feat (Login): Add OIDC login support

Cargo.toml

@@ -15,7 +15,8 @@ google-login = ["third-party-login"]
 github-login = ["third-party-login"]
 gitlab-login = ["third-party-login"]
 microsoft-login = ["third-party-login"]
-all-login = ["google-login", "github-login", "gitlab-login", "microsoft-login"]
+oidc-login = ["third-party-login"]
+all-login = ["google-login", "github-login", "gitlab-login", "microsoft-login", "oidc-login"]
 
 [dev-dependencies]
 dotenvy = "0.15.6"
@@ -38,4 +39,5 @@ serde = { version = "1", features = ["derive"] }
 serde_yaml = "0.9.34-deprecated"
 uuid = { version = "1", features = ["serde", "v4"] }
 tera = { version = "1", optional = true }
-reqwest = { version = "0.12.4", features = ["json", "rustls-tls"], default-features = false, optional = true }
+reqwest = { version = "0.12.4", features = ["json", "rustls-tls"], default-features = false, optional = true }
+tokio = { version = "1.47.1", features = ["sync"] }

README.md

@@ -70,7 +70,7 @@ rtabby-web-api store tabby's configuration in a database. You can choose between
     ```
     Token must be a valid and unique uuid v4. You can create one [here](https://www.uuidgenerator.net/version4).
 
-    rTabby supports OAuth2 providers like Github, Gitlab, Google or Microsoft. You can enable them by adding OAuth client and secret through env var in your `docker-compose.yml`.
+    rTabby supports OAuth2 providers like Github, Gitlab, Google, Microsoft or OpenID Connect (OIDC). You can enable them by adding OAuth client and secret through env var in your `docker-compose.yml`. For OIDC, you'll also need to provide your configuration url (ends with `/.well-known/openid-configuration`).
     OAuth login callback is `/login/{provider}/callback`.
 
     ```yml
@@ -84,6 +84,9 @@ rtabby-web-api store tabby's configuration in a database. You can choose between
       #- GOOGLE_APP_CLIENT_SECRET=
       #- MICROSOFT_APP_CLIENT_ID=
       #- MICROSOFT_APP_CLIENT_SECRET=
+      #- OIDC_APP_CLIENT_ID=
+      #- OIDC_APP_CLIENT_SECRET=
+      #- OIDC_APP_CONFIG_URL=
     ``` 
 
     When using OAuth prividers, browse to `http://<rtabby instance>/login` to authenticate and create your user and token.

docker-compose-sqlite.yml

@@ -32,6 +32,9 @@ services:
       #- GOOGLE_APP_CLIENT_SECRET=
       #- MICROSOFT_APP_CLIENT_ID=
       #- MICROSOFT_APP_CLIENT_SECRET=
+      #- OIDC_APP_CLIENT_ID=
+      #- OIDC_APP_CLIENT_SECRET=
+      #- OIDC_APP_CONFIG_URL=
     volumes:
       - ./config:/config
     networks:

docker-compose.yml

@@ -31,6 +31,9 @@ services:
       #- GOOGLE_APP_CLIENT_SECRET=
       #- MICROSOFT_APP_CLIENT_ID=
       #- MICROSOFT_APP_CLIENT_SECRET=
+      #- OIDC_APP_CLIENT_ID=
+      #- OIDC_APP_CLIENT_SECRET=
+      #- OIDC_APP_CONFIG_URL=
 
     volumes:
       - ./config:/config

src/login/error.rs

@@ -22,6 +22,7 @@ impl fmt::Display for ProviderError {
 pub enum OauthError {
     UserInfo(reqwest::Error),
     AccessToken(reqwest::Error),
+    OIDCConfiguration(reqwest::Error),
 }
 
 impl error::Error for OauthError {}
@@ -32,7 +33,8 @@ impl fmt::Display for OauthError {
             Self::UserInfo(ref err) => write!(f, "Unable to retreive OAuth user info: {err}"),
             Self::AccessToken(ref err) => {
                 write!(f, "Unable to retreive OAuth user access token: {err}")
-            }
+            },
+            Self::OIDCConfiguration(ref  err) => write!(f, "Unable to retreive OIDC configuration: {err}")
         }
     }
 }

src/login/mod.rs

@@ -18,6 +18,8 @@ use providers::gitlab;
 use providers::google;
 #[cfg(feature = "microsoft-login")]
 use providers::microsoft;
+#[cfg(feature = "oidc-login")]
+use providers::oidc;
 
 use self::providers::OauthInfo;
 
