server: refactor: introduce AuthUser interface#838
Note that there seems to be an issue with formatting in this project... I'm using VS Code along with its Java extension to develop and it often feels like reorganizing or cleaning up imports. I'd be in favor of keeping the cleanup as part of these changes. It would be good to look into making auto-formatting part of the build step, maybe as a Gradle plugin of some kind?
server/src/main/java/org/eclipse/openvsx/security/DefaultAuthUser.java
Rebased my branch.
server/src/main/java/org/eclipse/openvsx/security/AuthUserFactory.java
@HeikoBoettger Can you share which additional identity provider you were able to implement using this PR?
@amvanbaren Somehow I lost my comment. The PR didn't help completely; what is missing is basically a mapping of the login attribute. One could add a GitLab-specific mapping to the code; what I did based on this merge request was adding a completely new generic provider type which uses additional settings from the application.yaml file, defining for the web interface what provider to use for the login link and how to map the login (supporting mapping any of the attributes in the AuthUserFactory). If the code could be changed to use spring.security.oauth2.client.provider.[providerId].user-name-attribute / providerDetails.userInfoEndpoint.userNameAttributeName as described in https://docs.spring.io/spring-security/reference/servlet/oauth2/login/core.html#oauth2login-sample-application-config. Instead of login I could abuse the GitHub provider entry. To fully support other providers the UI would require a change to select the login method, and the AuthToken inside the UserData class needs to contain a map from provider to token: Or the code gets simplified to just store an AuthToken for one provider at a time. I don't know why there are two fields in the UserData when there is only one provider String.
@paul-marechal Is it possible to rebase this branch onto the latest master?
Ok so I initially didn't want to bother implementing the configuration of attributes because it adds a decent amount of complexity... I changed my mind figuring it might make someone else's life easier. The configuration may look like this:

```yaml
ovsx:
  auth:
    attribute-names:
      gitlab:
        avatar-url: awdawd
        email: awdawd
        full-name: awdawd
        login-name: awdawd
        provider-url: awdawd
```

We don't need to define mappings for
@paul-marechal Thanks for providing the configuration. I'll try to configure Google OAuth using this PR.
I want to apologize for forgetting to transpose code to handle Second, there's still a need to manually edit the webui code to change the OAuth2 authorization endpoint used from This PR is slowly growing bigger than what we required on our fork, so I hope this will help.
Yes, the login URL is hardcoded in the webui:

openvsx/webui/src/extension-registry-service.ts, lines 27 to 29 in 0f5315d

The

openvsx/server/src/main/java/org/eclipse/openvsx/UserAPI.java, lines 72 to 77 in 0f5315d
I implemented the dynamic redirection based on a server configuration, I didn't encounter a CORS error?

```yaml
ovsx:
  auth:
    provider: azure
```

openvsx/server/src/main/java/org/eclipse/openvsx/UserAPI.java, lines 75 to 80 in 1abe659
Using the latest commit I can now assert that no more code changes are required to configure a custom provider (following our use cases), as I was able to completely configure authentication to Azure using only the server Spring config. I initially forgot to include a few modifications...
@paul-marechal Just to give some early feedback: I compared your changes with the modifications I did on my local branch that I was thinking of contributing, and it's more or less the same. One thing I wonder is, do you use the githubToken to store the token in the database (UserData)? The TokenService also contains a switch block with the providers.
I didn't find it required to store anything in
server/src/main/java/org/eclipse/openvsx/security/OAuth2UserServices.java
Not sure whether I did something wrong, but I get an error message: "Missing configuration: ovsx.auth.attribute-names.gitlab".
@paul-marechal First of all thank you for this awesome work.
I used the following values for gitlab:

```yaml
ovsx:
  auth:
    attribute-names:
      gitlab:
        avatar-url: avatar_url
        email: email
        full-name: name
        login-name: username
```

I don't know what to set for the For
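As an added example (my own sketch, not code from eclipse/openvsx or from this PR), the following Java shows the mapping idea the thread converges on: a provider-neutral AuthUser built from raw userinfo attributes through per-provider attribute names, using the GitLab names posted above. The type names (AuthUser, AuthUserFactory, AttributeNames), the config key shapes and the sample payloads are assumptions constructed for illustration; the real classes in the PR differ. It also shows the two failure modes worth handling: a provider with no attribute-names entry (the "Missing configuration" error reported in this thread), and a provider that answers without the configured login attribute.

```java
// Added example (not code from eclipse/openvsx): how a provider-neutral AuthUser
// can be built from raw OAuth2 userinfo attributes using per-provider attribute
// names, the mapping this PR configures. All type and key names here are
// illustrative assumptions, not the project's actual identifiers.
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

public final class AuthUserMappingExample {

    /** Provider-neutral view of the logged-in user. */
    public interface AuthUser {
        String providerId();
        String loginName();
        String fullName();
        String email();
        String avatarUrl();
        String providerUrl();
    }

    /** Record components double as the AuthUser accessors. */
    public record MappedAuthUser(String providerId, String loginName, String fullName,
                                 String email, String avatarUrl, String providerUrl)
            implements AuthUser {}

    /** Attribute names configured for one provider (attribute-names.<provider>.*). */
    public record AttributeNames(String loginName, String fullName, String email,
                                 String avatarUrl, String providerUrl) {
        static AttributeNames fromConfig(String providerId, Map<String, String> cfg) {
            // login-name becomes the account identity, so it is the one attribute
            // we refuse to start without; the others may be absent (mapped to null).
            String login = cfg.get("login-name");
            if (login == null || login.isBlank()) {
                throw new IllegalStateException(
                        "Missing configuration: attribute-names." + providerId + ".login-name");
            }
            return new AttributeNames(login, cfg.get("full-name"), cfg.get("email"),
                    cfg.get("avatar-url"), cfg.get("provider-url"));
        }
    }

    /** Turns userinfo maps into AuthUser instances according to the configured names. */
    public static final class AuthUserFactory {
        private final Map<String, AttributeNames> byProvider = new HashMap<>();

        public AuthUserFactory(Map<String, Map<String, String>> attributeConfig) {
            attributeConfig.forEach((id, cfg) -> byProvider.put(id, AttributeNames.fromConfig(id, cfg)));
        }

        public AuthUser create(String providerId, Map<String, Object> userInfo) {
            AttributeNames names = byProvider.get(providerId);
            if (names == null) {
                // Same failure mode the thread reports for an unconfigured provider.
                throw new IllegalStateException("Missing configuration: attribute-names." + providerId);
            }
            String login = read(userInfo, names.loginName());
            if (login == null || login.isBlank()) {
                // The provider answered, but not under the attribute we were told to use.
                throw new IllegalStateException("Provider '" + providerId
                        + "' returned no value for login attribute '" + names.loginName() + "'");
            }
            return new MappedAuthUser(providerId, login,
                    read(userInfo, names.fullName()), read(userInfo, names.email()),
                    read(userInfo, names.avatarUrl()), read(userInfo, names.providerUrl()));
        }

        /** Reads one attribute by its configured name; unconfigured names yield null. */
        private static String read(Map<String, Object> userInfo, String key) {
            if (key == null || key.isBlank()) {
                return null;
            }
            Object value = userInfo.get(key);
            return value == null ? null : value.toString();
        }
    }

    public static void main(String[] args) {
        // Constructed configuration: GitLab names from this thread, GitHub names for contrast.
        Map<String, Map<String, String>> config = new LinkedHashMap<>();
        config.put("gitlab", Map.of("login-name", "username", "full-name", "name",
                "email", "email", "avatar-url", "avatar_url"));
        config.put("github", Map.of("login-name", "login", "full-name", "name",
                "email", "email", "avatar-url", "avatar_url", "provider-url", "html_url"));
        AuthUserFactory factory = new AuthUserFactory(config);

        // Constructed userinfo payloads, shaped like GitLab's /api/v4/user and GitHub's /user.
        Map<String, Object> gitlabUser = Map.of("id", 42, "username", "jdoe", "name", "Jane Doe",
                "email", "jane@example.org", "avatar_url", "https://gitlab.example/u/jdoe.png");
        Map<String, Object> githubUser = Map.of("id", 7, "login", "jdoe",
                "name", "Jane Doe", "html_url", "https://github.com/jdoe");

        System.out.println(factory.create("gitlab", gitlabUser));
        System.out.println(factory.create("github", githubUser));
        try {
            factory.create("azure", gitlabUser); // no attribute-names.azure configured
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The point of keeping the names in configuration rather than in a per-provider switch is that a new IdP (GitLab, Entra, Google) only needs four or five YAML lines; the factory itself never learns provider specifics. Note that the Spring `user-name-attribute` (the `id` in nfogh's config below) only tells Spring which attribute is the principal name; the mapping above is what decides which attribute becomes the OpenVSX login name.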
I noticed that there's another PR opened which allows authenticating users without OAuth2, so I renamed the configuration I introduced from I also updated the main PR description with a configuration example I took from @HeikoBoettger-KarlStorz :)
@amvanbaren Anything still missing to get this released? I can confirm this is working with both Microsoft Entra/Azure SSO (using a corporate tenant) and GitLab.
I think this feature is ready to go.
@amvanbaren Yes, I will test it tomorrow morning.
@amvanbaren Do you have some more information on what has changed regarding the /login endpoint? I see that there was a change to /login-providers, but that endpoint now says that there are no login providers.
@HeikoBoettger-KarlStorz The

openvsx/server/src/main/java/org/eclipse/openvsx/UserService.java, lines 326 to 336 in f9771a7
I used in the generate-properties.sh for testing, but the gitlab config isn't read into the attributeConfigs: Any guess what I am doing wrong?
Missed the
@amvanbaren Is there a description somewhere about testing the OAuth2 stuff? For OAuth2 the server needs to be reached by the same hostname and port during the whole login process, otherwise the session cookie isn't working. I didn't have the x-forwarded-host and x-forwarded-proto headers set correctly in the reverse proxy of my local install. I am not sure why this suddenly turned out to be an issue with my test setup. I can confirm the login with GitLab still works.
@amvanbaren Is the usage of the x-forwarded headers something new? I found an explicit comment in my code that setting the headers didn't have any effect, and now it does. I can confirm the Microsoft login is working as well.
@amvanbaren I haven't tried with multiple providers at once due to other tasks on my end. If needed I will do so as well. Please let me know.
Hi. I'm trying to get this branch to work for a local deployment (very excited about it - thanks for the work). But I'm getting an error when launching the server:

```
org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'extensionService' defined in file [/app/build/classes/java/main/org/eclipse/openvsx/ExtensionService.class]: Unsatisfied dependency expressed through constructor parameter 3: Error creating bean with name 'publishExtensionVersionHandler' defined in file [/app/build/classes/java/main/org/eclipse/openvsx/publish/PublishExtensionVersionHandler.class]: Unsatisfied dependency expressed through constructor parameter 5: Error creating bean with name 'userService' defined in file [/app/build/classes/java/main/org/eclipse/openvsx/UserService.class]: Unsatisfied dependency expressed through constructor parameter 5: Error creating bean with name 'clientRegistrationRepository' defined in class path resource [org/springframework/boot/autoconfigure/security/oauth2/client/servlet/OAuth2ClientRegistrationRepositoryConfiguration.class]: Failed to instantiate [org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository]: Factory method 'clientRegistrationRepository' threw exception with message: authorizationGrantType cannot be null
```

I'm using the docker-compose file to start:

```
docker-compose --profile debug --profile openvsx up
```

Any idea what I am missing? I have set authorization-grant-type in my application.yml file:

```yaml
spring:
  security:
    oauth2:
      client:
        registration:
          gitlab:
            client-id: [redacted]
            client-secret: [redacted]
            authorization-grant-type: authorization_code
            redirect-uri: http://[webui-host]:3000/login/oauth2/code/gitlab
            scope: read_user
            clientName: OpenVSX
        provider:
          gitlab:
            authorization-uri: https://[gitlab-host]/oauth/authorize
            token-uri: https://[gitlab-host]/oauth/token
            user-info-uri: https://[gitlab-host]/api/v4/user
            jwk-set-uri: https://[gitlab-host]/oauth/discovery/keys
            user-name-attribute: id
  oauth2:
    provider: gitlab
    attribute-names:
      gitlab:
        avatar-url: avatar_url
        email: email
        full-name: name
        login-name: username
        provider-url: ''
```
@HeikoBoettger-KarlStorz No, that's ok. The only difference for multiple providers is that it shows a dialog with login buttons in the webui.
- Replace the references to `OAuth2User` by `AuthUser`. This allows downstream extenders to more easily contribute alternative OAuth2 providers: If the expected data is stored in different attributes it will be possible to bridge it by implementing the proper `AuthUser`.
- Introduce a configuration to define attribute names to use when mapping attributes from an auth provider.
- Allow configuring the auth for arbitrary providers (other than github).
- Add support for multiple login providers in webui

Co-authored-by: amvanbaren <aart.vanbaren@eclipse-foundation.org>
@amvanbaren Thank you for merging and bringing this into the master.
Hi Nikolaj,
I saw that there wasn't yet an answer. Unless you just missed copying the right parts, the second part doesn't work when put under spring; it must be under ovsx. Otherwise the question is whether you have actually changed the scripts/generate-properties.sh script or the compose file, because as far as I know that would generate and overwrite the application properties file to be used on every start.
Since this is merged now, have you checked with the latest release?
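As an added illustration of the placement Heiko describes (my own fragment, not the PR's documentation): the Spring client registration stays under `spring.security.oauth2.client` exactly as nfogh posted it, while the OpenVSX attribute mapping has to hang off the top-level `ovsx` node. The `ovsx.oauth2` parent key is my reading of the thread (the PR renamed `ovsx.auth`, and the posted fragment uses `oauth2` with `provider` and `attribute-names` beneath it); check the merged project's application.yml for the exact key before copying.

```yaml
# Added example config, not taken from the PR. Only the OpenVSX-specific part is
# shown; the spring.security.oauth2.client registration/provider block is the
# same in both variants and omitted. Parent key ovsx.oauth2 is an assumption
# read from the thread.
#
# Misplaced: the OpenVSX keys nested under spring, where nothing binds them, so
# the GitLab attribute mapping is never loaded and login cannot be mapped.
spring:
  oauth2:
    provider: gitlab
    attribute-names:
      gitlab:
        login-name: username
---
# Corrected: the same keys under the top-level ovsx node.
ovsx:
  oauth2:
    provider: gitlab
    attribute-names:
      gitlab:
        avatar-url: avatar_url
        email: email
        full-name: name
        login-name: username
```

Two things are worth checking when a mapping appears to be ignored: that the keys sit under the node the server actually binds, and that no start-up script (here scripts/generate-properties.sh) regenerates the properties file and silently drops the hand-edited section.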
Hi, I tried with the latest release, and it works great there. It might have had something to do with the scripts you refer to. Thanks for following up on my message. Since the MR was closed, I didn't think anyone was paying attention :)
Replace the references to `OAuth2User` by `AuthUser`. This allows downstream extenders to more easily contribute alternative OAuth2 providers: If the expected data is stored in different attributes it will be possible to bridge it by implementing the proper `AuthUser`.

New configuration example: