Support OIDC for the SSO #5008
Support OIDC for the SSO #5008
Conversation
kumo-rn5s
requested review from
nghialv,
khanhtc1202,
kentakozuka,
ffjlabo,
t-kikuc and
Warashi
as code owners
kumo-rn5s
force-pushed
the
feature-oidc-support
branch
2 times, most recently
from
3655160
to
1862336
Compare
kumo-rn5s
force-pushed
the
feature-oidc-support
branch
2 times, most recently
from
126d268
to
0c85d07
Compare
kumo-rn5s
force-pushed
the
feature-oidc-support
branch
2 times, most recently
from
bc6e64a
to
44f2ee7
Compare
kumo-rn5s
force-pushed
the
feature-oidc-support
branch
4 times, most recently
from
1fe9366
to
50640ad
Compare
|
Thank you for your great contribution! |
pkg/oauth/oidc/oidc.go
Outdated
| var avatarUrlClaimKeys = []string{"picture", "avatar_url"} | ||
| var roleClaimKeys = []string{"groups", "roles", "cognito:groups", "custom:roles", "custom:groups"} | ||
|
|
||
| // OAuthClient is a oauth client for OIDC. |
There was a problem hiding this comment.
[nits]
| // OAuthClient is a oauth client for OIDC. | |
| // OAuthClient is an oauth client for OIDC. |
| @@ -348,6 +355,34 @@ func (p *ProjectSSOConfig_GitHub) GenerateAuthCodeURL(project, callbackURL, stat | |||
| return authURL, nil | |||
| } | |||
|
|
|||
| // GenerateAuthCodeURL generates an auth URL for the specified configuration. | |||
| func (p *ProjectSSOConfig_Oidc) GenerateAuthCodeURL(project, state string) (string, error) { | |||
There was a problem hiding this comment.
How about adding tests in project_test.go like this?
(although (p *ProjectSSOConfig_GitHub) GenerateAuthCodeURL does not have tests...)
func TestGenerateAuthCodeURL(t *testing.T) {
testcases := []struct {
title string
project string
state string
issuer string
scopes []string
expectedURL string
}{
{
title: "scopes are configured",
project: "test-project",
state: "test-state",
issuer: "https://accounts.google.com", // TODO: Is this proper? or use mock??
scopes: []string{"openid", "profile", "email"},
expectedURL: "https://accounts.google.com/o/oauth2/v2/auth?access_type=online&client_id=&prompt=consent&response_type=code&scope=openid+profile+email&state=test-state%3Atest-project",
},
{
title: "empty scopes",
project: "test-project",
state: "test-state",
issuer: "https://accounts.google.com",
scopes: []string{},
expectedURL: "https://accounts.google.com/o/oauth2/v2/auth?access_type=online&client_id=&prompt=consent&response_type=code&scope=openid&state=test-state%3Atest-project",
},
}
for _, tc := range testcases {
t.Run(tc.title, func(t *testing.T) {
p := &ProjectSSOConfig_Oidc{
Issuer: tc.issuer,
Scopes: tc.scopes,
}
url, err := p.GenerateAuthCodeURL(tc.project, tc.state)
assert.NoError(t, err)
assert.Equal(t, tc.expectedURL, url)
})
}
}
pkg/model/project.proto
Outdated
| string user_info_endpoint = 7; | ||
| // The address of the proxy used while communicating with the OpenID Connect service. | ||
| string proxy_url = 8; | ||
| // scopes to request from the OpenID Connect service. |
There was a problem hiding this comment.
[nits]
| // scopes to request from the OpenID Connect service. | |
| // Scopes to request from the OpenID Connect service. |
| @@ -41,6 +41,9 @@ const useStyles = makeStyles((theme) => ({ | |||
| githubLoginButton: { | |||
| background: "#24292E", | |||
| }, | |||
| oidcLoginButton: { | |||
| background: "#4A90E2", | |||
| }, | |||
There was a problem hiding this comment.
[nits] To make a space between GitHub and OIDC.
| }, | |
| marginTop: theme.spacing(1), | |
| }, |
| sharedSSOConfigs: | ||
| - name: oidc | ||
| provider: OIDC | ||
| oidc: |
There was a problem hiding this comment.
We need to add the configuration reference of oidc in this file like this:
Note: Before that, please make your branch up-to-date.
