feat: custom oauth2 provider

README.md

@@ -2,7 +2,7 @@
 
 Remark42 is a self-hosted, lightweight and simple (yet functional) comment engine, which doesn't spy on users. It can be embedded into blogs, articles, or any other place where readers add comments.
 
-* Social login via Google, Facebook, Microsoft, GitHub, Apple, Yandex, Patreon, Discord and Telegram
+* Social login via Google, Facebook, Microsoft, GitHub, Apple, Yandex, Patreon, Discord, Telegram and custom OAuth2 providers
 * Login via email
 * Optional anonymous access
 * Multi-level nested comments with both tree and plain presentations

backend/app/cmd/server.go

@@ -2,6 +2,7 @@ package cmd
 
 import (
 	"context"
+	"crypto/sha1" //nolint:gosec // used only for stable ID hashing, not for security
 	"embed"
 	"fmt"
 	"net"
@@ -22,6 +23,7 @@ import (
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/kyokomi/emoji/v2"
 	bolt "go.etcd.io/bbolt"
+	"golang.org/x/oauth2"
 
 	"github.com/go-pkgz/auth/v2"
 	"github.com/go-pkgz/auth/v2/avatar"
@@ -99,18 +101,19 @@ type ServerCommand struct {
 		SendJWTHeader bool   `long:"send-jwt-header" env:"SEND_JWT_HEADER" description:"send JWT as a header instead of server-set cookie; with this enabled, frontend stores the JWT in a client-side cookie (note: increases vulnerability to XSS attacks)"`
 		SameSite      string `long:"same-site" env:"SAME_SITE" description:"set same site policy for cookies" choice:"default" choice:"none" choice:"lax" choice:"strict" default:"default"` // nolint
 
-		Apple     AppleGroup `group:"apple" namespace:"apple" env-namespace:"APPLE" description:"Apple OAuth"`
-		Google    AuthGroup  `group:"google" namespace:"google" env-namespace:"GOOGLE" description:"Google OAuth"`
-		Github    AuthGroup  `group:"github" namespace:"github" env-namespace:"GITHUB" description:"Github OAuth"`
-		Facebook  AuthGroup  `group:"facebook" namespace:"facebook" env-namespace:"FACEBOOK" description:"Facebook OAuth"`
+		Apple     AppleGroup         `group:"apple" namespace:"apple" env-namespace:"APPLE" description:"Apple OAuth"`
+		Google    AuthGroup          `group:"google" namespace:"google" env-namespace:"GOOGLE" description:"Google OAuth"`
+		Github    AuthGroup          `group:"github" namespace:"github" env-namespace:"GITHUB" description:"Github OAuth"`
+		Facebook  AuthGroup          `group:"facebook" namespace:"facebook" env-namespace:"FACEBOOK" description:"Facebook OAuth"`
 		Microsoft MicrosoftAuthGroup `group:"microsoft" namespace:"microsoft" env-namespace:"MICROSOFT" description:"Microsoft OAuth"`
-		Yandex    AuthGroup  `group:"yandex" namespace:"yandex" env-namespace:"YANDEX" description:"Yandex OAuth"`
-		Twitter   AuthGroup  `group:"twitter" namespace:"twitter" env-namespace:"TWITTER" description:"[deprecated, doesn't work] Twitter OAuth"`
-		Patreon   AuthGroup  `group:"patreon" namespace:"patreon" env-namespace:"PATREON" description:"Patreon OAuth"`
-		Discord   AuthGroup  `group:"discord" namespace:"discord" env-namespace:"DISCORD" description:"Discord OAuth"`
-		Telegram  bool       `long:"telegram" env:"TELEGRAM" description:"Enable Telegram auth (using token from telegram.token)"`
-		Dev       bool       `long:"dev" env:"DEV" description:"enable dev (local) oauth2"`
-		Anonymous bool       `long:"anon" env:"ANON" description:"enable anonymous login"`
+		Yandex    AuthGroup          `group:"yandex" namespace:"yandex" env-namespace:"YANDEX" description:"Yandex OAuth"`
+		Twitter   AuthGroup          `group:"twitter" namespace:"twitter" env-namespace:"TWITTER" description:"[deprecated, doesn't work] Twitter OAuth"`
+		Patreon   AuthGroup          `group:"patreon" namespace:"patreon" env-namespace:"PATREON" description:"Patreon OAuth"`
+		Discord   AuthGroup          `group:"discord" namespace:"discord" env-namespace:"DISCORD" description:"Discord OAuth"`
+		Custom    CustomAuthGroup    `group:"custom" namespace:"custom" env-namespace:"CUSTOM" description:"Custom OAuth2 provider"`
+		Telegram  bool               `long:"telegram" env:"TELEGRAM" description:"Enable Telegram auth (using token from telegram.token)"`
+		Dev       bool               `long:"dev" env:"DEV" description:"enable dev (local) oauth2"`
+		Anonymous bool               `long:"anon" env:"ANON" description:"enable anonymous login"`
 		Email     struct {
 			Enable       bool          `long:"enable" env:"ENABLE" description:"enable auth via email"`
 			From         string        `long:"from" env:"FROM" description:"from email address"`
@@ -159,6 +162,21 @@ type MicrosoftAuthGroup struct {
 	Tenant string `long:"tenant" env:"TENANT" description:"Azure AD tenant ID, domain, or 'common' (default)" default:"common"`
 }
 
