feat(auth): add support for oauth2 with openid connect discovery #4618
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
axiomofjoy
force-pushed
the
xander/oauth
branch
2 times, most recently
from
98b3b7e
to
5edbf5e
Compare
axiomofjoy
changed the title
axiomofjoy
force-pushed
the
xander/oauth
branch
from
4d063e6
to
b8729b5
Compare
dosubot
bot
added
the
size:XL
axiomofjoy
force-pushed
the
xander/oauth
branch
from
c143665
to
3783a4a
Compare
dosubot
bot
added
size:XXL
RogerHYang
reviewed
Sep 19, 2024
RogerHYang
approved these changes
Sep 19, 2024
axiomofjoy
force-pushed
the
xander/oauth
branch
from
d825938
to
69a5a91
Compare
RogerHYang
pushed a commit
that referenced
this pull request
Sep 21, 2024
Co-authored-by: Mikyo King <mikyo@arize.com> Co-authored-by: Dustin Ngo <dustin@arize.com>
This was referenced Sep 25, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds initial support for OAuth2 identity providers that support the OpenID Connect Discovery standard. From the standard:
OpenID Providers supporting Discovery MUST make a JSON document available at the path formed by concatenating the string /.well-known/openid-configuration to the Issuer. The syntax and semantics of .well-known are defined in [RFC 5785](https://openid.net/specs/openid-connect-discovery-1_0.html#RFC5785) [RFC5785] and apply to the Issuer value when it contains no path component. openid-configuration MUST point to a JSON document compliant with this specification and MUST be returned using the application/json content type. The openid-configuration endpoint SHOULD support the use of [Cross-Origin Resource Sharing (CORS)](https://openid.net/specs/openid-connect-discovery-1_0.html#CORS) [CORS] and/or other methods as appropriate to enable JavaScript Clients and other Browser-Based Clients to access it.This means that we can use environment variables to point Phoenix to the configuration at
/.well-known/openid-configurationin order to know authorization server metadata such as the authorize and access token urls.The environment variables currently required are:
PHOENIX_OAUTH2_<idp>_CLIENT_IDPHOENIX_OAUTH2_<idp>_CLIENT_SECRETPHOENIX_OAUTH2_<idp>_SERVER_METADATA_URLFor the following IDPs, we provide logos on the login page:
GOOGLEMICROSOFT_ENTRA_ID(previously known as Azure Active Directory)AWS_COGNITOAs a follow-up, we can add IDP-specific environment variables to help construct the server metadata url (e.g., using a tenant ID for Microsoft Entra ID).
resolves #4649
resolves #4653
resolves #4657
resolves #4654