@@ -94,6 +96,16 @@ pub fn get_provider_config() -> ProvidersConfig {
         }));
     }
 
+    #[cfg(feature = "oidc-login")]
+    if app_env::var(oidc::env::ENV_OIDC_APP_CLIENT_ID).is_ok()
+        && app_env::var(oidc::env::ENV_OIDC_APP_CLIENT_SECRET).is_ok()
+    {
+        available_providers.push(providers::Provider::Oidc(OauthInfo {
+            client_id: app_env::var(oidc::env::ENV_OIDC_APP_CLIENT_ID).unwrap(),
+            client_secret: app_env::var(oidc::env::ENV_OIDC_APP_CLIENT_SECRET).unwrap(),
+        }));
+    }
+
     ProvidersConfig {
         https_callback,
         available_providers,

src/login/providers/mod.rs

@@ -6,6 +6,8 @@ pub mod gitlab;
 pub mod google;
 #[cfg(feature = "microsoft-login")]
 pub mod microsoft;
+#[cfg(feature = "oidc-login")]
+pub mod oidc;
 
 use super::error::OauthError;
 use serde::{Deserialize, Serialize};
@@ -22,6 +24,7 @@ pub struct OauthInfo {
 
 #[derive(Debug, Deserialize)]
 pub struct OauthUserInfo<I = String, N = String> {
+    #[serde(rename = "sub")] // "id" is called "sub" in the OIDC speficication
     id: I,
     name: N,
 }
@@ -52,6 +55,8 @@ pub enum Provider {
     Google(OauthInfo),
     #[cfg(feature = "microsoft-login")]
     Microsoft(OauthInfo),
+    #[cfg(feature = "oidc-login")]
+    Oidc(OauthInfo),
 }
 
 impl Provider {
@@ -69,6 +74,8 @@ impl Provider {
             Self::Google(oauth) => oauth.clone(),
             #[cfg(feature = "microsoft-login")]
             Self::Microsoft(oauth) => oauth.clone(),
+            #[cfg(feature = "oidc-login")]
+            Self::Oidc(oauth) => oauth.clone(),
         }
     }
 
@@ -108,15 +115,25 @@ impl Provider {
             Self::Microsoft(_) => {
                 params.push(("scope", "https://graph.microsoft.com/User.Read".to_string()));
             }
+            #[cfg(feature = "oidc-login")]
+            Self::Oidc(_) => {
+                params.push(("scope", "profile openid".to_string()));
+            }
             #[cfg(feature = "github-login")]
             _ => {}
         }
 
         params
     }
 
-    pub fn get_login_url(&self, scheme: Scheme, host: String, state: String) -> String {
+    pub async fn get_login_url(
+        &self,
+        scheme: Scheme,
+        host: String,
+        state: String,
+    ) -> Result<String, OauthError> {
         let params = self.get_login_url_params(scheme, host, state);
+        let oidc_config = oidc::get_oidc_config().await?;
 
         let oauth_url = match self {
             #[cfg(feature = "github-login")]
@@ -127,11 +144,15 @@ impl Provider {
             Self::Google(_) => google::GOOGLE_OAUTH_AUTHORIZE_URL,
             #[cfg(feature = "microsoft-login")]
             Self::Microsoft(_) => microsoft::MICROSOFT_OAUTH_AUTHORIZE_URL,
+            #[cfg(feature = "oidc-login")]
+            Self::Oidc(_) => &oidc_config.authorization_endpoint,
         };
 
-        reqwest::Url::parse_with_params(oauth_url, params)
+        let url = reqwest::Url::parse_with_params(oauth_url, params)
             .unwrap()
-            .to_string()
+            .to_string();
+
+        Ok(url.to_string())
     }
 
     #[allow(unused_variables)]
@@ -152,6 +173,8 @@ impl Provider {
             Self::Microsoft(oauth) => microsoft::user_info(scheme, oauth, host, token)
                 .await?
                 .into(),
+            #[cfg(feature = "oidc-login")]
+            Self::Oidc(oauth) => oidc::user_info(scheme, oauth, host, token).await?.into(),
         };
 
         Ok(ThirdPartyUserInfo {
@@ -182,6 +205,8 @@ impl fmt::Display for Provider {
             Self::Google(_) => write!(f, "Google"),
             #[cfg(feature = "microsoft-login")]
             Self::Microsoft(_) => write!(f, "Microsoft"),
+            #[cfg(feature = "oidc-login")]
+            Self::Oidc(_) => write!(f, "OIDC"),
         }
     }
 }