New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[WIP] SSO proof of concept #12404
base: 2.10
Are you sure you want to change the base?
[WIP] SSO proof of concept #12404
Conversation
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk> Gbp-Pq: Topic collabora/sso Gbp-Pq: Name Parse-SSO-authentication-config-on-startup.patch
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk> Gbp-Pq: Topic collabora/sso Gbp-Pq: Name Add-an-SSO-login-page-so-that-users-can-choose-between-pr.patch
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk> Gbp-Pq: Topic collabora/sso Gbp-Pq: Name Rename-create_ldap_user-to-create_external_user.patch
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk> Gbp-Pq: Topic collabora/sso Gbp-Pq: Name user-model-add-find_with_omniauth-create_with_omniauth.patch
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk> Gbp-Pq: Topic collabora/sso Gbp-Pq: Name Add-SSO-callback-to-allow-existing-users-log-in-with-an-e.patch
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk> Gbp-Pq: Topic collabora/sso Gbp-Pq: Name Implement-login-flow.patch
Some providers set username or nickname to an email address. For this reason, first collect the best possible user name we can find, and only then fix it to match our requirements. Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk> Gbp-Pq: Topic collabora/sso Gbp-Pq: Name Try-harder-to-derive-the-username-from-email-addresses.patch
…ater Add a new "hash type" for invalid passwords, which is never equal to normal passwords, but nevertheless can be changed without being known by the user. This "invalid" password can only be set by directly setting the password hash type. When updating the password using update_password method, it will always be upgrade it to the strongest hash type, sha256crypt. To allow changing this "invalid" password to a normal one, stop requiring a non-empty current password in the password change dialog when changing a password from an "invalid" one. Don’t show the current password box either, as it is not used anyway in this case, making it better not to show it to avoid confusion. Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk> Gbp-Pq: Topic collabora/sso Gbp-Pq: Name Mark-passwords-for-SSO-only-users-as-invalid-to-allow-cha.patch
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
The auth hash can be quite large, and with session storage in cookies, the cookie can easily reach the 4 KB limit. Work around this issue by only storing the part of the hash we currently use. Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
@andrewshadura Can you please remove the |
Sure, I was going to remove them in the next iteration of the pull request. |
.card | ||
.card-body#loginform | ||
.col-lg-6.pl-0 | ||
- if can_register |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
While deploying this today on a new instance, we found out we actually want to disallow new registrations while allow new users log in with SSO.
The code doesn’t currently distinguish between these two different sign-ups (non-verified self-registration and a new user being created after confirmed by the SSO), so we ended up removing this condition here so that SSO can still allow new users in deny
mode.
Ultimately it needs to be a separate setting.
Which users can change in most idps, that's probably not the best idea. Maybe it would be possible to start off with introducing some way to support identities first before getting sso into the codebase? Alternatively allow admins to choose which field is static and base the match on that? SUSE Community Accounts have static usernames for example, so it would be best if that was the way the users were matched with accounts. |
Identities would be great. I didn't explore that option as it would be too big a change, and I wanted to minimise DB schema changes just in case we have to maintain the patchset for a long time.
We are actually moving away from emails as the only id since our customer wants usernames to be a key id (UPN more precisely), so I think we'll have to make it configurable.
|
gem 'omniauth' | ||
gem 'omniauth-gitlab' | ||
gem 'omniauth-github' | ||
gem 'omniauth_openid_connect', git: 'https://github.com/m0n9oose/omniauth_openid_connect', ref: '88ae46e968dec5e66d4f92773b52babbe72d41fe' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is the reason for pinning this gem to a commit? Is it a lack of a recent release?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, at the time when this was written, there was no compatible release.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I did some work with omniauth_openid_connect as a part of paste-o-o, and there is a compatible version now, so we should be good to use the latest version
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes — after I kicked a bunch of people who did omniauth development, they’ve all got together, moved omniauth_openid_connect under the OmniAuth umbrella and made a new release 🙂
@@ -0,0 +1,8 @@ | |||
fdo-gitlab: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should have example config for all the gems we have added here, as of now we have config just for gitlab. I'm also not sure if it's the best option to have a new config file for this, or if it wouldn't make sense to add into the existing one
@hellcp-work, right, it seems that both we (and our customer) and SUSE want this to move roughly in the same direction, so it’d probably make sense to co-ordinate the next steps. Implementing identities properly would both cover our and your use-case, while making the system more flexible and future-proof, so it probably makes sense to do just that — and we can probably invest some time to make it happen. We also need to decide on a way to represent passwordless (SSO-only) users, since this would be very typical in this workflow. |
On the other hand we could also think about making that a feature, allowing authenticating with tokens instead of passwords, so that there is not necessarily an expectation of a password from the api side for authentication |
A minimal working SSO based on OmniAuth.
To minimise the impact of this code being integrated with the rest of the codebase, it doesn’t support the identity concept, but instead matches the SSO users against those already known to OBS by their email addresses.
There are three issues that need to be solved properly:
This is currently implemented by setting the "hash type" to
invalid
, but since the hash type has been deprecated and will go away at some point, marking the user as not having a password needs to be done differently.Referer
header instead of some argument e.g.?redirect_to=
.I will rebase to the latest master branch shortly.
This will fix #7709 and #5957