Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(xo-server-auth-oidc): OpenID Connect authentication plugin
Fixes #6627
Showing 7 changed files with 178 additions and 0 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
This plugin allows users to authenticate to Xen-Orchestra using [OpenID Connect](<https://en.wikipedia.org/wiki/OpenID#OpenID_Connect_(OIDC)>). | ||
|
||
The first time a user signs in, XO will create a new XO user with the | ||
same identifier. | ||
|
||
Like all other xo-server plugins, it can be configured directly via | ||
the web interface, see [the plugin documentation](https://xen-orchestra.com/docs/plugins.html). | ||
|
||
> Important: When registering your instance to your identity provider, | ||
> you must configure its callback URL to | ||
> `http://xo.company.net/signin/oidc/callback`! |
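Review bot: the callback URL in the Important note is `http://xo.company.net/signin/oidc/callback`, while the plugin's own `callbackURL` description added in this same commit documents `https://<xo.company.net>/signin/oidc/callback`. The authorization code is delivered to this URL, so the two texts should agree and both should show the `https://` form; it would also help to state that `xo.company.net` stands for the instance's public hostname and that the value registered at the identity provider must match the `callbackURL` the plugin uses (configured or defaulted) exactly.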
@@ -0,0 +1 @@ | ||
../../scripts/npmignore |
@@ -0,0 +1,32 @@ | ||
<!-- DO NOT EDIT MANUALLY, THIS FILE HAS BEEN GENERATED --> | ||
|
||
# xo-server-auth-oidc | ||
|
||
## Usage | ||
|
||
This plugin allows users to authenticate to Xen-Orchestra using [OpenID Connect](<https://en.wikipedia.org/wiki/OpenID#OpenID_Connect_(OIDC)>). | ||
|
||
The first time a user signs in, XO will create a new XO user with the | ||
same identifier. | ||
|
||
Like all other xo-server plugins, it can be configured directly via | ||
the web interface, see [the plugin documentation](https://xen-orchestra.com/docs/plugins.html). | ||
|
||
> Important: When registering your instance to your identity provider, | ||
> you must configure its callback URL to | ||
> `http://xo.company.net/signin/oidc/callback`! | ||
## Contributions | ||
|
||
Contributions are _very_ welcomed, either on the documentation or on | ||
the code. | ||
|
||
You may: | ||
|
||
- report any [issue](https://github.com/vatesfr/xen-orchestra/issues) | ||
you've encountered; | ||
- fork and create a pull request. | ||
|
||
## License | ||
|
||
[AGPL-3.0-or-later](https://spdx.org/licenses/AGPL-3.0-or-later) © [Vates SAS](https://vates.fr) |
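Review bot: `## Contributions` directly follows the blockquote with no blank line between them, unlike every other section of this generated README; since the file carries a DO NOT EDIT header, the fix belongs in the usage source (end the usage text with a trailing newline), and regenerating the README afterwards is also the place to pick up the `http://` vs `https://` callback URL inconsistency between this text and the plugin's schema description.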
@@ -0,0 +1,101 @@ | ||
'use strict' | ||
|
||
const { Strategy } = require('passport-openidconnect') | ||
|
||
// =================================================================== | ||
|
||
const DISCOVERABLE_SETTINGS = ['authorizationURL', 'issuer', 'userInfoURL', 'tokenURL'] | ||
|
||
exports.configurationSchema = { | ||
type: 'object', | ||
properties: { | ||
discoveryURL: { | ||
description: 'If this field is not used, you will need to manually enter settings in the *Advanced* section.', | ||
title: 'Auto-discovery URL', | ||
type: 'string', | ||
}, | ||
clientID: { title: 'Client identifier (key)', type: 'string' }, | ||
clientSecret: { title: 'Client secret', type: 'string' }, | ||
|
||
advanced: { | ||
title: 'Advanced', | ||
type: 'object', | ||
properties: { | ||
authorizationURL: { title: 'Authorization URL', type: 'string' }, | ||
callbackURL: { | ||
description: 'Default to https://<xo.company.net>/signin/oidc/callback`.', | ||
title: 'Callback URL', | ||
type: 'string', | ||
}, | ||
issuer: { title: 'Issuer', type: 'string' }, | ||
tokenURL: { title: 'Token URL', type: 'string' }, | ||
userInfoURL: { title: 'User info URL', type: 'string' }, | ||
usernameField: { | ||
default: 'username', | ||
description: 'Field to use as the XO username', | ||
title: 'Username field', | ||
type: 'string', | ||
}, | ||
}, | ||
}, | ||
}, | ||
required: ['clientID', 'clientSecret'], | ||
anyOf: [{ required: ['discoveryURL'] }, { properties: { advanced: { required: DISCOVERABLE_SETTINGS } } }], | ||
} | ||
|
||
// =================================================================== | ||
|
||
class AuthOidc { | ||
#conf | ||
#unregisterPassportStrategy | ||
#xo | ||
|
||
constructor(xo) { | ||
this.#xo = xo | ||
} | ||
|
||
async configure({ advanced, ...conf }, { loaded }) { | ||
this.#conf = { callbackURL: '/signin/oidc/callback', ...advanced, ...conf } | ||
|
||
if (loaded) { | ||
await this.unload() | ||
await this.load() | ||
} | ||
} | ||
|
||
async load() { | ||
const xo = this.#xo | ||
const { discoveryURL, usernameField, ...conf } = this.#conf | ||
|
||
if (discoveryURL !== undefined) { | ||
const res = await this.#xo.httpRequest(discoveryURL) | ||
const data = await res.json() | ||
|
||
for (const key of DISCOVERABLE_SETTINGS) { | ||
if (!conf[key]) { | ||
conf[key] = data[key.endsWith('URL') ? key.slice(0, -3).toLowerCase() + '_endpoint' : key] | ||
} | ||
} | ||
} | ||
|
||
this.#unregisterPassportStrategy = xo.registerPassportStrategy( | ||
new Strategy(conf, async (issuer, profile, done) => { | ||
try { | ||
const { id, [usernameField]: name } = profile | ||
done(null, await xo.registerUser2('oidc:' + issuer, { user: { id, name } })) | ||
} catch (error) { | ||
done(error.message) | ||
} | ||
}), | ||
{ label: 'OpenID Connect', name: 'oidc' } | ||
) | ||
} | ||
|
||
unload() { | ||
this.#unregisterPassportStrategy() | ||
} | ||
} | ||
|
||
// =================================================================== | ||
|
||
exports.default = ({ xo }) => new AuthOidc(xo) |
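Review bot: `unload()` calls `this.#unregisterPassportStrategy()` unconditionally, but if `load()` throws before reaching `xo.registerPassportStrategy(...)` (for example when the discovery request fails or `res.json()` rejects), the field is still `undefined` and `unload()` raises a TypeError; guard it, e.g. `if (this.#unregisterPassportStrategy !== undefined) { this.#unregisterPassportStrategy(); this.#unregisterPassportStrategy = undefined }`. Two smaller points in the same hunk: the discovery document is consumed without checking that `data.issuer` matches a configured `issuer` when one is given, so a mistyped or substituted `discoveryURL` silently changes which provider's tokens are accepted; and `const { id, [usernameField]: name } = profile` passes `name` to `registerUser2` even when the claim is absent from the profile, so a user can be created with an undefined name, whereas failing with an explicit error naming the missing field is clearer. Finally, `done(error.message)` hands passport a string instead of the `Error`, which drops the stack; `done(error)` keeps it.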
@@ -0,0 +1,23 @@ | ||
{ | ||
"private": true, | ||
"name": "xo-server-auth-oidc", | ||
"homepage": "https://github.com/vatesfr/xen-orchestra/tree/master/packages/xo-server-auth-oidc", | ||
"bugs": "https://github.com/vatesfr/xen-orchestra/issues", | ||
"repository": { | ||
"directory": "packages/xo-server-auth-oidc", | ||
"type": "git", | ||
"url": "https://github.com/vatesfr/xen-orchestra.git" | ||
}, | ||
"author": { | ||
"name": "Vates SAS", | ||
"url": "https://vates.fr" | ||
}, | ||
"license": "AGPL-3.0-or-later", | ||
"version": "0.0.0", | ||
"engines": { | ||
"node": ">=12" | ||
}, | ||
"dependencies": { | ||
"passport-openidconnect": "^0.1.1" | ||
} | ||
} |