
feat: adds OIDC support #3266

Closed
wants to merge 11 commits into from

becelot commented Aug 19, 2023

Closes #3001

Description

The PR adds the option to configure your own OIDC client in the self-hosted version. It expands on top of the conditional auth provider implementations added in #3225 and #3204. To enable the OIDC sign in, you need to fill in the OIDC configuration options (client id, secret, and issuer endpoints) in .env and additionally enable the OIDC auth provider in VITE_ALLOWED_AUTH_PROVIDERS.

You can also configure the login button text if you want to, e.g. Login with COMPANY SSO.

Checks

  • My pull request adheres to the code style of this project
  • My code requires changes to the documentation
  • I have updated the documentation as required
  • All the tests have passed

Additional Information

The implementation is tested with Keycloak. I will provide setup documentation for both Hoppscotch and different identity providers in a second PR after this is merged.

liyasthomas added the "need testing" (Needs to be tested before merging onto production) label Aug 26, 2023
liyasthomas added the "future" (Scheduled to near future) label Sep 12, 2023

wirbe1 commented Sep 18, 2023

Hi @becelot! I tried running this branch self-hosted. The OIDC part with Keycloak works perfectly, but I see some trouble with the "Authorization" tab in the request editor: the fields for configuring a token or OAuth 2.0 are just hidden for some reason.
Is it a known issue?

@becelot becelot changed the base branch from release/2023.8.0 to main September 19, 2023 20:16

becelot commented Sep 19, 2023

@wirbe1 The problem should be solved now. I synced my PR with the latest main branch and the problem disappeared, so it was probably already fixed by someone else and was present in the version I forked from.

@raymondgp

I can confirm this works well with RedHat SSO (Keycloak). I hope it eventually gets merged to main; this is a must for on-prem implementations.

@zeddD1abl0

+1 for this please. It would be nice to use OIDC without having to build from source.

@fbuchmeier-abi

Thank you very much for the great work. I just tested your branch (merged into the latest upstream) and it is working fine with Auth0 and the following settings:

hoppscotch

```
VITE_ALLOWED_AUTH_PROVIDERS=OIDC

# Authentication
VITE_OIDC_TEXT="MSI IDP"

# OIDC Auth Config
OIDC_CLIENT_ID=xxx
OIDC_CALLBACK_URL="https://localhost:3170/v1/auth/oidc/callback"
OIDC_SCOPE="openid,profile,email,offline_access"
OIDC_ISSUER=https://yourTenant.eu.auth0.com/
OIDC_AUTH_URL=https://yourTenant.eu.auth0.com/authorize
OIDC_TOKEN_URL=https://yourTenant.eu.auth0.com/oauth/token
OIDC_USERINFO_URL=https://yourTenant.eu.auth0.com/userinfo
OIDC_CLIENT_SECRET=xxxx
```

Auth0

```
Client Type: Native
Allowed Callback URLs: https://localhost:3170/v1/auth/oidc/callback
Allowed Web Origins: https://localhost:3170/v1/auth/oidc/callback
```

I still need to test if all scopes are required (openid and email are at least) and whether the "Allowed Callback URL" or "Allowed Web Origins" must be set in Auth0.

Best regards,
Florian.
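
A configuration check for the settings in the comment above, as an added example that is not part of the original comment or of the PR's code: it compares the `OIDC_*` values with the issuer's discovery metadata (`/.well-known/openid-configuration`) and flags non-HTTPS URLs, a missing `openid` scope, or a provider that is not enabled. The sample values, the `example.com` hosts and the function names are constructed; treating the lists as comma-separated follows the values shown in this thread and is an assumption.

```javascript
// Added example. SAMPLE_ENV and SAMPLE_DISCOVERY are constructed; example.com hosts are placeholders.
const SAMPLE_ENV = `
VITE_ALLOWED_AUTH_PROVIDERS=OIDC
OIDC_CLIENT_ID=xxx
OIDC_CLIENT_SECRET=xxxx
OIDC_CALLBACK_URL="https://hoppscotch.example.com/v1/auth/oidc/callback"
OIDC_SCOPE="openid,profile,email"
OIDC_ISSUER=https://idp.example.com/
OIDC_AUTH_URL=https://idp.example.com/authorize
OIDC_TOKEN_URL=https://idp.example.com/oauth/token
OIDC_USERINFO_URL=https://idp.example.com/userinfo
`;
// Field names follow OpenID Connect Discovery metadata.
const SAMPLE_DISCOVERY = {
  issuer: "https://idp.example.com/",
  authorization_endpoint: "https://idp.example.com/authorize",
  token_endpoint: "https://idp.example.com/oauth/token",
  userinfo_endpoint: "https://idp.example.com/userinfo",
};
// Parse KEY=VALUE lines, skipping comments and stripping one pair of surrounding quotes.
function parseEnv(text) {
  const env = {};
  for (const line of text.split(/\r?\n/)) {
    const m = line.match(/^\s*([A-Z0-9_]+)\s*=\s*(.*?)\s*$/);
    if (m) env[m[1]] = m[2].replace(/^(["'])(.*)\1$/, "$2");
  }
  return env;
}

function checkOidcEnv(env, discovery) {
  const findings = [];
  const pairs = { OIDC_ISSUER: "issuer", OIDC_AUTH_URL: "authorization_endpoint",
    OIDC_TOKEN_URL: "token_endpoint", OIDC_USERINFO_URL: "userinfo_endpoint" };
  for (const [key, field] of Object.entries(pairs)) {
    // Literal comparison: a trailing slash on the issuer counts as a difference.
    if (env[key] !== discovery[field]) findings.push(`${key} differs from discovery ${field}`);
  }
  for (const key of [...Object.keys(pairs), "OIDC_CALLBACK_URL"]) {
    let scheme = "";
    try { scheme = new URL(env[key]).protocol; } catch { /* missing or malformed */ }
    if (scheme !== "https:") findings.push(`${key} is missing or not an https URL`);
  }
  for (const key of ["OIDC_CLIENT_ID", "OIDC_CLIENT_SECRET"]) if (!env[key]) findings.push(`${key} is empty`);
  const scopes = (env.OIDC_SCOPE || "").split(",").map((s) => s.trim());
  if (!scopes.includes("openid")) findings.push("OIDC_SCOPE lacks openid");
  const providers = (env.VITE_ALLOWED_AUTH_PROVIDERS || "").split(",").map((s) => s.trim());
  if (!providers.includes("OIDC")) findings.push("OIDC not in VITE_ALLOWED_AUTH_PROVIDERS");
  return findings;
}
```

In a real deployment the second argument would be the JSON fetched from the identity provider's discovery URL; an empty result means the manually entered endpoints agree with what the issuer publishes.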

@zeddD1abl0

@fbuchmeier-abi I know this is a horrible place for "How do I" type questions, but I've tried building this as separate containers using the prod.Dockerfile, and it can't get through the app build. Did you have to do anything special to get it to work? I'd love to test and start with this while it gets merged into the main.

@fbuchmeier-abi

> @fbuchmeier-abi I know this is a horrible place for "How do I" type questions, but I've tried building this as separate containers using the prod.Dockerfile, and it can't get through the app build. Did you have to do anything special to get it to work? I'd love to test and start with this while it gets merged into the main.

Maybe you could open a separate issue for this? In general I've built only the aio target but I am also trying to build the app right now.

@zeddD1abl0

I was fairly sure it was something on my end. Turns out the system I was building on was too old. Newer system fixed the issue.

@atefhaloui

Working perfectly using a self-hosted gitlab CE instance:

```
OIDC_CALLBACK_URL: "https://hoppscotch.example.com/v1/auth/oidc/callback"
OIDC_SCOPE: "openid,profile,email"
OIDC_ISSUER: "https://gitlab.example.com"
OIDC_AUTH_URL: "https://gitlab.example.com/oauth/authorize"
OIDC_TOKEN_URL: "https://gitlab.example.com/oauth/token"
OIDC_USERINFO_URL: "https://gitlab.example.com/oauth/userinfo"
OIDC_CLIENT_ID: "xxxxxxxxxxxxxxxxx"
OIDC_CLIENT_SECRET: "yyyyyyyyyyyyyyyyyyyy"
```

@raymondgp

@nivedin Hello, would you have any high-level idea when this PR will be approved? It's a significant improvement for on-premises deployments and very good work done by @becelot

@Arkhenys

Hello @nivedin @liyasthomas

Any plan to review/approve this PR?
@becelot did a really good job on it, and the feature is eagerly awaited.
Thanks a lot :)

@liyasthomas liyasthomas self-assigned this Dec 4, 2023
@DerDummePunkt

Hey @liyasthomas, any update on this?

Is there something we can do to pitch in?


Arkhenys commented Feb 5, 2024

Hello @AndrewBastin @liyasthomas @balub @anwarulislam @ankitsridhar16 @nivedin @amk-dev @JoelJacobStephen

Hope you are all doing well.
This feature has been open since last August and was directly acclaimed by a lot of people (just have a look at the reactions on the OP).
And yet, we still have no reaction from the reviewers' side (except a self-assignment two months ago now).

Is it possible for one of you to finally have a look at this feature and tell us whether or not it will be implemented?
We are all waiting for this very good job from @becelot to be implemented.

Thanks a lot, and have a great day!

@rfpludwick

Adding my voice to the folks above - this feature would be really nice to have and would enable my team and I to start using Hoppscotch in earnest.

@enlight3d

Adding my voice too! Currently searching for a good alternative to Postman and discovered this project! I'm really eager to deploy this for my team... We're using AzureAD so this would be perfect for our collaborative needs 😄

@DerDummePunkt

Well, it's been 4 months without a word from any of the maintainers, so it's obvious this doesn't have priority.

Unfortunately, I can't say I'm surprised. Running a project like this is difficult, resources and time are limited, and targeting a hybrid model of offering SaaS as well as self-hosting only compounds the problems, ask gitlab -_-

Still, @liyasthomas or anyone else, some form of communication would be appreciated.
Is there any kind of time frame for this PR or do we have to start looking for alternatives?

@alastair-drong-wd

I'm noting this morning that the $19/user/month Enterprise plan offers SAML login support. If the maintainers merged this PR then they'd find their free tier in nearly direct competition with their enterprise tier.

At this point, I see them as doing us a favor by keeping the PR open because that enables us to easily find this code which we can then use to bake our own Docker images.

@liyasthomas (Member)

Hi everyone,

Firstly, we want to thank @becelot for dedicating time to this PR. We truly appreciate the effort and time you invested in implementing this feature.

However, for the time being, we only intend to introduce the ability to configure a custom OIDC provider as a Hoppscotch Self-Host Enterprise only feature, as this feature better aligns with our vision for our Enterprise roadmap. We understand that this decision might be disappointing for you, but certain difficult decisions like this will help us offer better and continued support for our free cloud and self-host community edition.

We will include the custom OIDC provider with our Hoppscotch Self-Host Enterprise v2024.3.0 release happening this March. Since we won't be leveraging the community PR, we are closing this issue for now.

@liyasthomas liyasthomas closed this Mar 7, 2024
@hoppscotch hoppscotch deleted a comment from alastair-drong-wd Mar 8, 2024
@hoppscotch hoppscotch locked as too heated and limited conversation to collaborators Mar 8, 2024
Development

Successfully merging this pull request may close these issues.

[feature]: Generic OIDC option for self-hosted