Fixes #20778: Add Oauth2/openid connect backend #451
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
fanf
force-pushed
the
bug_20778/add_oauth2_openid_connect_backend
branch
from
8db7bda
to
7f99739
Compare
|
PR updated with a new commit |
|
PR updated with a new commit |
VinceMacBuche
approved these changes
Mar 23, 2022
VinceMacBuche
approved these changes
Apr 8, 2022
|
OK, squash merging this PR |
wip wip: user correctly retrieved milestone1: correct login of an user with openid connect trying to wire at runtime oauth Login working with the plugin mode some more cleaning Fixes #20778: Add Oauth2/openid connect backend
VinceMacBuche
force-pushed
the
bug_20778/add_oauth2_openid_connect_backend
branch
from
a0c0e1e
to
1a2c1c9
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
https://issues.rudder.io/issues/20778
Add the possibility to have an Oauthv2/OIDC (openid connect) SSO authentication in Rudder.
Under the hood, it uses spring-security module for Oauthv2 (https://docs.spring.io/spring-security/reference/5.7/reactive/oauth2/index.html).
The main difficulties is that contrary to other existing backend, Oauthv2 is a change in the list of security filter chain, not a new authentication "data base" for the web authentication filter.
So we need to hack existing chain (configured in main rudder) and hand-build missing filters for oauth/oidc and but them back at the correct place. This is complicated. It's done in
AuthBackendsConf.scalainAuthBackendsSpringConfiguration.In that class:
setApplicationContextmethod (spring method for "do stuff with spring stuff, even the goriest one that would not be allowed elsewhere")@Beanbelow are just the need plumbing to build by hand what spring would do with the<oauth>smart tag, that we can't use, because we can't "inject" xml config file once the main<http>chain is built (we can just add new<http>chain, which is useless)Even with that, we still need
applicationContext-security-auth-oidc.xmlandapplicationContext-security-auth-oauth2.xmlbecause it's these files that allows our licence system to know if the corresponding "auth backend" are enabled (so, ~ useless for the logic of authenticating users with oauth, needed for plumbing with license check).We also need to extends what is a
userDetailsbecause oauth has its own with specific infor related to the protocol (some info can be shared between the identity provider and an application like rudder).Oauth2Authentication.scalais just for parsing the complicated configuration needed for oauth and build an easy to deal with data structure. You can see an attempt to explain needed configuration properties in theREADME.adoc.Finally, when we have an Single Sign On solution, we likely don't want to show to standard rudder login form, since, well, you're supposed to log on the identity provider site. But perhaps you still want to show it for emergency (like "no more network with the identity provider"). So there's a new config option with the plugin to either
show,hide(ie hide but available with a toggle button), orremove(ie: don't sent the HTML at all) Rudder form.