Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature Request: enable provisioning a OIDC auth provider via MPCONFIG #9268

Closed
poikilotherm opened this issue Jan 9, 2023 · 0 comments · Fixed by #9273
Closed

Feature Request: enable provisioning a OIDC auth provider via MPCONFIG #9268

poikilotherm opened this issue Jan 9, 2023 · 0 comments · Fixed by #9273
Assignees
@poikilotherm
Labels
Component: Containers Anything related to cloudy Dataverse, shipped in containers. Feature: Account & User Info Feature: Installation Guide Feature: Permissions User Role: Sysadmin Installs, upgrades, and configures the system, connects via ssh
Milestone
6.1

Comments

@poikilotherm
Copy link
Contributor

Overview of the Feature Request

With an Open ID Connect Provider becoming an integral part of future Dataverse installations, it should be possible to deploy its configuration not just via API but also from a mixture of MPCONFIG sources.

An example how this looks like in other applications might be found in the Quarkus OIDC support: https://quarkus.io/guides/security-openid-connect#configuring-the-application

We should provide something similar, also to enable the new planned security filter to have access to this configuration without needing access to a database.

What kind of user is the feature intended for?
Sysadmin, Developers

What inspired the request?
The recent authn/authz efforts around the SPA.

What existing behavior do you want changed?
Currently you need to deploy an OIDC auth provider with a JSON file sent to an API endpoint, see https://guides.dataverse.org/en/latest/installation/oidc.html

This is cumbersome for testing with containers and containerized production environments.

Any brand new behavior do you want to add to Dataverse?
Nope. This is simply adding an additional config way for an auth provider.

Any related open or closed issues to this feature request?
#9227 / #9234 & #9229 / #9230
@poikilotherm poikilotherm self-assigned this Jan 9, 2023
@poikilotherm poikilotherm added Component: Containers Anything related to cloudy Dataverse, shipped in containers. Feature: Permissions Feature: Account & User Info Feature: Installation Guide User Role: Sysadmin Installs, upgrades, and configures the system, connects via ssh labels Jan 9, 2023
poikilotherm added a commit to poikilotherm/dataverse that referenced this issue Jan 10, 2023
@poikilotherm
chore(deps): upgrade Nimbus OIDC SDK to latest 10.4 release IQSS#9268
d870e20
poikilotherm added a commit to poikilotherm/dataverse that referenced this issue Jan 10, 2023
@poikilotherm
feat(settings): add authentication settings for OIDC to JvmSettings I…
ebd8eed 
…QSS#9268
poikilotherm added a commit to poikilotherm/dataverse that referenced this issue Jan 10, 2023
@poikilotherm
feat(auth): add OIDC provider provisioning via MPCONFIG IQSS#9268
1bff1be 
Only one provider can be configured via MPCONFIG for now.
The provider is configured with an appropriate ID to distinguish
it from other providers configured via the API.
It can be configured in addition to other OIDC providers when desired.
poikilotherm added a commit to poikilotherm/dataverse that referenced this issue Jan 10, 2023
@poikilotherm
style(auth): slight reformat of OIDC provider factory IQSS#9268
fb11096
poikilotherm added a commit to poikilotherm/dataverse that referenced this issue Jan 10, 2023
@poikilotherm
test(auth): add integration test for OIDC provisioning via MPCONFIG I…
1fb0f58 
…QSS#9268

Using Testcontainers to start a Keycloak instance with our default development realm,
the provider is created using MPCONFIG settings.
poikilotherm added a commit to poikilotherm/dataverse that referenced this issue Jan 10, 2023
@poikilotherm
build(auth): make resources in /conf avail to tests IQSS#9268
e31dba3 
To use data in /conf for tests, adding the folder in Maven to copy them to the test classpath as resources helps to use them in tests very easily.
All dirs under /conf will be copied to the /target/test-classes directory recursively. This also works when running tests in IDEs like IntelliJ.
poikilotherm added a commit to poikilotherm/dataverse that referenced this issue Jan 10, 2023
@poikilotherm
doc(auth): describe provisioning of OIDC provider via MPCONFIG IQSS#9268
f9861dc
@poikilotherm poikilotherm mentioned this issue Jan 10, 2023
Merged
poikilotherm added a commit to poikilotherm/dataverse that referenced this issue Jan 10, 2023
@poikilotherm
build(tests): fix copying all test resources as default missing IQSS#…
c35133a 
…9268
@poikilotherm poikilotherm mentioned this issue Jan 18, 2023
Closed
@pdurbin pdurbin moved this to Re-arch: Auth MVP (Phil) in IQSS Dataverse Project Aug 15, 2023
poikilotherm added a commit to poikilotherm/dataverse that referenced this issue Oct 2, 2023
@poikilotherm @pdurbin
style(oidc): apply language fixes by @pdurbin from review IQSS#9268
d1d5eed 
Co-authored-by: Philip Durbin <philipdurbin@gmail.com>
poikilotherm added a commit to poikilotherm/dataverse that referenced this issue Oct 2, 2023
@poikilotherm
build(oidc): upgrade to Keycloak 22 in OIDC integration test IQSS#9268
42d1812
poikilotherm added a commit to poikilotherm/dataverse that referenced this issue Oct 2, 2023
@poikilotherm
doc(oidc): move example JSON to downloadable file IQSS#9268
bb0ba9a
poikilotherm added a commit to poikilotherm/dataverse that referenced this issue Oct 2, 2023
@poikilotherm
doc(oidc): extend a little on when to use which provisioning way IQSS…
ce01176 
…#9268

Following a suggestion by @pdurbin here from code review.
poikilotherm added a commit to poikilotherm/dataverse that referenced this issue Oct 3, 2023
@poikilotherm
style(oidc): apply title case to docs as requested by @pdurbin IQSS#9268
274f0e9
poikilotherm added a commit to poikilotherm/dataverse that referenced this issue Oct 3, 2023
@poikilotherm @pdurbin
doc(oidc): specify explanation of PKCE method parameter IQSS#9268
cee91f3 
Co-authored-by: Philip Durbin <philipdurbin@gmail.com>
@poikilotherm poikilotherm mentioned this issue Oct 3, 2023
Open
pdurbin added a commit to poikilotherm/dataverse that referenced this issue Oct 3, 2023
@pdurbin
document new location for jacoco unit test file IQSS#9268
e9833e8
@pdurbin pdurbin added this to the 6.1 milestone Oct 5, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@poikilotherm poikilotherm

Labels
Component: Containers Anything related to cloudy Dataverse, shipped in containers. Feature: Account & User Info Feature: Installation Guide Feature: Permissions User Role: Sysadmin Installs, upgrades, and configures the system, connects via ssh
Projects
None yet
Milestone
6.1
Development

Successfully merging a pull request may close this issue.

OIDC auth: MPCONFIG provisioning, PKCE support and integration tests poikilotherm/dataverse
2 participants
@pdurbin @poikilotherm