Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WIP] SSO proof of concept #12404

Open
wants to merge 15 commits into
base: 2.10
Choose a base branch
from
Open

[WIP] SSO proof of concept #12404

wants to merge 15 commits into from

Conversation

andrewshadura
Copy link
Contributor

@andrewshadura andrewshadura commented Apr 5, 2022
edited

A minimal working SSO based on OmniAuth.

To minimise the impact of this code being integrated with the rest of the codebase, it doesn’t support the identity concept, but instead matches the SSO users against those already known to OBS by their email addresses.

There are three issues that need to be solved properly:

  • When a new user logs in with SSO, they are not asked to set up a password upfront. This is to improve the user experience, since the user may never need to use the password if they don’t use the command-line client, so they’re allowed to configure it later when they choose to; if they instead opt to only ever log in with SSO, they won’t need to set up a password at all.
    This is currently implemented by setting the "hash type" to invalid, but since the hash type has been deprecated and will go away at some point, marking the user as not having a password needs to be done differently.
  • Redirection of anonymous users needs to be smarter. For security reasons, some setups configure the lifetime of a session to a minimal value and force users to re-authenticate with the SSO to confirm their access has not been revoked. This is currently difficult to implement in a user-friendly way, as the user with an expired session is not automatically redirected to the SSO, which would confirm their session and transparently redirect back. Even further, it’s difficult to keep the original URL as it’s only stored in the Referer header instead of some argument e.g. ?redirect_to=.
  • During the initial login flow, the authentication hash is stored in the session between individual flow steps. For some reason when used e.g. with GitHub, it overflows the session (even though it’s not supposed to be stored in a cookie). The current code works around it by only storing a part of the hash, but this seriously limits what can be learned about the user during the registration process.

I will rebase to the latest master branch shortly.

This will fix #7709 and #5957

@andrewshadura
Add omniauth dependency
8e0bc17
@andrewshadura
Add dependency on omniauth-gitlab
87ab1fb
@andrewshadura
Add omniauth-rails_csrf_protection
a0fa5cf
@andrewshadura
Parse SSO authentication config on startup
dd65c4c 
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Parse-SSO-authentication-config-on-startup.patch
@andrewshadura
Add an SSO login page so that users can choose between providers
a226ccb 
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Add-an-SSO-login-page-so-that-users-can-choose-between-pr.patch
@andrewshadura
Rename create_ldap_user to create_external_user
38cd6ff 
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Rename-create_ldap_user-to-create_external_user.patch
@andrewshadura
user model: add find_with_omniauth/create_with_omniauth
d1eaa4d 
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name user-model-add-find_with_omniauth-create_with_omniauth.patch
@andrewshadura
Add SSO callback to allow existing users log in with an external source
cec4685 
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Add-SSO-callback-to-allow-existing-users-log-in-with-an-e.patch
@andrewshadura
Implement first login flow
f9d73c3 
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Implement-login-flow.patch
@andrewshadura
Try harder to derive the username from email addresses
f82221c 
Some providers set username or nickname to an email address.
For this reason, first collect the best possible user name we can find,
and only then fix it to match our requirements.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Try-harder-to-derive-the-username-from-email-addresses.patch
@andrewshadura
REWORD: Redirect correctly: secure and take SSO into account
deae750
@andrewshadura
Mark passwords for SSO-only users as invalid to allow changing them l…
9283355 
…ater

Add a new "hash type" for invalid passwords, which is never equal to
normal passwords, but nevertheless can be changed without being known by
the user.

This "invalid" password can only be set by directly setting the password
hash type. When updating the password using update_password method, it will
always be upgrade it to the strongest hash type, sha256crypt.

To allow changing this "invalid" password to a normal one, stop
requiring a non-empty current password in the password change dialog
when changing a password from an "invalid" one. Don’t show the current
password box either, as it is not used anyway in this case, making
it better not to show it to avoid confusion.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Mark-passwords-for-SSO-only-users-as-invalid-to-allow-cha.patch
@andrewshadura
Add dependency on a Git snapshot of omniauth_openid_connect
1e2e590 
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
@andrewshadura
Add omniauth-github
4cdfc39 
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
@andrewshadura
Only store the 'info' part of the auth hash in the session
a4572a0 
The auth hash can be quite large, and with session storage in cookies,
the cookie can easily reach the 4 KB limit. Work around this issue
by only storing the part of the hash we currently use.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
@github-actions github-actions bot added Backend Things regarding the OBS backend Documentation 📖 Things regarding our documentation Frontend Things related to the OBS RoR app Test Suite / CI 💉 Things related to our tests/CI labels Apr 5, 2022
@andrewshadura andrewshadura changed the base branch from master to 2.10 April 5, 2022 08:29
@Conan-Kudo
Copy link
Member

Conan-Kudo commented Apr 20, 2022
edited

@andrewshadura Can you please remove the Gbp-Pq goop from the commits? Also, how will osc work with SSO accounts?

