Skip to content
/ kvmd Public

Custom auth flow support and OAuth2/OIDC plugin #194

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
intelfx wants to merge 16 commits into
base: master
Choose a base branch
from
Open

Custom auth flow support and OAuth2/OIDC plugin #194

intelfx wants to merge 16 commits into from

Conversation

@intelfx
Copy link
Member

@intelfx intelfx commented Jun 17, 2025
edited
Loading

Preliminary implementation of a pluggable authentication flow architecture, with the OAuth/OAuth2 backend as the first user thereof.

Credits: #156

This implementation accepts configuration under the kvmd.auth.flows.oauth key, as follows:

kvmd:
  auth:
    flows:
      oauth:
        enabled: true
        providers:
          github:
            type: oauth2
            client_id: myclient
            client_secret: mysecret123
            access_token_url: https://github.com/login/oauth/access_token
            authorize_url: https://github.com/login/oauth/authorize
            base_url: https://github.com/
            user_info_url: https://api.github.com/user
            short_name: GitHub
            long_name: GitHub
            scope: openid user
            username_attribute: email
          keycloak:
            type: oauth2
            client_id: client2
            client_secret: str
            access_token_url: https://sso.keycloak.my.tld/realms/master/protocol/openid-connect/token
            authorize_url: https://sso.keycloak.my.tld/realms/master/protocol/openid-connect/auth
            base_url: https://sso.keycloak.my.tld/
            user: https://sso.keycloak.my.tld/realms/master/protocol/openid-connect/
            short_name: Keycloak
            long_name: My Keycloak
            scope: openid profile
            username_attribute: sub

UI-wise, each provider corresponds to a separate button on the login page which triggers the corresponding auth flow.

API-wise, the new APIs are located under /api/auth/flow/oauth/{key}. The name of a section under kvmd.auth.flows.oauth.providers (e.g., github or microsoft) is an arbitrary URL-safe string, and it is used as the {key} in the base URL above.

The callback URL will be {pi-kvm}/api/auth/flow/oauth/{key}/callback. You will have to whitelist that URL in the OAuth authorization server in use.

@mdevaev mdevaev mentioned this pull request Jun 29, 2025
Closed
@intelfx intelfx marked this pull request as ready for review November 13, 2025 12:00
@intelfx intelfx force-pushed the work/oauth branch 6 times, most recently from b25f491 to af1ed06 Compare November 13, 2025 13:39
@intelfx intelfx changed the title Draft: OAuth OAuth Manager and OAuth2/OpenID connect Plugin (from #156) Custom auth flow support and OAuth2/OIDC plugin Nov 13, 2025
intelfx added 16 commits November 20, 2025 23:44
@intelfx
yamlconf: add dynamic key marker
5a86402 
Add a sentinel marker `yamlconf.Dynamic()` that can be used as a schema
key to signal a schema applying to an arbitrary number of keys at this
level.
@intelfx
yamlconf: factor out validation of one key
92bce1e
@intelfx
yamlconf: make make_full_* helpers variadic (0 or 1 args expected)
a397ad3
@intelfx
yamlconf: support validating "dynamic" keys
f76e014 
If the schema definition at a given level has a `Dynamic` marker key,
validate every key that is not otherwise present in the schema against
the definition of that key.

Further down the line, we can make unexpected extra keys illegal,
but for that we need to sanitize a;; existing uses of dynamic content.
@intelfx
htserver: extract routing-specific stubs into HttpRouterBase
7f57a28
@intelfx
kvmd.router: add HttpRouter class as a standalone / nested request ro…
6dae5a9 
…uter
@intelfx
kvmd.router: accept subpath=None for no URL rewriting in nested dis…
249ce18 
…patch
@intelfx
kvmd.auth: AuthManager: add support for external auth flow plugins
7903340
@intelfx
kvmd.api.auth: AuthApi: add generic API for external auth flow plugins
2568d68
@intelfx
kvmd.api.auth: do not rewrite URL in /api/auth/flow/... nested disp…
65688fa 
…atch
@intelfx
schema: add kvmd.auth.flows with dynamic content for additional aut…
3aad991 
…h flows
@intelfx
plugins.flows: add infrastructure for custom auth flows
9a5fa80
@intelfx
plugins.flows.oauth: add OAuth login flow and API extension
7dea722
@intelfx
plugins.oauth: add infrastructure for OAuth providers (for plugins.fl…
0efcfd7 
…ows.oauth)
@intelfx
plugins.oauth.oauth2: add OAuth2 provider
2c07e8a
@intelfx
web: add basic UI for OAuth
81801b1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@intelfx