and cross-origin redirects. Added debug print statements to log state and cookies during OIDC callback for easier troubleshooting.
Some notes to assist the user in setting up their OIDC config
Fix the CSS
Clarifies the OIDC provider setup instructions
Fix css as it didn't appear very well.
This commit introduces OpenID Connect (OIDC) authentication support. Backend changes include new OIDC settings, migration, validation, and endpoints for OIDC login and callback, as well as utility functions for OIDC flows. The frontend adds OIDC login UI, settings management, and connection testing. Both backend and frontend enums, schemas, and services are updated to support OIDC configuration and integration.
Bug in the settings API where it assumes CRONTAB_EXPR is always included when saving settings. When saving only OIDC settings, this fails.
Error checking if OIDC was enabled, stopped the auth method from showing.
- fix an issue in the token exchange where I'm using the session outside its context - fix cookie domain logging and session context in the token exchange - added debug logging
Changed OIDC state cookie 'samesite' from 'strict' to 'lax' and 'secure' to False to facilitate HTTP testing and cross-origin redirects. Added debug print statements to log state and cookies during OIDC callback for easier troubleshooting.
Some notes to assist the user in setting up their OIDC config
Fix the CSS
Clarifies the OIDC provider setup instructions
Fix css as it didn't appear very well.
+ removed migrations + remoted translations + removed fake observable result of initiateOidcLogin + removed values of oidc vars in .env.example, edited comments + fixed typing errors in auth_api + fixed errors in auth_core (settings now in config)
+ added auth providers classes + removed /backend/app folder + removed /backend/core/auth_core.py
+ added more universal endpoints + added exception for no auth provider enabled
+ removed docker-compose (was removed in main) + removed env from docker-compose.dev.yml (for dev purposes it is handy to use .env in workspace) + removed oidc settings from frontend enum + removed unused validators and schemas + removed DOCKER_TIMEOUT (was removed in main)
New API method to check if OIDC auto-redirect is enabled and updates the AuthPage to automatically redirect to OIDC
Quenary
requested changes
Nov 17, 2025
Owner
Quenary
left a comment
Quenary
left a comment
There was a problem hiding this comment.
Hello. Thanks for the PR. I looked at it and put forward my proposals.
Comment on lines
+73
to
+85
| public readonly isOidcAutoRedirectEnabled = resource({ | ||
| defaultValue: false, | ||
| loader: () => | ||
| firstValueFrom( | ||
| this.authApiService.isOidcAutoRedirectEnabled().pipe( | ||
| retry(1), | ||
| catchError((error) => { | ||
| this.toastService.error(error); | ||
| return throwError(() => error); | ||
| }), | ||
| ), | ||
| ), | ||
| }); |
Owner
There was a problem hiding this comment.
Using the resource pattern isn't justified sirce this value is not used in the template.
It is worth simply subscribe to authApiService method in the constructor.
Comment on lines
+94
to
+103
| @router.get( | ||
| path="/oidc_auto_redirect", | ||
| description="Check if OIDC auto redirect is enabled", | ||
| response_model=bool, | ||
| ) | ||
| async def oidc_auto_redirect() -> bool: | ||
| from backend.config import Config | ||
| return Config.OIDC_AUTO_REDIRECT | ||
|
|
||
|
|
Owner
There was a problem hiding this comment.
I don't think this is the right approach to implement it as separate exclusive method for the OIDC in auth_api.
I think should be in AuthProvider and child classes - something like existing /{provider}/login and /{provider}/callback
For password provider it is always false obviously, but other providers may be added in the future.
Comment on lines
+61
to
+67
| /** | ||
| * Check if OIDC auto redirect is enabled | ||
| * @returns | ||
| */ | ||
| isOidcAutoRedirectEnabled(): Observable<boolean> { | ||
| return this.httpClient.get<boolean>(`${this.basePath}/oidc_auto_redirect`); | ||
| } |
Owner
There was a problem hiding this comment.
Same here, it's need to be universal request for provider
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
To aid in streamlining OIDC authentication process, this proposed PR adds
OIDC_AUTO_REDIRECTto the env file. While the default isfalse, changing this totruewill enable a new endpoint automatically redirecting the user to the OIDC provider.This is a relatively small PR with only 5 file changes. Please review and let me know if you have any concerns or questions. For any other features, I will make sure I create an issue to discuss them first - I felt an issue to discuss this feature was not necessary, now that the OIDC support is in place.