Implement OIDC authentication #1213
See also #973

I can't wait for this to get merged. I would say though that since Gorilla Toolkit is in archive mode you probably shouldn't use anything from it.

@mnestor neither can I 🙃
I did not choose to use gorilla/mux. It's what Semaphore uses for request routing (this is my first contribution to Semaphore, I'm not a maintainer). I think you'd be best off opening a separate issue for finding an alternative to gorilla/mux.

Doh! Missed that

Am looking forward to this being merged!

+1 on getting this added for extra authentication mechanisms alongside LDAP

@s3lph, @binaryfire sorry for such a long delay. Currently I have time to work on the project, and I will review the MR ASAP.

Hi @s3lph. Your code looks very clear, all Dredd tests passed, thank you! I have no experience with OpenID, can anybody help me test this? :-D
I think we will do this after the testing period of SSO auth.
Hi @fiftin. How would you like to conduct the tests with this feature? I think it's relatively simple to write docs and Dockerfile examples using the most common OpenID providers out there.

This prerelease includes the feature: https://github.com/ansible-semaphore/semaphore/releases/tag/v2.8.91 No documentation exists yet, only what @s3lph has written. Thank you!

Is there any way to get this config in through Docker environment variables? Can we get the environment variables config PR raised in the interim to edit the config.json?

Hi @aaronnad. Currently it is not available for Docker. I don't know how to pass so many parameters via ENV vars.

@s3lph could you write some documentation for the feature? Docs for OpenID: https://github.com/semaphoreui/ansible-semaphore-docs/blob/main/administration-guide/openid.md

Hi @lafayetteduarte and others. Can anybody write a doc on how to set up Semaphore OpenID to work with Amazon OpenID: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html#manage-oidc-provider-console or GitLab: https://docs.gitlab.com/ee/integration/openid_connect_provider.html ?

Wow, I did this! I connected Semaphore to GitLab OpenID! It is really easy, thank you @s3lph :) I will write a tutorial on how to do this.

Hi @fiftin, tomorrow I will take a look at this. I've seen you are planning for roles in Semaphore.

I wrote a small tutorial on how to set up OpenID with GitLab: https://www.ansible-semaphore.com/blog/openid-authentication/ If you write a tutorial, I could post it on the website, with a link to your profile. Thank you!
Hi @fiftin, will do. I have some LDAP examples in the works that I've used to debug the behaviour where the space in the parameters breaks the JSON generation. Need to work on seeding the LDAP database and write a compose file as a complete example. I forked the dev branch. As soon as it's done I will pull it to my profile and send you a link so you can evaluate the idea.

@lafayetteduarte It would be cool!

Hi @fiftin Just to let you know I'm running late on this. Will get back to the debugging as soon as possible. Will send the fork link when I'm done.

@fiftin, fork with the examples folder, here if you want to review it. Working examples:
This weekend I will add more examples for Google, Microsoft, Facebook, LinkedIn and whatnot. Let me know if I'm missing something. Thank you
Hi, I'm unable to get this working with Authentik, using the following configuration
I tried at first
So I then re-tried it with the trailing / and I was still getting a redirect to the login page and not the application. So I then tried to manually specify everything in case this would work, but again, Authentik expects the trailing
Still, when I click sign in with Authentik and sign in, I just get looped round and stay on the login screen, but my user does get created in the database. Before sign-in with Authentik
After sign-in with Authentik
There are no log outputs on the Docker container saying any errors were caused either - this is a completely fresh installation. Edit: Debugging further, as soon as I added the OIDC configuration, my local users are also no longer able to progress through to login - using the Docker installation

So upon further testing, if I go direct to the Docker container and not through a reverse proxy, the local admin works just fine. At present my Semaphore installation is available at https://semaphore.my.tld. Trying to use that instead of the direct IP has a negative effect. Going direct to http://192.168.50.2:3001 then allows the login. It would appear that this configuration does not work/play well with reverse proxies. Edit: See screenshot below. It would appear that having the default security enabled for HTTP-Only Cookies on the VMware NSX ALB (formerly AVI load balancers) does not work. Disabling this setting enables this to work fine.

@aaronnad, is the HTTP-only cookie related to the username / password flow?

Hi @lafayetteduarte, the HTTP-Only cookie issue happens without the OpenID configuration present. I just get a redirect back to the /auth/login path once I've entered my credentials. Some applications I've worked with have a similar issue, it just took me a little while to remember it in this case for Semaphore. Secure cookies can still be enabled on my reverse proxy, which is great.
This PR implements login to Semaphore via OpenID Connect.
Multiple OIDC providers can be configured in config.json:
For each of the configured providers, an additional login button is added to the login page:
If a user clicks the second button, they are redirected via `/api/auth/oidc/${provider}/login` (I couldn't find a nice way to do this without redirecting through an API endpoint) to the OIDC provider. From there, they are redirected back to `/api/auth/oidc/${provider}/redirect`, which validates the response and performs the backchannel token exchange. On success, a user session is created and the user is redirected on to `/`; on failure the user is sent back to `/auth/login`. Same as with LDAP authentication, an `external` user account is created if one does not exist yet. I tested this against Keycloak 21 using the `code` authentication flow.
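As an added illustration of the checks the `/redirect` endpoint has to make before creating a session (example code written for this page, not Semaphore's own implementation): the `state` echoed by the provider is compared with the login cookie in constant time, and the claims of an already signature-verified ID token are checked for an exact issuer match (which is why a trailing slash on the issuer URL matters), audience, expiry and nonce. Type and function names are assumptions; the issuer and client ID are whatever the provider's entry in config.json carries.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"time"
)

// IDClaims are the claims of an ID token whose signature has already been
// verified against the provider's JWKS (signature checking is not shown here).
type IDClaims struct {
	Issuer   string   `json:"iss"`
	Audience []string `json:"aud"` // some providers encode a single audience as a plain string
	Expiry   int64    `json:"exp"`
	Nonce    string   `json:"nonce"`
	Subject  string   `json:"sub"`
}

// CheckState rejects the callback unless the "state" echoed by the provider
// equals the value the login handler stored in a cookie, compared in constant
// time; this is what stops a forged callback from logging a victim in.
func CheckState(fromQuery, fromCookie string) error {
	if fromCookie == "" || subtle.ConstantTimeCompare([]byte(fromQuery), []byte(fromCookie)) != 1 {
		return errors.New("oidc: state mismatch")
	}
	return nil
}

// ValidateClaims performs the relying-party checks that must pass before a
// session is created or an "external" user is provisioned. issuer and clientID
// come from the provider's config.json entry; nonce comes from the login cookie.
func ValidateClaims(c IDClaims, issuer, clientID, nonce string, now time.Time) error {
	forUs := false
	for _, a := range c.Audience {
		forUs = forUs || a == clientID
	}
	switch {
	case c.Issuer != issuer: // exact match: "https://idp/" and "https://idp" differ
		return errors.New("oidc: unexpected issuer")
	case !forUs:
		return errors.New("oidc: token not issued for this client")
	case now.Unix() >= c.Expiry:
		return errors.New("oidc: token expired")
	case subtle.ConstantTimeCompare([]byte(c.Nonce), []byte(nonce)) != 1:
		return errors.New("oidc: nonce mismatch")
	case c.Subject == "":
		return errors.New("oidc: missing subject")
	}
	return nil
}
```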