Fixes #20778: Add Oauth2/openid connect backend #451
Merged
https://issues.rudder.io/issues/20778

Add the possibility to have an OAuth2/OIDC (OpenID Connect) SSO authentication in Rudder.

Under the hood, it uses the spring-security module for OAuth2 (https://docs.spring.io/spring-security/reference/5.7/reactive/oauth2/index.html).

The main difficulty is that, contrary to the other existing backends, OAuth2 is a change in the list of security filter chains, not a new authentication "data base" for the web authentication filter. So we need to hack the existing chain (configured in main rudder) and hand-build the missing filters for oauth/oidc and put them back at the correct place. This is complicated. It's done in `AuthBackendsConf.scala` in `AuthBackendsSpringConfiguration`. In that class: the `setApplicationContext` method (spring method for "do stuff with spring stuff, even the goriest one that would not be allowed elsewhere") and the `@Bean` below are just the needed plumbing to build by hand what spring would do with the `<oauth>` smart tag, which we can't use, because we can't "inject" an xml config file once the main `<http>` chain is built (we can just add a new `<http>` chain, which is useless).

Even with that, we still need `applicationContext-security-auth-oidc.xml` and `applicationContext-security-auth-oauth2.xml` because it's these files that allow our licence system to know if the corresponding "auth backend" is enabled (so, ~ useless for the logic of authenticating users with oauth, needed for plumbing with the license check).

We also need to extend what a `userDetails` is, because oauth has its own with specific info related to the protocol (some info can be shared between the identity provider and an application like rudder).

`Oauth2Authentication.scala` is just for parsing the complicated configuration needed for oauth and building an easy-to-deal-with data structure. You can see an attempt to explain the needed configuration properties in the `README.adoc`.

Finally, when we have a Single Sign On solution, we likely don't want to show the standard rudder login form, since, well, you're supposed to log on on the identity provider site. But perhaps you still want to show it for emergency (like "no more network with the identity provider"). So there's a new config option with the plugin to either `show`, `hide` (ie hide but available with a toggle button), or `remove` (ie: don't send the HTML at all) the Rudder form.
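The description above says the hard part is hand-building the OAuth2/OIDC filters that Spring's XML tag would normally create, then splicing them into a filter chain that is already built. The following Scala sketch, added here as an illustration and not taken from the Rudder plugin or from `AuthBackendsConf.scala`, shows what that looks like with the public Spring Security 5.7 servlet API: one static OIDC `ClientRegistration`, the two login filters (authorization-request redirect and authorization-code callback) wired to an OIDC and a plain OAuth2 provider, and a function that inserts them just before the existing `UsernamePasswordAuthenticationFilter` of a `DefaultSecurityFilterChain`. The provider URLs, registration id, client id and secret are constructed placeholders; in a real deployment they come from the plugin's parsed configuration.

```scala
// Added example, not the Rudder plugin's own code. Assumes Spring Security 5.7
// (javax.servlet) on the classpath. All URLs and credentials below are
// constructed placeholders.
import javax.servlet.Filter
import scala.jdk.CollectionConverters._

import org.springframework.security.authentication.{AuthenticationProvider, ProviderManager}
import org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationProvider
import org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient
import org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService
import org.springframework.security.oauth2.client.registration.{ClientRegistration, ClientRegistrationRepository, InMemoryClientRegistrationRepository}
import org.springframework.security.oauth2.client.userinfo.DefaultOAuth2UserService
import org.springframework.security.oauth2.client.web.{InMemoryOAuth2AuthorizedClientService, OAuth2AuthorizationRequestRedirectFilter, OAuth2LoginAuthenticationFilter}
import org.springframework.security.oauth2.core.AuthorizationGrantType
import org.springframework.security.web.DefaultSecurityFilterChain
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter

object OAuth2ChainPatch {

  // One OIDC provider, declared statically (placeholder values). In the plugin
  // this is what the parsed configuration would produce per provider.
  def exampleRegistration(): ClientRegistration =
    ClientRegistration.withRegistrationId("example-idp")
      .clientId("rudder-client-id-placeholder")
      .clientSecret("rudder-client-secret-placeholder")
      .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
      // {baseUrl}/{registrationId} are expanded by Spring at redirect time;
      // the resulting URI must be registered verbatim at the identity provider.
      .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
      .scope("openid", "profile", "email")
      .authorizationUri("https://idp.example/oauth2/authorize")
      .tokenUri("https://idp.example/oauth2/token")
      .jwkSetUri("https://idp.example/oauth2/jwks")   // used to verify the id_token signature
      .userInfoUri("https://idp.example/oauth2/userinfo")
      .userNameAttributeName("sub")
      .build()

  // Build by hand the two filters the <oauth2-login> XML tag would create.
  // Order matters: the redirect filter must run before the login filter, and
  // both must sit before form login so the callback is consumed by them.
  def oauth2LoginFilters(repo: ClientRegistrationRepository): List[Filter] = {
    val tokenClient = new DefaultAuthorizationCodeTokenResponseClient()
    // The OIDC provider handles registrations with the "openid" scope (validates
    // the id_token, nonce and issuer); the plain OAuth2 provider handles the rest.
    val providers: List[AuthenticationProvider] = List(
      new OidcAuthorizationCodeAuthenticationProvider(tokenClient, new OidcUserService()),
      new OAuth2LoginAuthenticationProvider(tokenClient, new DefaultOAuth2UserService())
    )
    val redirectFilter = new OAuth2AuthorizationRequestRedirectFilter(repo)
    val loginFilter    = new OAuth2LoginAuthenticationFilter(repo, new InMemoryOAuth2AuthorizedClientService(repo))
    // Both filters default to HttpSessionOAuth2AuthorizationRequestRepository,
    // which is what binds the "state" parameter to the user's session.
    loginFilter.setAuthenticationManager(new ProviderManager(providers.asJava))
    List(redirectFilter, loginFilter)
  }

  // Return a copy of an already built chain with the OAuth2 filters inserted
  // just before UsernamePasswordAuthenticationFilter (or appended if absent).
  def spliceInto(existing: DefaultSecurityFilterChain, added: List[Filter]): DefaultSecurityFilterChain = {
    val filters = existing.getFilters.asScala.toList
    val idx     = filters.indexWhere(_.isInstanceOf[UsernamePasswordAuthenticationFilter])
    val (before, after) = filters.splitAt(if (idx < 0) filters.size else idx)
    new DefaultSecurityFilterChain(existing.getRequestMatcher, (before ++ added ++ after).asJava)
  }

  // Usage: given the chain Spring already built from the main <http> config.
  def patch(existing: DefaultSecurityFilterChain): DefaultSecurityFilterChain = {
    val repo = new InMemoryClientRegistrationRepository(exampleRegistration())
    spliceInto(existing, oauth2LoginFilters(repo))
  }
}
```

The defender-relevant detail is the position and pairing of the two filters: if the login filter ends up after form login, or is built without the redirect filter's session-backed authorization request repository, the `state` and OIDC `nonce` checks that Spring performs on the callback are silently lost. Replacing the bean that holds the original chain with the patched one is the application-context "hack" the description refers to and is left out here because it is specific to the Rudder context.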