Allow OIDC as default login #3617
NEAT!
If OIDC default is set, (how?) can a user still use username+password to login? And, will it make sense to keep a cookie on the browser for how to try logging in the next time?
@@ -57,6 +57,7 @@ This reference uses `.` to denote the nesting of values. | |||
* `auth.ldap.default_user_group` `(string : )` - Create all LDAP users in this group. Defaults to `Viewers`. | |||
* `auth.ldap.user_filter` `(string : )` - Additional filter for users. | |||
* `auth.oidc.enabled` `(boolean : false)` - Set to true to enable authentication with an external OIDC provider. | |||
* `auth.oidc.is_default_login` `(boolean : false)` - If true, the lakeFS login page will redirect to the external provider by default. |
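Review bot: The `auth.oidc.is_default_login` entry says the login page redirects to the external provider "by default" but does not say how a user reaches the built-in username and password form once it is set. Suggest adding a sentence naming the path that still serves the internal login, so operators know what fallback exists when the provider is unavailable, and stating whether the setting has any effect unless `auth.oidc.enabled` is also true.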
This is a great way to add a property! I even complained about the added line on swagger.yml
(then had to delete that comment when I saw this documentation...).
webui/src/pages/auth/login.jsx
Outdated
if (!error && response && response.state !== SETUP_STATE_INITIALIZED) { | ||
router.push({pathname: '/setup', query: router.query}) | ||
} | ||
if (!error && response && response.oidc_default_login) { | ||
window.location = OIDC_LOGIN_URL; | ||
} |
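Review bot: The added `window.location = OIDC_LOGIN_URL;` forwards nothing from the current request, while the setup redirect just above it passes `query: router.query`. If the user arrived here from another page, say whether the original destination is meant to survive the round trip to the provider; if it is, carry it explicitly and accept only same-origin relative paths when it comes back. The `!error && response` guard is also repeated in both conditions and could be hoisted into a single check.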
The logic here is a bit worrying: it seems like both `if`s could be taken. Now I know that they cannot, but it still looks weird.
What makes it even more confusing is that when `oidc_default_login`, we do a client-side redirect but also return a `<Layout>`. AFAIU that React component will never be rendered, so perhaps `return` after line 88? And then move lines 87..89 above lines 84..86???
I think something like this might be easier (if it is indeed correct, of course!):
if (!error && response && response.state !== SETUP_STATE_INITIALIZED) { | |
router.push({pathname: '/setup', query: router.query}) | |
} | |
if (!error && response && response.oidc_default_login) { | |
window.location = OIDC_LOGIN_URL; | |
} | |
if (!error && response && response.oidc_default_login) { | |
window.location = OIDC_LOGIN_URL; | |
return null; | |
} | |
if (!error && response && response.state !== SETUP_STATE_INITIALIZED) { | |
router.push({pathname: '/setup', query: router.query}) | |
} | |
Fixed
@arielshaqed - your comment is very important. I changed it so that if you explicitly browse to "/auth/login" you get the old, internal login. If you are redirected from another page - we redirect to OIDC login. PTAL.
Still looks great! If I want to use username+password then I have to type in
@arielshaqed, thanks! The OIDC page is under the control of the external provider - the user may choose to add a link there to "/auth/login".
Configure lakeFS to redirect to OIDC login automatically.