feat: add built-in OIDC authentication support #3607
Open
yaswanthkumar1995 wants to merge 2 commits into hatchet-dev:main from
Conversation
Add native OIDC support for self-hosted instances, enabling direct integration with providers like Keycloak, PocketID, and any OpenID Connect compliant identity provider.

Changes:
- Add OIDC OAuth2 start and callback handlers
- Add OIDC config struct with env var bindings (SERVER_AUTH_OIDC_*)
- Use OIDC discovery to resolve auth/token endpoints at startup
- Cache oidc.Provider for ID token verification (no per-request discovery)
- Add OIDC routes to OpenAPI spec and regenerate server code
- Expose 'oidc' scheme via /api/v1/meta endpoint
- Add SSO button to frontend auth page
- Support domain restrictions for OIDC users
- Default scopes: openid, profile, email

Closes hatchet-dev#3052
@yaswanthkumar1995 is attempting to deploy a commit to the Hatchet Team on Vercel. A member of the Team first needs to authorize it.
Promptless prepared a documentation update related to this change. Triggered by PR #3607. Documents the new OIDC SSO authentication feature for self-hosted instances, adding configuration environment variables (
Review at https://app.gopromptless.ai/suggestions/df488012-3df4-4f69-8942-265949397153
Author
Hi @abelanger5 @mnafees, this implements the OIDC support from #3052; kindly review it.
- Add nil guards for OIDCOAuthConfig/OIDCProvider in both handlers to prevent nil pointer panic when OIDC is disabled
- Move AllowSignup check from start handler to CreateUser path so existing OIDC users can still log in when signup is disabled
- Require email_verified before authorizing or linking by email
- Add UserInfo endpoint fallback when ID token lacks optional claims (email, name, email_verified)
- Validate UserInfo sub claim matches ID token sub per OIDC spec
- Normalize BaseURL with TrimRight to prevent double-slash redirect URIs
- Add 30s timeout context for OIDC discovery at startup
- Enforce 'openid' scope is always present in configured scopes
- Add ScopesString field for reliable env var binding and parse it before building OIDCOAuthConfig so SERVER_AUTH_OIDC_SCOPES works
d2c84ba to 4b81403
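As an added example, not code from this PR or from hatchet, the guard logic the commit above describes written out as stand-alone Go helpers: scope parsing that forces `openid`, base-URL normalization for the redirect URI, the UserInfo `sub` cross-check before claims are merged, and the `email_verified` plus domain gate before a user is linked by email. The names `parseScopes`, `redirectURI`, `mergeUserInfo`, `authorize` and the `claims` struct are assumptions for illustration; the real handlers run these checks only after go-oidc has verified the ID token signature, which this block does not do. The sample claims in `main` are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// parseScopes splits SERVER_AUTH_OIDC_SCOPES (comma- or space-separated) and
// guarantees "openid" is present: without it the provider performs plain OAuth2
// and returns no ID token, so the callback would have nothing to verify.
func parseScopes(raw string) []string {
	out := []string{"openid"}
	seen := map[string]bool{"openid": true}
	for _, s := range strings.FieldsFunc(raw, func(r rune) bool { return r == ',' || r == ' ' }) {
		if !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	return out
}

// redirectURI builds the callback URL from the configured base URL. Trimming the
// trailing slash avoids "https://host//api/...", which an IdP doing exact
// redirect_uri matching would reject.
func redirectURI(baseURL string) string {
	return strings.TrimRight(baseURL, "/") + "/api/v1/users/oidc/callback"
}

// claims is the subset of ID token / UserInfo claims the callback needs.
// EmailVerified is a pointer so an absent claim is distinguishable from false.
type claims struct {
	Sub           string `json:"sub"`
	Email         string `json:"email"`
	Name          string `json:"name"`
	EmailVerified *bool  `json:"email_verified"`
}

// mergeUserInfo fills claims the ID token lacks from the UserInfo response, but
// only after checking that the UserInfo "sub" equals the ID token "sub"; on a
// mismatch the response must not be used for this login (OIDC Core 5.3.2).
func mergeUserInfo(idToken, userInfo claims) (claims, error) {
	if userInfo.Sub != idToken.Sub {
		return claims{}, fmt.Errorf("userinfo sub %q does not match id_token sub %q", userInfo.Sub, idToken.Sub)
	}
	out := idToken
	if out.Email == "" {
		out.Email = userInfo.Email
	}
	if out.Name == "" {
		out.Name = userInfo.Name
	}
	if out.EmailVerified == nil {
		out.EmailVerified = userInfo.EmailVerified
	}
	return out, nil
}

// authorize is the gate before the user is looked up or linked by email: the
// email must exist, be asserted verified by the IdP, and (if restricted) fall in
// an allowed domain. Linking on an unverified email would let anyone who can
// register that address at the IdP take over the existing account.
func authorize(c claims, allowedDomains []string) error {
	if c.Email == "" {
		return errors.New("no email claim in id_token or userinfo")
	}
	if c.EmailVerified == nil || !*c.EmailVerified {
		return errors.New("email_verified is missing or false")
	}
	if len(allowedDomains) == 0 {
		return nil
	}
	at := strings.LastIndex(c.Email, "@")
	if at < 0 {
		return errors.New("malformed email claim")
	}
	domain := strings.ToLower(c.Email[at+1:])
	for _, d := range allowedDomains {
		if domain == strings.ToLower(d) {
			return nil
		}
	}
	return fmt.Errorf("email domain %q is not allowed", domain)
}

func main() {
	verified := true
	idToken := claims{Sub: "f81d4fae"} // constructed: the provider left email out of the ID token
	userInfo := claims{Sub: "f81d4fae", Email: "alice@corp.example", Name: "Alice", EmailVerified: &verified}
	merged, err := mergeUserInfo(idToken, userInfo)
	if err != nil {
		panic(err)
	}
	fmt.Println(parseScopes("profile, email"), redirectURI("https://hatchet.example.com/"))
	fmt.Println(merged.Email, authorize(merged, []string{"corp.example"}))
}
```

The pointer type for `email_verified` matters: decoding into a plain `bool` turns "claim absent" into `false`, and a handler that then treats absence as "not verified" is safe, but one that skips the check when the field is the zero value is not. Keeping the two cases distinct makes the intended policy (absent means deny) explicit.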
Description
Add native OIDC authentication support for self-hosted Hatchet instances, enabling direct SSO integration with any OpenID Connect compliant provider (Keycloak, PocketID, Okta, Azure AD, etc.) without requiring external proxies like oauth2-proxy or Traefik forward auth.
Uses standard OIDC discovery (.well-known/openid-configuration) to auto-resolve authorization and token endpoints at startup, and verifies ID tokens using the provider's JWKS.

Closes #3052
Type of change
What's Changed
- `oidc_oauth_start.go` and `oidc_oauth_callback.go` handlers following the existing Google/GitHub OAuth pattern
- `ConfigFileAuthOIDC` config struct with env var bindings (`SERVER_AUTH_OIDC_ENABLED`, `_CLIENT_ID`, `_CLIENT_SECRET`, `_ISSUER_URL`, `_SCOPES`)
- `oidc.Provider` cached at startup for ID token verification (no per-request OIDC discovery)
- OIDC routes (`/api/v1/users/oidc/start`, `/api/v1/users/oidc/callback`) and regenerated server code
- `oidc` auth scheme via `/api/v1/meta` endpoint
- Default scopes: `openid`, `profile`, `email`
- `github.com/coreos/go-oidc/v3` for discovery and token verification
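As an added example, not code from this PR or from go-oidc, the startup discovery step described above with the one check that makes it safe to trust the fetched endpoints: the document's `issuer` must equal the configured `SERVER_AUTH_OIDC_ISSUER_URL` (go-oidc's `oidc.NewProvider` enforces the same equality). It uses only the standard library and a constructed in-process stand-in for a Keycloak-style provider; `providerMetadata`, `discover` and `newFakeProvider` are names I chose for this illustration.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// providerMetadata holds the discovery-document fields needed to build the
// OAuth2 config and the ID token verifier. Everything else is ignored.
type providerMetadata struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
	JWKSURI               string `json:"jwks_uri"`
}

// discover fetches <issuer>/.well-known/openid-configuration once, at startup, under
// whatever deadline ctx carries. It rejects a document whose "issuer" differs from the
// configured one (OIDC Discovery 4.3); otherwise a misconfigured or hostile host could
// hand back endpoints and a jwks_uri belonging to a different issuer, and ID tokens
// would be verified against the wrong keys.
func discover(ctx context.Context, client *http.Client, issuer string) (*providerMetadata, error) {
	issuer = strings.TrimRight(issuer, "/")
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, issuer+"/.well-known/openid-configuration", nil)
	if err != nil {
		return nil, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return nil, fmt.Errorf("oidc discovery: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("oidc discovery: unexpected status %d", resp.StatusCode)
	}
	var md providerMetadata
	if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&md); err != nil {
		return nil, fmt.Errorf("oidc discovery: malformed document: %w", err)
	}
	if md.Issuer != issuer {
		return nil, fmt.Errorf("oidc discovery: issuer mismatch: configured %q, document says %q", issuer, md.Issuer)
	}
	if md.AuthorizationEndpoint == "" || md.TokenEndpoint == "" || md.JWKSURI == "" {
		return nil, fmt.Errorf("oidc discovery: document lacks authorization_endpoint, token_endpoint or jwks_uri")
	}
	return &md, nil
}

// newFakeProvider is a constructed stand-in for Keycloak: it serves a discovery document
// under the realm path /realms/hatchet but advertises srv.URL+advertisedIssuerPath as
// its issuer, so a caller can provoke the mismatch branch by passing a different path.
func newFakeProvider(advertisedIssuerPath string) *httptest.Server {
	var srv *httptest.Server
	mux := http.NewServeMux()
	mux.HandleFunc("/realms/hatchet/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
		iss := srv.URL + advertisedIssuerPath
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(providerMetadata{
			Issuer:                iss,
			AuthorizationEndpoint: iss + "/protocol/openid-connect/auth",
			TokenEndpoint:         iss + "/protocol/openid-connect/token",
			JWKSURI:               iss + "/protocol/openid-connect/certs",
		})
	})
	srv = httptest.NewServer(mux)
	return srv
}

func main() {
	srv := newFakeProvider("/realms/hatchet")
	defer srv.Close()
	// Bound the startup call: an unreachable IdP should fail the boot, not hang it.
	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
	defer cancel()
	md, err := discover(ctx, srv.Client(), srv.URL+"/realms/hatchet/") // trailing slash is tolerated
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(md.AuthorizationEndpoint, md.TokenEndpoint, md.JWKSURI)
}
```

Doing this once at startup and keeping the result (the PR caches the `oidc.Provider`) also means a later compromise or outage of the discovery endpoint cannot silently redirect token verification mid-flight; the process has to be restarted to pick up new metadata.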