@andrewshadura
Copy link
Contributor Author

@andrewshadura Can you please remove the Gbp-Pq goop from the commits?

Sure, I was going to remove them in the next iteration of the pull request.

andrewshadura
andrewshadura commented May 4, 2022
View reviewed changes
src/api/app/views/webui2/webui/session/sso_confirm.html.haml
.card
.card-body#loginform
.col-lg-6.pl-0
- if can_register
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While deploying this today on a new instance, we found out we actually want to disallow new registrations while allow new users log in with SSO.
The code doesn’t currently distinguish between these two different sign-ups (non-verified self-registration and a new user being created after confirmed by the SSO), so we ended up removing this condition here so that SSO can still allow new users in deny mode.
Ultimately it needs to be a separate setting.

@hennevogel hennevogel mentioned this pull request Jun 23, 2022
Open
@hellcp-work
Copy link
Contributor

To minimise the impact of this code being integrated with the rest of the codebase, it doesn’t support the identity concept, but instead matches the SSO users against those already known to OBS by their email addresses.

Which users can change in most idps, that's probably not the best idea. Maybe it would be possible to start off with introducing some way to support identities first before getting sso into the codebase? Alternatively allow admins to choose which field is static and base the match on that? SUSE Community Accounts have static usernames for example, so it would be best if that was the way the users were matched with accounts.

@andrewshadura
Copy link
Contributor Author

andrewshadura commented Jan 9, 2023 via email
edited

dmarcoux
dmarcoux reviewed Jan 9, 2023
View reviewed changes
src/api/Gemfile
gem 'omniauth'
gem 'omniauth-gitlab'
gem 'omniauth-github'
gem 'omniauth_openid_connect', git: 'https://github.com/m0n9oose/omniauth_openid_connect', ref: '88ae46e968dec5e66d4f92773b52babbe72d41fe'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is the reason for pinning this gem to a commit? Is it a lack of a recent release?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, at the time when this was written, there was no compatible release.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did some work with omniauth_openid_connect as a part of paste-o-o, and there is a compatible version now, so we should be good to use the latest version

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes — after I kicked a bunch of people who did omniauth development, they’ve all got together, moved omniauth_openid_connect under the OmniAuth umbrella and made a new release 🙂

hellcp-work
hellcp-work reviewed Jan 10, 2023
View reviewed changes
src/api/config/auth.yml.example
@@ -0,0 +1,8 @@
fdo-gitlab:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should have example config for all the gems we have added here, as of now we have config just for gitlab. I'm also not sure if it's the best option to have a new config file for this, or if it wouldn't make sense to add into the existing one

@andrewshadura
Copy link
Contributor Author

@hellcp-work, right, it seems that both we (and our customer) and SUSE want this to move roughly in the same direction, so it’d probably make sense to co-ordinate the next steps. Implementing identities properly would both cover our and your use-case, while making the system more flexible and future-proof, so it probably makes sense to do just that — and we can probably invest some time to make it happen.

We also need to decide on a way to represent passwordless (SSO-only) users, since this would be very typical in this workflow.

@hellcp-work
Copy link
Contributor

We also need to decide on a way to represent passwordless (SSO-only) users, since this would be very typical in this workflow.

On the other hand we could also think about making that a feature, allowing authenticating with tokens instead of passwords, so that there is not necessarily an expectation of a password from the api side for authentication

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dmarcoux dmarcoux dmarcoux left review comments

@hellcp-work hellcp-work hellcp-work left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
Backend Things regarding the OBS backend Documentation 📖 Things regarding our documentation Frontend Things related to the OBS RoR app Test Suite / CI 💉 Things related to our tests/CI
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support SSO
4 participants
@andrewshadura @Conan-Kudo @hellcp-work @dmarcoux