+// CustomAuthGroup defines options group for custom OAuth2 provider params
+type CustomAuthGroup struct {
+	Name         string   `long:"name" env:"NAME" description:"custom provider name used in auth route"`
+	CID          string   `long:"cid" env:"CID" description:"OAuth client ID"`
+	CSEC         string   `long:"csec" env:"CSEC" description:"OAuth client secret"`
+	AuthURL      string   `long:"auth-url" env:"AUTH_URL" description:"OAuth authorization endpoint"`
+	TokenURL     string   `long:"token-url" env:"TOKEN_URL" description:"OAuth token endpoint"`
+	InfoURL      string   `long:"info-url" env:"INFO_URL" description:"OAuth user info endpoint"`
+	Scopes       []string `long:"scopes" env:"SCOPES" env-delim:"," description:"OAuth scopes"`
+	IDField      string   `long:"id-field" env:"ID_FIELD" default:"sub" description:"user info field used as unique id"`
+	NameField    string   `long:"name-field" env:"NAME_FIELD" default:"name" description:"user info field used as display name"`
+	PictureField string   `long:"picture-field" env:"PICTURE_FIELD" default:"picture" description:"user info field used as avatar url"`
+	EmailField   string   `long:"email-field" env:"EMAIL_FIELD" default:"email" description:"user info field used as email"`
+}
+
 // StoreGroup defines options group for store params
 type StoreGroup struct {
 	Type string `long:"type" env:"TYPE" description:"type of storage" choice:"bolt" choice:"rpc" default:"bolt"` // nolint
@@ -330,6 +348,7 @@ func (s *ServerCommand) Execute(_ []string) error {
 		"AUTH_YANDEX_CSEC",
 		"AUTH_PATREON_CSEC",
 		"AUTH_DISCORD_CSEC",
+		"AUTH_CUSTOM_CSEC",
 		"TELEGRAM_TOKEN",
 		"SMTP_PASSWORD",
 		"ADMIN_PASSWD",
@@ -487,6 +506,54 @@ func contains(s string, a []string) bool {
 	return false
 }
 
