Another attempt at an OIDC integration#1568
Another attempt at an OIDC integration#1568KJTsanaktsidis wants to merge 7 commits intoNixOS:masterfrom
Conversation
I use Kanidm, which does not have support for custom roles / claims. That makes this approach DOA for me. |
|
What can Kanidm do/what would you expect the role mapping configuration on the Hydra side to look like? |
|
I’ll have a play around with this when I get a chance, but it looks like kanidm can map its groups to custom claims with this mechanism - https://kanidm.github.io/kanidm/stable/integrations/oauth2/custom_claims.html sidebar, but kanidm looks like it might be a lot less painful to integrate into the test/development environment than keycloak so I might try swapping it |
|
for context, my hydra instance with @ners patch use kanidm as well and it looks like this |
|
Hm, OK, so the reason kanidm can't literally just put the inside-hydra role names in a custom claim is because the custom claim values have to match the regex Most of the hydra roles (all except This limitation is probably a bit too strict on the kanidm side IMO - it's been discussed a few times kanidm/kanidm#2641, kanidm/kanidm#2882. I'll go add my two-cents worth into there. And in the meanwhile, I guess, make the hydra side accept e.g. |
KJTsanaktsidis
force-pushed
the
kjtsanaktsidis/oidc
branch
from
49d9980 to
f9f665d
Compare
This will be of use when developing & testing OIDC
The OIDC work needs to cache some information (at least, the JWKS keys) so we don't ask for them over and over again needlessly. An in-process cache is in theory fine, but using Plugin::Cache nicely gives us expiry support which we need too (to catch key revocations).
The login code in doEmailLogin is treating email address & username as the same concept, but it shouldn't be. Allow passing in a username field explicitly to doEmailLogin to set as the user's username column. The templates have also been changed to call a new usernameForDisplay method which will be able to customise the display of the username in circumstances where the username would look stupid (e.g. in the forthcoming OIDC support)
OIDC providers are configured in the config file under <oidc> <provider foobar>. There can be multiple providers, each one will get a menu item in the dropdown to log in with. After login is successful, we validate all the claims and then perform doEmailLogin, creating the user if it did not exist.
KJTsanaktsidis
force-pushed
the
kjtsanaktsidis/oidc
branch
from
f9f665d to
7075f60
Compare
|
OK I gritted my teeth and managed to write an end-to-end test for the OIDC integration (against a temporary Kanidm |
If presented with a "hydra_roles" claim, we will set the user roles to that claim.
KJTsanaktsidis
force-pushed
the
kjtsanaktsidis/oidc
branch
from
7075f60 to
5b86036
Compare
|
Note also the work in the lix fork of hydra: https://git.lix.systems/lix-project/hydra/pulls/73 |
|
Oh interesting
this is probably worth doing here too
this also sounds worth doing (or, at least reimplementing these specia cases in terms of the generic OIDC support) but probably not in a first pass - need to think carefully about the migration strategy to avoid breaking existing deployments |
4 participants
Building on the work of @lheckemann in #1298 & in @ners in https://github.com/ners/hydra/tree/oidc, I took a stab at trying to shape that work up in a way that can get merged.
This implementation:
discovery_url(although you can specifyissuer,authorization_endpoint,token_endpoint, andjwks_urlmanually)hydra_rolesclaim, and, if present, sets roles on the user based on that. I did think about implementing some kind of mapping mechanism, but Keycloak, at least, seems to make it pretty easy to beat the mapping into shape on that side, so perhaps there is no need.I banged my head trying to write some good tests for this, but really what this needs to meaningfully test things are full-system integration tests. I have a working
KeycloakContext.pmon my machine which starts a Keycloak instance in the test framework, but I'm not really sure how to write the kind of browser test that would be needed to go through the login flow. Any suggestions?