Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow OIDC as default login #3617

Merged
merged 4 commits into from Jul 18, 2022
Merged

Allow OIDC as default login #3617

merged 4 commits into from Jul 18, 2022

Conversation

johnnyaug
Copy link
Contributor

@johnnyaug johnnyaug commented Jul 5, 2022
edited

Configure lakeFS to redirect to OIDC login automatically.

@johnnyaug johnnyaug requested review from arielshaqed and removed request for arielshaqed July 5, 2022 14:14
@johnnyaug johnnyaug marked this pull request as draft July 5, 2022 14:40
@johnnyaug johnnyaug closed this Jul 7, 2022
@johnnyaug johnnyaug deleted the auth/oidc_as_default_login branch July 7, 2022 07:54
@johnnyaug johnnyaug added the include-changelog PR description should be included in next release changelog label Jul 17, 2022
@johnnyaug johnnyaug reopened this Jul 17, 2022
arielshaqed
arielshaqed approved these changes Jul 18, 2022
View reviewed changes
Copy link
Contributor

@arielshaqed arielshaqed left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NEAT!

If OIDC default is set, (how?) can a user still use username+password to login? And, will it make sense to keep a cookie on the browser for how to try logging in the next time?

docs/reference/configuration.md
@@ -57,6 +57,7 @@ This reference uses `.` to denote the nesting of values.
* `auth.ldap.default_user_group` `(string : )` - Create all LDAP users in this group. Defaults to `Viewers`.
* `auth.ldap.user_filter` `(string : )` - Additional filter for users.
* `auth.oidc.enabled` `(boolean : false)` - Set to true to enable authentication with an external OIDC provider.
* `auth.oidc.is_default_login` `(boolean : false)` - If true, the lakeFS login page will redirect to the external provider by default.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a great way to add a property! I even complained about the added line on swagger.yml (then had to delete that comment when I saw this documentation...).

webui/src/pages/auth/login.jsx Outdated
Comment on lines 84 to 89
if (!error && response && response.state !== SETUP_STATE_INITIALIZED) {
router.push({pathname: '/setup', query: router.query})
}
if (!error && response && response.oidc_default_login) {
window.location = OIDC_LOGIN_URL;
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The logic here is a bit worrying: it seems like a both ifs could be taken. Now I know that they cannot, but it still looks weird.

What makes it even more confusing is that when oidc_default_login, we do a client-side redirect but also return a <Layout>. AFAIU that React component will never be rendered, so perhaps return after line 88? And then move lines 87..89 about lines 84..86???

I think something like this might be easier (if it is indeed correct, of course!):

Suggested change
if (!error && response && response.state !== SETUP_STATE_INITIALIZED) {
router.push({pathname: '/setup', query: router.query})
}
if (!error && response && response.oidc_default_login) {
window.location = OIDC_LOGIN_URL;
}
if (!error && response && response.oidc_default_login) {
window.location = OIDC_LOGIN_URL;
return null;
}
if (!error && response && response.state !== SETUP_STATE_INITIALIZED) {
router.push({pathname: '/setup', query: router.query})
}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed

@johnnyaug
Copy link
Contributor Author

@arielshaqed - your comment is very important. I changed it so that if you explicitly browse to "/auth/login" you get the old, internal login. If you are redirected from another page - we redirect to OIDC login. PTAL.

@johnnyaug johnnyaug marked this pull request as ready for review July 18, 2022 09:40
@arielshaqed
Copy link
Contributor

@arielshaqed - your comment is very important. I changed it so that if you explicitly browse to "/auth/login" you get the old, internal login. If you are redirected from another page - we redirect to OIDC login. PTAL.

Still looks great! If I want to use username+password then I have to type in .../auth/login, or is there some link on the OIDC login page that I can use?

@johnnyaug
Copy link
Contributor Author

@arielshaqed, thanks! The OIDC page is at the control of the external provider - the user may choose to add a link there to "/auth/login".

@johnnyaug johnnyaug merged commit 1e17a15 into master Jul 18, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@arielshaqed arielshaqed Awaiting requested review from arielshaqed

Assignees
No one assigned
Labels
include-changelog PR description should be included in next release changelog
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@johnnyaug @arielshaqed