Collaborator

@lovasoa lovasoa commented Apr 21, 2025

WIP.

Add support for single sign-on through OIDC

lovasoa added 30 commits April 22, 2025 01:24
- Add `host` configuration option for specifying the application's web address in configuration.md and app_config.rs.
- Update docker-compose.yaml to include SQLPAGE_HOST and SQLPAGE_OIDC_ISSUER_URL environment variables.
- Enhance OIDC middleware to utilize the new `host` setting for redirect URLs and improve cookie handling in oidc.rs.
- Extracted logic for handling unauthenticated requests into a separate method `handle_unauthenticated_request`.
- Updated the main request handling flow to utilize the new method for improved readability and maintainability.
- Introduced `handle_oidc_callback` method to manage OIDC callback requests.
- Added `process_oidc_callback` and `exchange_code_for_token` methods for token exchange logic.
- Updated `handle_unauthenticated_request` to check for callback URL and redirect accordingly.
- Refactored `build_redirect_response` to improve clarity in response handling.
- Updated `get_sqlpage_auth_cookie` to return a result for better error handling and validation of the SQLPage auth cookie.
- Improved logging throughout the OIDC service for better traceability of requests and responses.
- Adjusted the handling of OIDC callback parameters to include context in error messages.
- Added state cookie handling to maintain the initial URL during OIDC authentication.
- Refactored `build_auth_url` to accept the initial URL as a parameter.
- Enhanced `process_oidc_callback` to retrieve the state from the cookie and redirect accordingly.
- Improved error logging for invalid auth cookies and ID token verification.
- Introduced nonce verification logic to ensure security during OIDC authentication.
- Adjusted parameters for nonce hashing to optimize for short-lived tokens.
- Updated logging statements for better clarity and context.
- Refactored code for nonce verification and error handling.
- Enhanced documentation in `app_config.rs` for clarity on `https_domain` usage.
- Added context to OIDC client creation error handling.
- Updated HTTP request and response types for better integration with the openidconnect library.
- Introduced AwcWrapperError for improved error management in HTTP calls.
- Changed http_client from Arc to Rc in OidcService for improved memory efficiency.
- Updated related code to reflect the new ownership model for the HTTP client.
lovasoa added 5 commits April 30, 2025 01:45
- Added OidcState struct to encapsulate OIDC configuration and client.
- Refactored OidcMiddleware to utilize OidcState for improved state management.
- Updated HTTP client handling in OIDC service methods for better integration with app data.
- Enhanced logging for OIDC middleware initialization and request processing.
- Updated SQLPage authentication component documentation for clarity on usage and options.
- Removed deprecated login and redirect handler scripts to streamline the SSO implementation.
- Enhanced logout functionality to properly clear session cookies and redirect users.
- Improved request handling to include OIDC claims in the request context for better user information retrieval.
@lovasoa lovasoa marked this pull request as ready for review May 5, 2025 15:58
@lovasoa lovasoa merged commit adcbaa6 into main May 5, 2025
10 checks passed
@lovasoa lovasoa deleted the oidc branch May 5, 2025 15:59