## SharedSSOConfig
...
| oidc | [SSOConfigOIDC](#ssoconfigoidc) | OIDC sso configuration. | No |## SSOConfigOIDC
| Field | Type | Description | Required |
|-|-|-|-|
| ClientId | string | The client id string of OpenID Connect oauth app. | Yes |
| ClientSecret | string | The client secret string of OpenID Connect oauth app. | Yes |
| Issuer | string | The address of OpenID Connect service. | Yes |
| RedirectUri | string | The address of the redirect URI. | Yes |
| AuthorizationEndpoint | string | The address of the authorization endpoint. | Yes |
| TokenEndpoint | string | The address of the token endpoint. | Yes |
| UserInfoEndpoint | string | The address of the user info endpoint. | Yes |
| ProxyUrl | string | The address of the proxy used while communicating with the OpenID Connect service. | Yes |
| Scopes | []string | Scopes to request from the OpenID Connect service. | No |
If the Required fields above are wrong, please correct them🙏
pkg/oauth/oidc/oidc.go
Outdated
|
|
||
| idTokenRAW, ok := c.Token.Extra("id_token").(string) | ||
| if !ok { | ||
| return nil, fmt.Errorf("no access_token in oauth2 token") |
There was a problem hiding this comment.
[nits]
| return nil, fmt.Errorf("no access_token in oauth2 token") | |
| return nil, fmt.Errorf("no id_token in oauth2 token") |
| default: | ||
| return nil, fmt.Errorf("not implemented") | ||
| } | ||
| } | ||
|
|
||
| func parseProjectAndState(r *http.Request) (string, string, error) { |
There was a problem hiding this comment.
Would you add unit tests of parseProjectAndState() in callback_test.go? (Sorry, the file is empty now...)
|
[TODO] I have 2 nits of UI we'll improve in other PRs. 1. Show username+role on the header.Currently, users can't see which account they logged in. 2. Hide the SSO button(s) in the login form when they are not configured in the project.Currently, both |
kumo-rn5s
force-pushed
the
feature-oidc-support
branch
2 times, most recently
from
9e30f02
to
4ce7f7b
Compare
Signed-off-by: kumo-rn5s <firosstuart@gmail.com>
kumo-rn5s
force-pushed
the
feature-oidc-support
branch
from
07fc480
to
2cce09b
Compare
Signed-off-by: kumo-rn5s <firosstuart@gmail.com>
kumo-rn5s
force-pushed
the
feature-oidc-support
branch
from
2cce09b
to
ef53065
Compare
|
|
||
| | Field | Type | Description | Required | | ||
| |-|-|-|-| | ||
| | ClientId | string | The client id string of OpenID Connect oauth app. | Yes | |
There was a problem hiding this comment.
We'll fix in later PRs.
Field names are actually lowerCamelCase.
| ) | ||
|
|
||
| func TestParseProjectAndState(t *testing.T) { | ||
| tests := []struct { |
There was a problem hiding this comment.
We'll add t.Parallel() in later PRs.
| @@ -853,3 +853,66 @@ func TestProject_DeleteRBACRole(t *testing.T) { | |||
| }) | |||
| } | |||
| } | |||
|
|
|||
| func TestGenerateAuthCodeURL(t *testing.T) { | |||
| tests := []struct { | |||
There was a problem hiding this comment.
We'll add 't.Parallel()' later.
Co-authored-by: Yoshiki Fujikane <40124947+ffjlabo@users.noreply.github.com> Signed-off-by: Kumo <35224826+kumo-rn5s@users.noreply.github.com>
|
@ffjlabo Sorry for the late response. I have signed off that suggestion to commit. |
|
@kumo-rn5s Sorry, would you resolve the conflict of (The faiied |
Signed-off-by: Kumo <35224826+kumo-rn5s@users.noreply.github.com>
Signed-off-by: kumo-rn5s <firosstuart@gmail.com>
kumo-rn5s
force-pushed
the
feature-oidc-support
branch
from
dd05789
to
35ad7e9
Compare
|
Reopen due to the flaky test... |
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #5008 +/- ##
==========================================
+ Coverage 22.82% 22.96% +0.14%
==========================================
Files 412 413 +1
Lines 43838 44020 +182
==========================================
+ Hits 10005 10111 +106
- Misses 33042 33120 +78
+ Partials 791 789 -2 ☔ View full report in Codecov by Sentry. |
What this PR does / why we need it:
This PR introduces a new OIDC login method to enhance user authentication options by supporting the basic OIDC Authorization Code Flow. It also includes support for common OIDC providers like Keycloak, Okta, and Cognito.
Which issue(s) this PR fixes:
Fixes #4906
Does this PR introduce a user-facing change?:
TODO: