-
Notifications
You must be signed in to change notification settings - Fork 156
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support OIDC for the SSO #5008
Support OIDC for the SSO #5008
Conversation
3655160
to
1862336
Compare
126d268
to
0c85d07
Compare
bc6e64a
to
44f2ee7
Compare
1fe9366
to
50640ad
Compare
Thank you for your great contribution! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for your great contributions.
Your code worked well! Pleaes let me share some comments.
pkg/oauth/oidc/oidc.go
Outdated
var avatarUrlClaimKeys = []string{"picture", "avatar_url"} | ||
var roleClaimKeys = []string{"groups", "roles", "cognito:groups", "custom:roles", "custom:groups"} | ||
|
||
// OAuthClient is a oauth client for OIDC. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[nits]
// OAuthClient is a oauth client for OIDC. | |
// OAuthClient is an oauth client for OIDC. |
@@ -348,6 +355,34 @@ func (p *ProjectSSOConfig_GitHub) GenerateAuthCodeURL(project, callbackURL, stat | |||
return authURL, nil | |||
} | |||
|
|||
// GenerateAuthCodeURL generates an auth URL for the specified configuration. | |||
func (p *ProjectSSOConfig_Oidc) GenerateAuthCodeURL(project, state string) (string, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How about adding tests in project_test.go
like this?
(although (p *ProjectSSOConfig_GitHub) GenerateAuthCodeURL
does not have tests...)
func TestGenerateAuthCodeURL(t *testing.T) {
testcases := []struct {
title string
project string
state string
issuer string
scopes []string
expectedURL string
}{
{
title: "scopes are configured",
project: "test-project",
state: "test-state",
issuer: "https://accounts.google.com", // TODO: Is this proper? or use mock??
scopes: []string{"openid", "profile", "email"},
expectedURL: "https://accounts.google.com/o/oauth2/v2/auth?access_type=online&client_id=&prompt=consent&response_type=code&scope=openid+profile+email&state=test-state%3Atest-project",
},
{
title: "empty scopes",
project: "test-project",
state: "test-state",
issuer: "https://accounts.google.com",
scopes: []string{},
expectedURL: "https://accounts.google.com/o/oauth2/v2/auth?access_type=online&client_id=&prompt=consent&response_type=code&scope=openid&state=test-state%3Atest-project",
},
}
for _, tc := range testcases {
t.Run(tc.title, func(t *testing.T) {
p := &ProjectSSOConfig_Oidc{
Issuer: tc.issuer,
Scopes: tc.scopes,
}
url, err := p.GenerateAuthCodeURL(tc.project, tc.state)
assert.NoError(t, err)
assert.Equal(t, tc.expectedURL, url)
})
}
}
pkg/model/project.proto
Outdated
string user_info_endpoint = 7; | ||
// The address of the proxy used while communicating with the OpenID Connect service. | ||
string proxy_url = 8; | ||
// scopes to request from the OpenID Connect service. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[nits]
// scopes to request from the OpenID Connect service. | |
// Scopes to request from the OpenID Connect service. |
@@ -41,6 +41,9 @@ const useStyles = makeStyles((theme) => ({ | |||
githubLoginButton: { | |||
background: "#24292E", | |||
}, | |||
oidcLoginButton: { | |||
background: "#4A90E2", | |||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sharedSSOConfigs: | ||
- name: oidc | ||
provider: OIDC | ||
oidc: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We need to add the configuration reference of oidc
in this file like this:
Note: Before that, please make your branch up-to-date.
## SharedSSOConfig
...
| oidc | [SSOConfigOIDC](#ssoconfigoidc) | OIDC sso configuration. | No |
## SSOConfigOIDC
| Field | Type | Description | Required |
|-|-|-|-|
| ClientId | string | The client id string of OpenID Connect oauth app. | Yes |
| ClientSecret | string | The client secret string of OpenID Connect oauth app. | Yes |
| Issuer | string | The address of OpenID Connect service. | Yes |
| RedirectUri | string | The address of the redirect URI. | Yes |
| AuthorizationEndpoint | string | The address of the authorization endpoint. | Yes |
| TokenEndpoint | string | The address of the token endpoint. | Yes |
| UserInfoEndpoint | string | The address of the user info endpoint. | Yes |
| ProxyUrl | string | The address of the proxy used while communicating with the OpenID Connect service. | Yes |
| Scopes | []string | Scopes to request from the OpenID Connect service. | No |
If the Required
fields above are wrong, please correct them🙏
pkg/oauth/oidc/oidc.go
Outdated
|
||
idTokenRAW, ok := c.Token.Extra("id_token").(string) | ||
if !ok { | ||
return nil, fmt.Errorf("no access_token in oauth2 token") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[nits]
return nil, fmt.Errorf("no access_token in oauth2 token") | |
return nil, fmt.Errorf("no id_token in oauth2 token") |
default: | ||
return nil, fmt.Errorf("not implemented") | ||
} | ||
} | ||
|
||
func parseProjectAndState(r *http.Request) (string, string, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would you add unit tests of parseProjectAndState()
in callback_test.go
? (Sorry, the file is empty now...)
9e30f02
to
4ce7f7b
Compare
Signed-off-by: kumo-rn5s <firosstuart@gmail.com>
07fc480
to
2cce09b
Compare
Signed-off-by: kumo-rn5s <firosstuart@gmail.com>
2cce09b
to
ef53065
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for your great amazing contribution.
I commented some nits, but we'll fix in other PRs.
|
||
| Field | Type | Description | Required | | ||
|-|-|-|-| | ||
| ClientId | string | The client id string of OpenID Connect oauth app. | Yes | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We'll fix in later PRs.
Field names are actually lowerCamelCase.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
solved by #5173
) | ||
|
||
func TestParseProjectAndState(t *testing.T) { | ||
tests := []struct { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We'll add t.Parallel()
in later PRs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
solved by #5173
@@ -853,3 +853,66 @@ func TestProject_DeleteRBACRole(t *testing.T) { | |||
}) | |||
} | |||
} | |||
|
|||
func TestGenerateAuthCodeURL(t *testing.T) { | |||
tests := []struct { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We'll add 't.Parallel()' later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for the great contribution! I left a comment 🙏
Co-authored-by: Yoshiki Fujikane <40124947+ffjlabo@users.noreply.github.com> Signed-off-by: Kumo <35224826+kumo-rn5s@users.noreply.github.com>
@ffjlabo Sorry for the late response. I have signed off that suggestion to commit. |
@kumo-rn5s Sorry, would you resolve the conflict of (The faiied |
Signed-off-by: Kumo <35224826+kumo-rn5s@users.noreply.github.com>
Signed-off-by: kumo-rn5s <firosstuart@gmail.com>
dd05789
to
35ad7e9
Compare
Reopen due to the flaky test... |
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #5008 +/- ##
==========================================
+ Coverage 22.82% 22.96% +0.14%
==========================================
Files 412 413 +1
Lines 43838 44020 +182
==========================================
+ Hits 10005 10111 +106
- Misses 33042 33120 +78
+ Partials 791 789 -2 ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Greatest Amazing Big Impact Contribution, Thank you!!! 🚀
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for the great commit🚀
What this PR does / why we need it:
This PR introduces a new OIDC login method to enhance user authentication options by supporting the basic OIDC Authorization Code Flow. It also includes support for common OIDC providers like Keycloak, Okta, and Cognito.
Which issue(s) this PR fixes:
Fixes #4906
Does this PR introduce a user-facing change?:
TODO: