FEAT: Open ID Connect authentication #4010
Conversation
* add `oidc-config` setting allowing an admin user to configure parameters * modify login page to show another button when oidc is configured * add dependency `openid-client` `v5.4.0` * add backend route to process "OAuth2 Authorization Code" flow initialisation * add backend route to process callback of above flow * sign in the authenticated user with internal jwt token if internal user with email matching the one retrieved from oauth claims exists Note: Only Open ID Connect Discovery is supported which most modern Identity Providers offer. Tested with Authentik 2023.2.2 and Keycloak 18.0.2
…ct-authentication
oechsler
changed the title
|
It's probably worth adding those PRs: Seems like there are multiple PRs implementing the same feature, it's probably the best to wait for @jc21 to decide which one to merge. |
|
@CrazyWolf13 This is a continuation of the abandoned #2630 PR and #3952 was done as part of this PR it looks like. We just need @jc21 to take a look and merge if everything is good |
|
Any update on this? I would love to see it merged |
|
There are conflicts, and CI won't build you a docker image until they're resolved |
Thanks for clarifying, I will resolve them later today. |
|
I'm glad this PR will be finally merged! Thanks a lot for the effort of all the people involved @jc21 @oechsler @Shocktrooper |
|
Yes many thanks for the contribution but don't count your chickens just yet. This is a big PR and it will need thorough testing both with OIDC and without. I'd feel happier if there was some cypress tests for both scenarios as well. Besides Authentik, can we get this tested with other providers too? Also some documentation will need to be added around this |
backend/package.json
Outdated
| @@ -21,6 +21,8 @@ | |||
| "moment": "^2.29.4", | |||
| "mysql2": "^3.11.1", | |||
| "node-rsa": "^1.0.8", | |||
| "nodemon": "^2.0.2", | |||
There was a problem hiding this comment.
nodemon is already in devDependencies - adding it here is unnecessary and will add bloat to the final image
as it is already in devDependencies
@jc21 - Thank you very much for the review and your feedback on this topic! Could you possibly elaborate a bit more on what the tests should specifically cover? I don’t have much experience with the Cypress framework, but I’m more than willing to invest the time needed to bring this PR to completion. As for testing with other OIDC providers, I’d leave that to others in this thread for now, as I currently only have Authentik running. However, with the new Docker test image, it should be straightforward to set up an instance. I’m also happy to take on the documentation. Given that OIDC isn’t always the most straightforward topic, I agree it would be beneficial to provide clear guidance. Should we add a dedicated section to the documentation for this, or integrate it into an existing section? - Nonetheless I would also be happy if somebody else could lend a hand 😉 |
|
Docker Image for build 2 is available on Note: ensure you backup your NPM instance before testing this image! Especially if there are database changes |
Continuation of: #2630
developinto the feature branch, resolving conflictsoidc-configwould have the text of thedefault-siteTested with Authentik 2024.8.2
P.S.: I hope we can get this finally merged! 🤣