[ENHANCEMENT]: Some improvements around OIDC/OAuth provider configuration #1685
Conversation
fac1103 to 6bcf7f8
2f81bbe to 52ff337
internal/api/impl/auth/oauth.go
Outdated
    var errToken error
    if token != nil {
        // TODO(cegarcia): Is it really necessary?, claims that we are searching for are id_token claims,
        // and if there is an id token, then it is OIDC
Putting back into draft mode in order to resolve this comment.
I will try more OAuth providers, as for now only GitHub has been tried, and it has neither a JWT access_token nor an id_token.
I have good hope that this token parsing is actually not necessary at all.
I made the choice to not parse the token here and rely only on the provider's /userinfo API data to retrieve the needed information. This will be acceptable as a first shot and we'll see with usage if we need to improve.
Anyway, with generic OAuth, the access_token is not guaranteed to be a JWT nor to contain the right claims at the right place. A true id_token would guarantee that, but if we receive an id_token, then it is OIDC.
From what I see on the web, the mainstream will be more and more OIDC and this is what we should push for as much as possible.
2a68543 to b287d62
Signed-off-by: Celian GARCIA <celian.garcia@amadeus.com>
…default) Signed-off-by: Celian GARCIA <celian.garcia@amadeus.com>
14d5b65 to dcb3190
dcb3190 to 18d29f5
255c2e0 to 564821f
…eds and 500 otherwise) Signed-off-by: Celian GARCIA <celian.garcia@amadeus.com>
Except for my last comment, LGTM!
d4adebb to a197a80
a197a80 to 5f6f5e3
67a5f36 into perses:feat/social-authentication
Description
This PR comes after having tested several external OIDC providers.
So far I tested Azure, Google, Gitlab, Linkedin as OIDC providers.
This last one seems to not support all the features like the others.
That's why this PR allows more fine-grained configuration:
- discovery_url config: set a custom Discovery URL (the famous "/.well-known/openid-configuration" where all the config can be accessed). With Linkedin the problem is that the lib we use expected the discovery url to be {issuer}/.well-known/openid-configuration, which is not the case.
- PKCE check: by default my first implementation assumed that PKCE verification is supported by all the OIDC providers, which is not the case. So we can now disable it through the disable_pkce configuration.
- More efficient user info parsing
In anticipation, I also include in that PR an interface and a service that will have to be implemented to upsert the user at login time (see userinfo.go file).
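The two settings described above, a custom discovery_url overriding the {issuer}/.well-known/openid-configuration convention and a disable_pkce switch for providers that do not implement PKCE, as an added, stand-alone Go example. This is not Perses code: the ProviderConfig field names, the authorization endpoint, the scope list and the redirect path are assumptions made for the example; only the configuration keys discovery_url and disable_pkce come from the PR description. The PKCE verifier/challenge derivation follows RFC 7636 (S256).

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// ProviderConfig mirrors the two settings discussed in the PR.
// Field names are assumptions for this example; only the YAML keys
// discovery_url and disable_pkce appear in the PR description.
type ProviderConfig struct {
	Issuer       string
	DiscoveryURL string // discovery_url: explicit override; empty means derive from Issuer
	DisablePKCE  bool   // disable_pkce: skip code_challenge for providers without PKCE support
	ClientID     string
	RedirectURI  string
}

// ResolveDiscoveryURL returns the explicit discovery_url when configured, otherwise
// the conventional {issuer}/.well-known/openid-configuration that most providers honor.
func (c ProviderConfig) ResolveDiscoveryURL() string {
	if c.DiscoveryURL != "" {
		return c.DiscoveryURL
	}
	return strings.TrimSuffix(c.Issuer, "/") + "/.well-known/openid-configuration"
}

// NewCodeVerifier builds a PKCE code_verifier: 32 random bytes encoded as
// unpadded base64url, which yields 43 characters (within RFC 7636's 43..128 range).
func NewCodeVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// CodeChallengeS256 derives the S256 code_challenge from a verifier.
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AuthorizationURL builds the redirect to the provider's authorization endpoint.
// With PKCE enabled, code_challenge and code_challenge_method are appended; the
// caller must keep the verifier server-side (session) for the later token exchange.
// With disable_pkce set, the request is a plain authorization-code request.
func AuthorizationURL(cfg ProviderConfig, authEndpoint, state, verifier string) (string, error) {
	u, err := url.Parse(authEndpoint)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("response_type", "code")
	q.Set("client_id", cfg.ClientID)
	q.Set("redirect_uri", cfg.RedirectURI)
	q.Set("scope", "openid profile email") // assumed scope set
	q.Set("state", state)
	if !cfg.DisablePKCE {
		if verifier == "" {
			return "", fmt.Errorf("PKCE enabled but no code_verifier supplied")
		}
		q.Set("code_challenge", CodeChallengeS256(verifier))
		q.Set("code_challenge_method", "S256")
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	// Constructed values: an example issuer, client id and callback path.
	cfg := ProviderConfig{
		Issuer:      "https://accounts.example.com",
		ClientID:    "example-client-id",
		RedirectURI: "https://perses.example/api/auth/providers/oidc/callback",
	}
	fmt.Println("discovery:", cfg.ResolveDiscoveryURL())

	verifier, err := NewCodeVerifier()
	if err != nil {
		panic(err)
	}
	withPKCE, err := AuthorizationURL(cfg, "https://accounts.example.com/authorize", "constructed-state", verifier)
	if err != nil {
		panic(err)
	}
	fmt.Println("with PKCE:", withPKCE)

	cfg.DisablePKCE = true // what disable_pkce would do for a provider such as the one described in the PR
	withoutPKCE, _ := AuthorizationURL(cfg, "https://accounts.example.com/authorize", "constructed-state", "")
	fmt.Println("PKCE disabled:", withoutPKCE)
}
```

Keeping PKCE on by default and treating disable_pkce as an explicit, per-provider opt-out matches the direction of the PR: the only reason to turn the check off is a provider that rejects or ignores code_challenge, and the error path for a missing verifier makes an accidental downgrade visible rather than silent.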
Screenshots
Checklist
- [<catalog_entry>] <commit message> naming convention, using one of the following catalog_entry values: FEATURE, ENHANCEMENT, BUGFIX, BREAKINGCHANGE, DOC, IGNORE.
- UI Changes: see Storybook and e2e docs for more details. Common issues include: