GitTimeraider
diff --git a/‎OIDC_IMPLEMENTATION.md‎
Lines changed: 161 additions & 0 deletions b/‎OIDC_IMPLEMENTATION.md‎
Lines changed: 161 additions & 0 deletions
diff --git a/‎OIDC_QUICK_REFERENCE.md‎
Lines changed: 122 additions & 0 deletions b/‎OIDC_QUICK_REFERENCE.md‎
Lines changed: 122 additions & 0 deletions
@@ -0,0 +1,161 @@
+# OIDC Implementation Summary
+
+This document summarizes the OIDC authentication implementation for the Subscription Tracker application.
+
+## Files Modified
+
+### 1. **app/models.py**
+- Added `OIDCSettings` model to store OIDC configuration:
+  - `display_name`: Name shown on the login button
+  - `client_id`: OAuth2 client ID
+  - `client_secret`: OAuth2 client secret
+  - `discovery_endpoint`: OIDC discovery URL
+  - `user_mapping_field`: Field to use for user matching (username, email, or custom)
+  - `custom_attribute`: Custom OIDC claim name (if custom mapping selected)
+  - `is_enabled`: Enable/disable OIDC (also controlled by environment variable)
+
+### 2. **app/forms.py**
+- Added `OIDCSettingsForm` with validation for:
+  - Display name
+  - Client credentials
+  - Discovery endpoint URL format
+  - User mapping configuration
+  - Custom attribute requirement when using custom mapping
+
+### 3. **app/routes.py**
+- Updated imports to include `OIDCSettings` model and `OIDCSettingsForm`
+- Modified `login()` route to:
+  - Check if OIDC is enabled via environment variable
+  - Show OIDC login button when enabled
+  - Hide normal login form when OIDC is active
+  - Pass OIDC configuration to template
+- Added `oidc_settings()` route for admin configuration page
+- Added `oidc_login()` route to initiate OIDC authentication flow
+- Added `oidc_callback()` route to handle OIDC authentication callback with user mapping
+
+### 4. **app/__init__.py**
+- Added Migration 4 to `migrate_database()` function:
+  - Automatically creates `oidc_settings` table on startup
+  - Supports PostgreSQL, MySQL, and SQLite
+
+### 5. **app/templates/login.html**
+- Added conditional rendering:
+  - Shows "Login with {OIDC_NAME}" button when OIDC is enabled
+  - Shows normal username/password form when OIDC is disabled
+  - Displays informational message when using OIDC
+
+### 6. **app/templates/oidc_settings.html** (New File)
+- Admin-only OIDC configuration page
+- Form fields for all OIDC settings
+- JavaScript to show/hide custom attribute field
+- Displays callback URL for configuring in IdP
+- Informational alerts about OIDC behavior
+
+### 7. **app/templates/base.html**
+- Added "OIDC Settings" link to Settings dropdown menu (admin only)
+
+### 8. **config.py**
+- Added `OIDC_ENABLED` configuration option that reads from environment variable
+- Defaults to `false` if not set
+
+### 9. **requirements.txt**
+- Added `Authlib==1.3.2` for OIDC/OAuth2 support
+
+### 10. **docker-compose.yml**
+- Added `OIDC_ENABLED` environment variable (defaults to `false`)
+
+### 11. **docker-compose.security.yml**
+- Added `OIDC_ENABLED` environment variable (defaults to `false`)
+
+### 12. **OIDC_SETUP.md** (New File)
+- Comprehensive documentation for OIDC setup
+- Configuration steps
+- User mapping explanation
+- Troubleshooting guide
+- Examples for Keycloak and Azure AD
+
+## How It Works
+
+### 1. Configuration Flow
+1. Admin logs in with normal credentials (OIDC disabled)
+2. Admin navigates to Settings > OIDC Settings
+3. Admin configures:
+   - Display name for the login button
+   - Client ID and secret from IdP
+   - Discovery endpoint URL
+   - User mapping strategy
+4. Admin notes the callback URL to configure in IdP
+5. Admin sets `OIDC_ENABLED=true` in environment
+6. Application restarts with OIDC enabled
+
+### 2. Authentication Flow (OIDC Enabled)
+1. User visits login page
+2. Instead of username/password form, sees "Login with {OIDC_NAME}" button
+3. User clicks button → redirected to IdP
+4. User authenticates at IdP
+5. IdP redirects back to `/auth/callback` with authorization code
+6. Application exchanges code for tokens
+7. Application extracts user info from ID token
+8. Application matches user based on configured mapping field:
+   - Username: Match `preferred_username` or `username` claim against `username` in DB
+   - Email: Match `email` claim against `email` in DB
+   - Custom: Match custom claim against both `username` and `email` in DB
+9. If match found → user logged in successfully
+10. If no match → login denied with error message
+
+### 3. User Mapping Logic
+- **No automatic user creation** - users must exist in database
+- **Exact matching required** - claim must exactly match database field
+- **Security by design** - unknown users cannot gain access
+- **Flexible mapping** - supports username, email, or custom attributes
+
+## Environment Variables
+
