This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Implement OpenID Connect-based login #7256

Merged
merged 45 commits into from
May 8, 2020

Commits on May 7, 2020

  1. Implement OpenID Connect-based login

    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    968791b
  2. OIDC login: allow specifying custom endpoints

    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    ff202e5
  3. OIDC login: include redirect_uri in grant & authorization steps

    This would break with some providers if multiple redirect uris were
    configured.
    
    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    380260e
  4. OIDC login: make user properties configurable

    the localpart and the display name are derived from claims returned by
    the provider using a user-configurable jinja template
    
    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    582e19b
  5. OIDC login: add changelog entry

    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    7dccd63
  6. OIDC login: disable by default

    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    e8f893a
  7. OIDC login: add some tests

    This adds tests for:
    - part of the config
    - well-known discovery
    - jwks fetching
    - redirect uri
    
    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    82a8efb
  8. OIDC login: add some typings

    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    cc7250f
  9. OIDC login: allow skipping verification

    Also adds test to the provider metadata verification
    
    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    359a55c
  10. OIDC login: fix syntax

    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    8a78906
  11. OIDC login: allow fetching userinfo

    This allows using generic OAuth2 providers like GitHub that are not
    OpenID Connect compliant.
    
    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    0f3f3db
  12. OIDC login: re-generate sample config

    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    42988e0
  13. Send Accept: application/json in SimpleHttpClient JSON methods

    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    b0c0f52
  14. OIDC login: support alternative client auth methods

    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    61ba148
  15. OIDC login: reload jwks if jwt decoding fails

    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    a0836db
  16. OIDC login: fix test on python 3.5

    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    7ff9a5d
  17. OIDC login: fix test on python 3.5 (attempt #2)

    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    0809627
  18. OIDC login: user-friendly errors

    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    b9f18c1
  19. OIDC login: add docs to test with some providers

    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    3052ea8
  20. OIDC login: fix auth method default config

    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    5583c47
  21. OIDC login: regenerate sample config

    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    2a5f66c
  22. OIDC login: fix lint

    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    6d77dcb
  23. OIDC login: test oauth2 callback

    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    a77ab05
  24. OIDC login: fix test on python 3.5

    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    d662043
  25. OIDC login: add a lot of docstrings

    also fixes a few things discussed in the PR
    
    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    5668fc5
  26. OIDC login: custom modules for user mappings

    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    4f8ffaa
  27. OIDC login: remove type hints from docstrings

    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    782bf3a
  28. OIDC login: fix various things

    - comment about the JWKS loading process
    - type hints
    - cookies with SameSite=Lax
    
    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    e9b0138
  29. OIDC login: use the SSO template dir for OIDC

    It also renames the config variable internally from
    sso_redirect_confirm_template_dir to sso_template_dir.
    
    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    244e7c5
  30. OIDC login: fix syntax on python 3.5

    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    1ef3b20
  31. OIDC login: simplify the code exchange request

    Also fixes the tests
    
    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    c60fa61
  32. OIDC login: fix code exchange request on py3.5

    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    6e2a0db
  33. OIDC login: fix sample config in docs

    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    e76c50a
  34. OIDC login: proper error handling in code exchange

    This ensures the OP is behaving correctly and returns valid HTTP codes
    
    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    543e046
  35. OIDC login: more tests

    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    ea5d71d
  36. Apply suggestions from code review

    Co-authored-by: Patrick Cloke <clokep@users.noreply.github.com>
    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose and clokep committed May 7, 2020
    2181fac
  37. OIDC login: fix sample config templates

    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    02f8dc0
  38. OIDC login: log throughout the process

    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    a6b6bd9
  39. OIDC login: check the validity of the auth method

    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    be7b732
  40. OIDC login: fix dev docs & add Twitch example

    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    c358f72
  41. OIDC login: make the user attribute mapping async

    Also passes the token as parameter of the mapping provider
    
    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    9bd40d1
  42. OIDC login: check for None values in metadata

    This allows simplifying the metadata edit code in tests and leveraging
    unittest.mock.patch.dict
    
    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    eace065
  43. OIDC login: refactor macaroon generation/verification

    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    b3e7b6c
  44. OIDC login: add docstrings to tests

    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    cfa177c
  45. OIDC login: various fixes from PR review

    Signed-off-by: Quentin Gliech <quentin@connecteu.rs>
    sandhose committed May 7, 2020
    0f5b4fd