Implement OIDC #1701
Implement OIDC #1701
Conversation
|
Thanks @m-baertschi! I'll review this over the weekend. |
|
Thanks for your work! Just want to advise that depending on the IDP you're using the guiding principle there might be that access control should be done on the application level (Keycloak being a prominent example). That being said, I'd rather implement a workaround in those providers than not having OIDC at all |
|
I'm curious what the use case is for this? |
Lets say you setup listmonk for any kind of organization - whether its a company, a non-profit or anything else for that matter - they usually have their identities (user accounts) managed in one central place (usually called an Identify Provider). Could be Azure AD, could be Keycloak, could be any IdP really. Instead of having local user accounts (which need to be properly managed, e.g. deactivated if a user leaves the org) and also for the user to have one account / password only, OIDC allows to delegate authentication (WHO is the user) to the external system. Authorisation (WHAT this user can do, e.g. permission management) can then rely on this identity. |
|
@m-baertschi how does the API work when OIDC is implemented? |
|
OIDC just replaces the BasicAuth middleware if configured. I have not tested the API separately, but i will look into it. It is probably possible to check if the authorization header is present and perform basic auth. |
This is a simple OIDC implementation. It's very basic and just logs the user in. Access control needs to be done on the IDP side.
|
The API now works with the admin credentials, even if oidc is configured. The Application now checks if the basic auth header is present and then validates it. But this also means that if the docker container is configured with environment variables the default admin login still work. To fix this, the config file should not include any credentials at all. |
|
Could you add readme? I'd like to test it |
|
@m-baertschi, apologies for the delay. The implementation looks good!
|
|
|
@kSzajo There are 3 options you need to set. The provider is the URL of your IDP for example: https://id.example.com Environment variable (Docker):
|
|
So have you also implemented multi-user ? In the sense that I log in to listmonk and start writing an email, and then someone else logs in as well, would they see the email I am writing ? or it would be a totally different session? |
|
@titansmc no, that's not possible without listmonk getting a built in user/permission system which it currently doesn't have. |
|
so no multi user, does it mean that everyone with login details will be able to see the email others have wrote ? So if someone writes a campain and saves it, would the rest see it? |
|
I've ended up extending this OIDC implementation towards multi-user support. Will see if we can have list-based ACLs on top of it in the upcoming version. |
|
@knadh are you aware of polar.sh for Open Source funding? I would like to contribute a few dollars for this PR as it will help me with my SSO-everywhere goal. |
|
Thank you for the kind offer @matmair, but I'm not looking for funding. We should have multi-user + SSO support in the next release. |
|
Closing this PR as the work in progress here #543 now supersedes it. Thank you for kick starting this @m-baertschi |
This is a simple OIDC implementation. It's very basic and just logs the user in. Access control needs to be done on the IDP side.