+### OIDC_ENABLED
+- **Type**: Boolean
+- **Default**: `false`
+- **Values**: `true`, `1`, `yes` (case-insensitive) = enabled; anything else = disabled
+- **Effect**: 
+  - When `true`: Disables normal login, shows OIDC button
+  - When `false`: Normal username/password login
+
+## Security Features
+
+1. **Admin-only configuration** - Only admin users can configure OIDC
+2. **No automatic provisioning** - Users must exist before OIDC login
+3. **Failed login stops** - Unknown users are denied access immediately
+4. **Client secret protection** - Stored securely in database
+5. **Session management** - Uses Flask session for state management
+6. **CSRF protection** - Standard Flask-WTF CSRF protection on forms
+
+## Testing Checklist
+
+- [ ] OIDC settings page accessible by admin
+- [ ] Non-admin users cannot access OIDC settings
+- [ ] OIDC configuration saves successfully
+- [ ] Callback URL displays correctly
+- [ ] Login page shows OIDC button when `OIDC_ENABLED=true`
+- [ ] Login page shows normal form when `OIDC_ENABLED=false`
+- [ ] OIDC login redirects to IdP
+- [ ] OIDC callback handles successful authentication
+- [ ] User mapping works correctly (username/email/custom)
+- [ ] Unknown users are denied access
+- [ ] Database migration creates `oidc_settings` table
+- [ ] Application works normally with OIDC disabled
+
+## Future Enhancements (Not Implemented)
+
+- Automatic user provisioning from OIDC claims
+- Role mapping from OIDC groups
+- Multiple OIDC providers
+- Just-in-time user attribute updates
+- SSO session management
+- SAML support
+
+## Compatibility
+
+- **Python**: 3.8+
+- **Flask**: 3.0+
+- **Authlib**: 1.3.2+
+- **Databases**: SQLite, PostgreSQL, MySQL/MariaDB
+- **OIDC Providers**: Any standards-compliant OIDC provider
@@ -0,0 +1,122 @@
+# OIDC Quick Reference
+
+## Environment Variable
+
+```bash
+# Enable OIDC authentication (disables normal login)
+OIDC_ENABLED=true
+
+# Disable OIDC authentication (enables normal login)
+OIDC_ENABLED=false
+```
+
+## Configuration Page
+
+**URL**: Settings > OIDC Settings (Admin only)
+
+**Required Fields**:
+- Display Name (appears on login button)
+- Client ID
+- Client Secret
+- Discovery Endpoint URL
+
+**User Mapping Options**:
+- `username` - Match OIDC username/preferred_username claim
+- `email` - Match OIDC email claim
+- `custom` - Match a custom OIDC claim (must specify claim name)
+
+## Callback URL
+
+Configure this in your Identity Provider:
+```
+https://your-domain.com/auth/callback
+```
+
+## Login Behavior
+
+| OIDC_ENABLED | Login Page Shows |
+|--------------|------------------|
+| `true` | "Login with {OIDC_NAME}" button only |
+| `false` | Username/Password form only |
+
+## User Matching Rules
+
+1. OIDC claim value extracted from token
+2. Search database for matching user:
+   - Username mapping: Check `User.username` field
+   - Email mapping: Check `User.email` field
+   - Custom mapping: Check both `User.username` and `User.email` fields
+3. If match found: Login successful
+4. If no match: Login denied (no auto-provisioning)
+
+## Common OIDC Providers
+
+### Keycloak
+```
+Discovery: https://keycloak.example.com/realms/{realm}/.well-known/openid-configuration
+Mapping: email or username
+```
+
+### Azure AD / Entra ID
+```
+Discovery: https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration
+Mapping: email
+```
+
+### Google Workspace
+```
+Discovery: https://accounts.google.com/.well-known/openid-configuration
+Mapping: email
+```
+
+### Okta
+```
+Discovery: https://{your-okta-domain}/oauth2/default/.well-known/openid-configuration
+Mapping: email or username
+```
+
+## Emergency Access
+
+If OIDC is misconfigured:
+
+1. Set `OIDC_ENABLED=false`
+2. Restart container: `docker-compose restart`
+3. Login with username/password
+4. Fix OIDC configuration
+5. Re-enable OIDC
+
+## Troubleshooting Commands
+
+```bash
+# View application logs
+docker-compose logs -f web
+
+# Restart with OIDC disabled
+OIDC_ENABLED=false docker-compose restart
+
+# Check OIDC discovery endpoint
+curl https://your-idp.com/.well-known/openid-configuration
+```
+
+## Important Notes
+
+⚠️ **Users must exist in database before OIDC login**
+⚠️ **Match field (username/email) must be populated in database**
+⚠️ **Normal login disabled when OIDC_ENABLED=true**
+⚠️ **Keep a backup admin account accessible**
+
+## Quick Setup Steps
+
+1. Configure OIDC settings in app (with OIDC_ENABLED=false)
+2. Add callback URL to IdP
+3. Test with OIDC_ENABLED=false first
+4. Set OIDC_ENABLED=true
+5. Restart container
+6. Test login
+
+## Files Reference
+
+- Configuration Page: `app/templates/oidc_settings.html`
+- Routes: `app/routes.py` (oidc_login, oidc_callback, oidc_settings)
+- Model: `app/models.py` (OIDCSettings)
+- Full Guide: `OIDC_SETUP.md`