+var reservedCustomProviderNames = map[string]struct{}{
+	"email":     {},
+	"anonymous": {},
+	"google":    {},
+	"github":    {},
+	"facebook":  {},
+	"yandex":    {},
+	"microsoft": {},
+	"patreon":   {},
+	"discord":   {},
+	"telegram":  {},
+	"dev":       {},
+	"apple":     {},
+}
+
+func isReservedCustomProviderName(name string) bool {
+	_, ok := reservedCustomProviderNames[name]
+	return ok
+}
+
+func (c CustomAuthGroup) isConfigured() bool {
+	return c.Name != "" || c.CID != "" || c.CSEC != "" || c.AuthURL != "" || c.TokenURL != "" || c.InfoURL != "" ||
+		len(c.Scopes) > 0 || c.IDField != "sub" || c.NameField != "name" || c.PictureField != "picture" || c.EmailField != "email"
+}
+
+func (c CustomAuthGroup) missingRequired() []string {
+	missing := []string{}
+	if c.Name == "" {
+		missing = append(missing, "AUTH_CUSTOM_NAME")
+	}
+	if c.CID == "" {
+		missing = append(missing, "AUTH_CUSTOM_CID")
+	}
+	if c.CSEC == "" {
+		missing = append(missing, "AUTH_CUSTOM_CSEC")
+	}
+	if c.AuthURL == "" {
+		missing = append(missing, "AUTH_CUSTOM_AUTH_URL")
+	}
+	if c.TokenURL == "" {
+		missing = append(missing, "AUTH_CUSTOM_TOKEN_URL")
+	}
+	if c.InfoURL == "" {
+		missing = append(missing, "AUTH_CUSTOM_INFO_URL")
+	}
+	return missing
+}
+
 // newServerApp prepares application and return it with all active parts
 // doesn't start anything
 func (s *ServerCommand) newServerApp(ctx context.Context) (*serverApp, error) {
@@ -966,6 +1033,49 @@ func (s *ServerCommand) addAuthProviders(authenticator *auth.Service) error {
 		providersCount++
 	}
 
+	if s.Auth.Custom.isConfigured() {
+		missing := s.Auth.Custom.missingRequired()
+		if len(missing) > 0 {
+			return fmt.Errorf("custom oauth provider configuration is incomplete, missing: %s", strings.Join(missing, ", "))
+		}
+
+		customName := strings.ToLower(strings.TrimSpace(s.Auth.Custom.Name))
+		if isReservedCustomProviderName(customName) {
+			return fmt.Errorf("custom oauth provider name %q is reserved", customName)
+		}
+
+		authenticator.AddCustomProvider(customName, auth.Client{Cid: s.Auth.Custom.CID, Csecret: s.Auth.Custom.CSEC}, provider.CustomHandlerOpt{
+			Endpoint: oauth2.Endpoint{
+				AuthURL:  s.Auth.Custom.AuthURL,
+				TokenURL: s.Auth.Custom.TokenURL,
+			},
+			InfoURL: s.Auth.Custom.InfoURL,
+			Scopes:  s.Auth.Custom.Scopes,
+			MapUserFn: func(data provider.UserData, _ []byte) token.User {
+				sourceID := data.Value(s.Auth.Custom.IDField)
+				if sourceID == "" {
+					sourceID = data.Value(s.Auth.Custom.EmailField)
+				}
+				if sourceID == "" {
+					sourceID = data.Value(s.Auth.Custom.NameField)
+				}
+
+				hashID := token.HashID(sha1.New(), sourceID) //nolint:gosec // stable provider user id hash
+				user := token.User{
+					ID:      customName + "_" + hashID,
+					Name:    data.Value(s.Auth.Custom.NameField),
+					Picture: data.Value(s.Auth.Custom.PictureField),
+					Email:   data.Value(s.Auth.Custom.EmailField),
+				}
+				if user.Name == "" {
+					user.Name = "noname_" + hashID[:4]
+				}
+				return user
+			},
+		})
+		providersCount++
+	}
+
 	if s.Auth.Dev {
 		log.Print("[INFO] dev access enabled")
 		u, errURL := url.Parse(s.RemarkURL)

backend/app/cmd/server_test.go

@@ -95,6 +95,30 @@ func TestServerApp_DevMode(t *testing.T) {
 	app.Wait()
 }
 
+func TestServerApp_CustomOAuthProvider(t *testing.T) {
+	port := chooseRandomUnusedPort()
+	app, ctx, cancel := prepServerApp(t, func(o ServerCommand) ServerCommand {
+		o.Port = port
+		o.Auth.Custom.Name = "oidc"
+		o.Auth.Custom.CID = "cid"
+		o.Auth.Custom.CSEC = "csec"
+		o.Auth.Custom.AuthURL = "https://example.com/oauth2/authorize"
+		o.Auth.Custom.TokenURL = "https://example.com/oauth2/token"
+		o.Auth.Custom.InfoURL = "https://example.com/oauth2/userinfo"
+		return o
+	})
+
+	go func() { _ = app.run(ctx) }()
+	waitForHTTPServerStart(port)
+
+	providers := app.restSrv.Authenticator.Providers()
+	require.Equal(t, 11+1, len(providers), "extra auth provider")
+	assert.Equal(t, "oidc", providers[len(providers)-2].Name(), "custom auth provider")
+
+	cancel()
+	app.Wait()
+}
+
 func TestServerApp_AnonMode(t *testing.T) {
 	port := chooseRandomUnusedPort()
 	app, ctx, cancel := prepServerApp(t, func(o ServerCommand) ServerCommand {
@@ -389,6 +413,33 @@ func TestServerApp_Failed(t *testing.T) {
 		"failed to make authenticator: an AppleProvider creating failed: "+
 			"provided private key is not ECDSA")
 	t.Log(err)
+
+	// incomplete custom oauth config
+	opts = ServerCommand{}
+	opts.SetCommon(CommonOpts{RemarkURL: "https://demo.remark42.com", SharedSecret: "123456"})
+	p = flags.NewParser(&opts, flags.Default)
+	_, err = p.ParseArgs([]string{"--store.bolt.path=/tmp", "--backup=/tmp", "--image.fs.path=/tmp", "--auth.custom.name=oidc", "--auth.custom.cid=123"})
+	assert.NoError(t, err)
+	_, err = opts.newServerApp(context.Background())
+	assert.EqualError(t, err,
+		"failed to make authenticator: custom oauth provider configuration is incomplete, missing: "+
+			"AUTH_CUSTOM_CSEC, AUTH_CUSTOM_AUTH_URL, AUTH_CUSTOM_TOKEN_URL, AUTH_CUSTOM_INFO_URL")
+	t.Log(err)
+}
+
+func TestIsReservedCustomProviderName(t *testing.T) {
+	reserved := []string{
+		"email", "anonymous", "google", "github", "facebook", "yandex",
+		"microsoft", "patreon", "discord", "telegram", "dev", "apple",
+	}
+
+	for _, name := range reserved {
+		t.Run(name, func(t *testing.T) {
+			assert.True(t, isReservedCustomProviderName(name))
+		})
+	}
+
+	assert.False(t, isReservedCustomProviderName("oidc"))
 }
 
 func TestServerApp_Shutdown(t *testing.T) {

frontend/apps/remark42/app/common/types.ts

@@ -90,7 +90,7 @@ export interface Tree {
   info: PostInfo;
 }
 
-export type OAuthProvider =
+export type DefaultOAuthProvider =
   | 'apple'
   | 'facebook'
   | 'twitter'
@@ -102,6 +102,7 @@ export type OAuthProvider =
   | 'discord'
   | 'telegram'
   | 'dev';
+export type OAuthProvider = DefaultOAuthProvider | (string & {});
 export type FormProvider = 'email' | 'anonymous';
 export type Provider = OAuthProvider | FormProvider;
 

frontend/apps/remark42/app/components/auth/auth.spec.tsx

@@ -70,6 +70,7 @@ describe('<Auth/>', () => {
   it.each([
     [[]],
     [['dev']],
+    [['customoidc']],
     [['facebook', 'google']],
     [['facebook', 'google', 'microsoft']],
     [['facebook', 'google', 'microsoft', 'yandex']],
@@ -291,6 +292,23 @@ describe('<Auth/>', () => {
       );
       expect(setUser).toBeCalledWith(user);
     });
+
+    it('should use custom provider route', async () => {
+      StaticStore.config.auth_providers = ['customoidc'];
+
+      const oauthSignin = jest.spyOn(api, 'oauthSignin').mockImplementation(async () => null);
+
+      render(<Auth />);
+
+      fireEvent.click(screen.getByText('Sign In'));
+      await waitFor(() => fireEvent.click(screen.getByTitle('Sign In with Customoidc')));
+
+      await waitFor(() =>
+        expect(oauthSignin).toBeCalledWith(
+          `${BASE_URL}/auth/customoidc/login?from=http%3A%2F%2Flocalhost%2F%3FselfClose&site=remark`
+        )
+      );
+    });
   });
 
   describe('Telegram auth', () => {

frontend/apps/remark42/app/components/auth/auth.utils.ts

@@ -2,7 +2,6 @@ import { isJwtExpired } from 'utils/jwt';
 import { StaticStore } from 'common/static-store';
 import type { FormProvider, OAuthProvider } from 'common/types';
 
