Add OpenID-Connect Support #78
Conversation
Thanks to Vinod for pointing out that this might be a better solution with Dependency-Track's frontend being rewritten as SPA
This is required for tests of classes that make use of the cache
…point Also, remove OidcSigningKeyResolver and remove OidcAuthenticationService from AuthenticationFilter. These changes are necessary for compatibility with Auth Servers that do not provide their Access Tokens in JWT form. GitLab for example just uses random strings. Additionally, we'll authenticate via OIDC just once now and then issue a "local" JWT. This is the way LDAP authentication is implemented as well.
…ing in separate class
Unlike LDAP, the OpenID Connect standard does not provide any means to retrieve a list of all available groups or roles. In order to still allow for a mapping between OIDC groups/roles and Teams, Admins will need to set up groups in Alpine manually.
Conveniently implicitly contains tests for getters & setters
@stevespringett I'd consider this PR to be ready for review. I'll possibly add minor changes while integrating this into Dependency-Track and its new frontend, but all in all this is pretty much the final version.
We don't need to perform additional requests to get group memberships of the authenticated user, so there is little to no performance hit to be expected when syncing always.
This is to be uniform with the frontend configuration. JavaScript's oidc-client (currently) does not allow directly providing the discovery URI.
https://openid.net/specs/openid-connect-discovery-1_0.html states: "URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier. If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer."
I noticed that the current way of authenticating users is somewhat flawed. LDAP or OIDC users with the name I was thinking about a new claim
This is for the use case where admins manually create OidcUsers. At this time, only the username is known. Now, if a user that has been manually created logs in for the first time, his subject identifier is assigned to the OidcUser entity. From this point on, the subject identifier cannot change. If it does, authentication will fail.
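The first-login subject binding described in the comment above, as an added illustration in Java; this is not Alpine's own code, and `SubjectBindingDemo`, its `OidcUser` stand-in, `createUser`, `authenticate` and the `subj-*` values are hypothetical:

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

public class SubjectBindingDemo {
    /** Hypothetical stand-in for the OidcUser entity: username known at creation, subject bound later. */
    static final class OidcUser {
        final String username;
        String subjectIdentifier; // null until the user's first OIDC login

        OidcUser(String username) { this.username = username; }
    }

    enum AuthResult { AUTHENTICATED, SUBJECT_MISMATCH, UNKNOWN_USER }

    private final Map<String, OidcUser> usersByName = new HashMap<>();

    /** Admin pre-creates the user; only the username is known at this point. */
    void createUser(String username) {
        usersByName.put(username, new OidcUser(username));
    }

    /**
     * Authenticate with the username and "sub" claim obtained from the OpenID Provider.
     * First login binds the subject permanently; every later login must present the same subject.
     */
    AuthResult authenticate(String username, String subject) {
        OidcUser user = usersByName.get(username);
        if (user == null) return AuthResult.UNKNOWN_USER;
        if (user.subjectIdentifier == null) {
            user.subjectIdentifier = subject; // one-time binding on first login
            return AuthResult.AUTHENTICATED;
        }
        // The bound subject never changes; a different subject presenting this username is rejected.
        return Objects.equals(user.subjectIdentifier, subject)
                ? AuthResult.AUTHENTICATED
                : AuthResult.SUBJECT_MISMATCH;
    }

    public static void main(String[] args) {
        SubjectBindingDemo auth = new SubjectBindingDemo();
        auth.createUser("dtrack"); // the manually created user from the test guide (constructed sample)
        System.out.println(auth.authenticate("dtrack", "subj-1"));  // first login: subject gets bound
        System.out.println(auth.authenticate("dtrack", "subj-1"));  // same subject: accepted again
        System.out.println(auth.authenticate("dtrack", "subj-2"));  // different subject: rejected
        System.out.println(auth.authenticate("mallory", "subj-3")); // user never created by an admin
    }
}
```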
This PR addresses #10 by implementing support for OAuth2 / OpenID Connect.
I'm opening this PR in a WIP state mainly for transparency reasons, but also to potentially get early feedback. I'll update this description when something changes and let you know when I feel like the PR is ready for a serious review.
TODO
How to test
Besides the unit tests, here's a quick guide on how to test this implementation in action. It can be done locally using Docker, Keycloak and Dependency-Track:
Setup Dependency-Track
1. Check out the `openidconnect-support` branch of Dependency-Track and build an executable WAR:
2. Check out the `openidconnect-support` branch of the new Dependency-Track frontend and modify `public/static/config.json` as follows:
   then start it with `npm run serve`
3. Log in with `admin:admin`
4. Navigate to `Administration` -> `Access Management` -> `OpenID Connect Groups` and create the groups `DTRACK_ADMINS` and `DTRACK_USERS`
5. Map `DTRACK_ADMINS` to the team `Administrators` and `DTRACK_USERS` to `Portfolio Managers`

Setup Keycloak
1. Download `realm-export.json` (`master` realm with pre-configured client `dependency-track`)
2. Start Keycloak with `realm-export.json` mounted for import:
   $ docker run -d -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -e KEYCLOAK_IMPORT=/tmp/realm-export.json -v "$(pwd)/realm-export.json:/tmp/realm-export.json" -p 8081:8080 --name keycloak jboss/keycloak:8.0.2
3. Log in to `http://localhost:8081/auth` with `admin:admin`
4. `dtrack-oidc`
5. Go to `Manage` -> `Users` -> `Add user` with the following credentials: username `dtrack`, email `dtrack@mail.local`, password `test` (make sure the option `Temporary` is `OFF`)
6. Open the `Groups` tab for the user and join either `DTRACK_ADMINS`, `DTRACK_USERS` or both

Test
1. Download the `*.postman_collection.json` and `*.postman_environment.json` files from this gist and import them into Postman
2. `dtrack`: