[FEATURE] Introduce a ThirdParty GenericOIDC implementation. #1321

Open. Wants to merge 8 commits into base: main
Conversation

ghstahl

@ghstahl ghstahl commented Feb 5, 2024

#1320

Description

Expanding third-party IDPs to have a generic OIDC configuration.
Currently Google, GitHub, and Apple are hard-coded and are the only external connections.

Tested against google and azureAD-enterprise.

Implementation

Copied the Google third-party implementation.
This all still uses the Hanko OAuth2 workflow. OIDC is just a high-level wrapper of OAuth2.

The big differences:

  1. Use the OIDC discovery to get all the needed urls (tokenendpoint, userinfo, etc)
  2. Allow scopes to be configured. These external OAuth2 idps can require different ones. i.e. AzureAD
  3. Start thinking about putting more data into the ThirdParty configs.
    Metadata: map[string]string, used primarily by the frontend as a way to have an open ended configuration attached to the IDP.
    ImageRef: where to pull the logo from.
    DisplayName: The current usage of using the lookup key as the display name should be expanded.
    etc.

Example Config for the third party.

third_party:
  redirect_url: http://localhost:8000/thirdparty/callback
  error_redirect_url: http://localhost:8888
  allowed_redirect_urls:
    - http://localhost:8888**
    - http://localhost:3000**
  providers:
    google:
      enabled: true
      client_id: 1096301616546-edbl612881t7rkpljp3qa3juminskulo.apps.googleusercontent.com
      secret: GOC**[REDACTED]**
    github:
      enabled: true
      client_id: e489eb4f05e9f247d8ad
      secret: 1bb**[REDACTED]**
  generic_oidc_providers:
    google_oidc:
      authority: https://accounts.google.com
      #display_name: Google(Generic OIDC Provider)
      enabled: true
      client_id: 1096301616546-edbl612881t7rkpljp3qa3juminskulo.apps.googleusercontent.com
      secret: GOC**[REDACTED]**
      scopes: "openid profile email"
      require_provider_email_verification: true
    mapped_staff_oidc:
      authority: https://login.microsoftonline.com/590**[REDACTED]**/v2.0
      #display_name: Mapped Staff (Generic OIDC Provider)
      enabled: true
      client_id: 3b918868-9bff-431f-bd9c-f9896d628e6b
      secret: hU4**[REDACTED]**
      scopes: "openid profile email User.Read"
      require_provider_email_verification: false
      hidden: true
      metadata:
        a: "b"
        c: "d"

Tests

Manually tested against google and azureAD.

Todos

This is more of a UI frontend thing, but idp lookup keys and display names are different.
The /.well-known/config needs to return more information about the IDP. i.e. the lookup key, displayName, metadata, etc.

Additional context

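The two differences the description calls out, deriving the endpoints from OIDC discovery and letting each provider configure its own scopes, are shown below as an added example. This is not code from the PR or from Hanko; the `GenericOIDCProvider` struct, the `SampleDiscovery` document and the function names are assumptions made for illustration. It also carries the two checks a reviewer would want around discovery: the `issuer` in the document must match the configured `authority`, and every endpoint must be an absolute https URL, so a tampered or misconfigured document cannot steer the token or userinfo call elsewhere. The configured scopes are required to include `openid`, since without it the provider returns no ID token.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// GenericOIDCProvider holds the config fields from a generic_oidc_providers
// entry that this example needs. Assumed struct for illustration, not Hanko's own type.
type GenericOIDCProvider struct {
	Authority string // e.g. https://accounts.google.com
	ClientID  string
	Scopes    string // whitespace-separated, e.g. "openid profile email User.Read"
}

// Discovery is the subset of OpenID Provider Metadata the login flow needs.
type Discovery struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
	UserinfoEndpoint      string `json:"userinfo_endpoint"`
	JwksURI               string `json:"jwks_uri"`
}

// DiscoveryURL derives the well-known metadata URL from the configured authority.
func DiscoveryURL(authority string) string {
	return strings.TrimSuffix(authority, "/") + "/.well-known/openid-configuration"
}

// ParseDiscovery decodes a discovery document and checks it before any endpoint is
// trusted: issuer must equal the configured authority, and every endpoint must be
// an absolute https URL.
func ParseDiscovery(authority string, body []byte) (*Discovery, error) {
	var d Discovery
	if err := json.Unmarshal(body, &d); err != nil {
		return nil, fmt.Errorf("discovery: %w", err)
	}
	if strings.TrimSuffix(d.Issuer, "/") != strings.TrimSuffix(authority, "/") {
		return nil, fmt.Errorf("discovery: issuer %q does not match authority %q", d.Issuer, authority)
	}
	endpoints := map[string]string{
		"authorization_endpoint": d.AuthorizationEndpoint,
		"token_endpoint":         d.TokenEndpoint,
		"userinfo_endpoint":      d.UserinfoEndpoint,
		"jwks_uri":               d.JwksURI,
	}
	for name, ep := range endpoints {
		u, err := url.Parse(ep)
		if err != nil || u.Scheme != "https" || u.Host == "" {
			return nil, fmt.Errorf("discovery: %s %q is not an absolute https URL", name, ep)
		}
	}
	return &d, nil
}

// ScopeList splits the configured scopes string and insists on "openid".
func ScopeList(scopes string) ([]string, error) {
	fields := strings.Fields(scopes)
	for _, s := range fields {
		if s == "openid" {
			return fields, nil
		}
	}
	return nil, errors.New(`scopes must include "openid"`)
}

// AuthorizationURL builds the redirect to the discovered authorization endpoint
// with the configured scopes. state and nonce come from the caller and must be
// bound to the user's session so the callback can verify them.
func AuthorizationURL(d *Discovery, p GenericOIDCProvider, redirectURL, state, nonce string) (string, error) {
	scopes, err := ScopeList(p.Scopes)
	if err != nil {
		return "", err
	}
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", p.ClientID)
	q.Set("redirect_uri", redirectURL)
	q.Set("scope", strings.Join(scopes, " "))
	q.Set("state", state)
	q.Set("nonce", nonce)
	return d.AuthorizationEndpoint + "?" + q.Encode(), nil
}

// SampleDiscovery is a constructed discovery document standing in for what would
// be fetched from DiscoveryURL(p.Authority) for the google_oidc entry above.
const SampleDiscovery = `{
  "issuer": "https://accounts.google.com",
  "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
  "token_endpoint": "https://oauth2.googleapis.com/token",
  "userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
  "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs"
}`

func main() {
	p := GenericOIDCProvider{Authority: "https://accounts.google.com", ClientID: "example-client-id", Scopes: "openid profile email"}
	d, err := ParseDiscovery(p.Authority, []byte(SampleDiscovery))
	if err != nil {
		panic(err)
	}
	u, err := AuthorizationURL(d, p, "http://localhost:8000/thirdparty/callback", "state-from-session", "nonce-from-session")
	if err != nil {
		panic(err)
	}
	fmt.Println(DiscoveryURL(p.Authority), u)
}
```

The issuer comparison is what keeps a tenant-specific authority such as the `login.microsoftonline.com/<tenant>/v2.0` entries honest: a document naming a different issuer is rejected rather than silently redirecting the token exchange.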

@ghstahl ghstahl mentioned this pull request Feb 5, 2024
ghstahl commented Feb 5, 2024

Testing with Microsoft Social

    microsoft_social:
      authority: https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0
      display_name: Microsoft Social
      enabled: true
      client_id: 0f81aa6c-b280-4503-b130-adc0567bfbe4
      secret: gN~***[REDACTED]***
      scopes: "openid profile email User.Read"
      require_provider_email_verification: false
      hidden: false
      metadata:
        a: "b"
        c: "d"