-import { OAUTH_PROVIDERS } from './components/oauth.consts';
 import { messages } from './auth.messsages';
 import { setItem, getItem } from 'common/local-storage';
 import { LS_EMAIL_KEY } from 'common/constants';
@@ -12,7 +11,9 @@ export function getProviders(): [OAuthProvider[], FormProvider[]] {
   const formProviders: FormProvider[] = [];
 
   StaticStore.config.auth_providers.forEach((p) => {
-    OAUTH_PROVIDERS.includes(p) ? oauthProviders.push(p as OAuthProvider) : formProviders.push(p as FormProvider);
+    p === 'email' || p === 'anonymous'
+      ? formProviders.push(p as FormProvider)
+      : oauthProviders.push(p as OAuthProvider);
   });
 
   return [oauthProviders, formProviders];

frontend/apps/remark42/app/components/auth/components/oauth.consts.ts

@@ -20,6 +20,7 @@ export const OAUTH_DATA = {
   microsoft: require('assets/social/microsoft.svg').default as string,
   yandex: require('assets/social/yandex.svg').default as string,
   dev: require('assets/social/dev.svg').default as string,
+  custom: require('assets/social/custom.svg').default as string,
   github: {
     name: 'GitHub',
     icons: {

frontend/apps/remark42/app/components/auth/components/oauth.utils.ts

@@ -16,7 +16,11 @@ export function getButtonVariant(num: number) {
 }
 
 export function getProviderData(provider: OAuthProvider, theme: Theme) {
-  const data = OAUTH_DATA[provider];
+  const data = OAUTH_DATA[provider as keyof typeof OAUTH_DATA];
+
+  if (!data) {
+    return { name: capitalizeFirstLetter(provider), icon: OAUTH_DATA.custom };
+  }
 
   if (typeof data !== 'string') {
     return {

site/src/docs/configuration/authorization/index.md

@@ -113,6 +113,31 @@ For more details refer to [Yandex OAuth](https://yandex.com/dev/oauth/doc/dg/con
 3. Under **"Redirects"** enter the correct url constructed as domain + `/auth/discord/callback`. ie `https://remark42.mysite.com/auth/discord/callback`
 4. Take note of the **CLIENT ID** and **CLIENT SECRET**, as they are values for `AUTH_DISCORD_CID` and `AUTH_DISCORD_CSEC` respectively
 
+### Custom OAuth2 Provider
+
+You can configure any OAuth2-compatible provider by setting these variables:
+
+- `AUTH_CUSTOM_NAME` - provider name used in auth routes
+- `AUTH_CUSTOM_CID` - OAuth client ID
+- `AUTH_CUSTOM_CSEC` - OAuth client secret
+- `AUTH_CUSTOM_AUTH_URL` - authorization endpoint
+- `AUTH_CUSTOM_TOKEN_URL` - token endpoint
+- `AUTH_CUSTOM_INFO_URL` - user info endpoint
+- `AUTH_CUSTOM_SCOPES` - optional scopes, comma-separated
+- `AUTH_CUSTOM_ID_FIELD` - optional user info field used as unique id (default `sub`)
+- `AUTH_CUSTOM_NAME_FIELD` - optional user info field used as display name (default `name`)
+- `AUTH_CUSTOM_PICTURE_FIELD` - optional user info field used as avatar URL (default `picture`)
+- `AUTH_CUSTOM_EMAIL_FIELD` - optional user info field used as email (default `email`)
+
+Callback URL format:
+
+`https://<remark42-url>/auth/<AUTH_CUSTOM_NAME>/callback`
+
+Notes:
+
+- `AUTH_CUSTOM_NAME` must be URL-safe and should not conflict with built-in providers: `email`, `anonymous`, `google`, `github`, `facebook`, `yandex`, `microsoft`, `patreon`, `discord`, `telegram`, `dev`, `apple`.
+- If any required custom variable is missing, Remark42 will fail to start.
+
 ### Telegram
 
 1. Contact [@BotFather](https://t.me/botfather) and follow his instructions to create your bot (call it, for example, "My site auth bot")