
Is it possible to add support for generic OAuth? Are there any plans in the near term? Thanks! #23

Open
DarkWayne opened this issue Apr 25, 2023 · 22 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@DarkWayne

Is it possible to add support for generic OAuth (integrating a third-party OAuth authentication system)? Are there any plans in the near term? Looking forward to your reply, thanks!

@ruibaby
Member

ruibaby commented Apr 25, 2023

Other OAuth providers are already supported through configuration. Could you describe in detail how you expect to use it?

@ruibaby ruibaby added kind/feature Categorizes issue or PR as related to a new feature. priority/awaiting-more-evidence Lowest priority. Possibly useful, but not yet enough support to actually get it done. labels Apr 25, 2023
@DarkWayne
Author

@ruibaby Hi! My scenario: I have an internal IDaaS identity authentication system of my own, and I want to authenticate internal users' logins via OAuth.
But as far as I can see, the current standard OAuth plugin only supports integrating external systems such as GitLab and Gitee.
Is a standard plugin that supports internal authentication systems planned? Or is there any temporary workaround? Many thanks for your guidance.

@JohnNiang
Contributor

Hi @DarkWayne, you can try configuring an AuthProvider that matches your authentication system, based on the AuthProvider sample below (the lines marked with + are the ones to adapt):

```diff
apiVersion: auth.halo.run/v1alpha1
kind: AuthProvider
metadata:
+ name: gitlab
  labels:
    auth.halo.run/auth-binding: "true"
spec:
+ displayName: GitLab
+ description: GitLab Inc. is an open-core company that operates GitLab, a DevOps software package which can develop, secure, and operate software.
+ logo: /plugins/plugin-oauth2/assets/static/gitlab.svg
+ website: https://gitlab.com
+ authenticationUrl: /oauth2/authorization/gitlab
+ bindingUrl: /apis/api.plugin.halo.run/v1alpha1/plugins/plugin-oauth2/connect/gitlab
+ unbindUrl: /apis/api.plugin.halo.run/v1alpha1/plugins/plugin-oauth2/disconnect/gitlab
  settingRef:
    name: generic-oauth2-setting
    group: genericOauth
  configMapRef:
+   name: oauth2-gitlab-config
```

Then create the corresponding AuthProvider through the API; example below (replace the URL, the username and password, and the request body with your own):

```shell
# The request body is JSON, so declare it as such; replace host, credentials and body.
curl -X 'POST' \
  'http://localhost:8090/apis/auth.halo.run/v1alpha1/authproviders' \
  -u admin:admin \
  -H 'accept: */*' \
  -H 'Content-Type: application/json' \
  -d '{
  "apiVersion": "auth.halo.run/v1alpha1",
  "kind": "AuthProvider",
  "metadata": {
    "name": "gitlab",
    "labels": {
      "auth.halo.run/auth-binding": "true"
    }
  },
  "spec": {
    "displayName": "GitLab",
    "description": "GitLab Inc. is an open-core company that operates GitLab, a DevOps software package which can develop, secure, and operate software.",
    "logo": "/plugins/plugin-oauth2/assets/static/gitlab.svg",
    "website": "https://gitlab.com",
    "authenticationUrl": "/oauth2/authorization/gitlab",
    "bindingUrl": "/apis/api.plugin.halo.run/v1alpha1/plugins/plugin-oauth2/connect/gitlab",
    "unbindUrl": "/apis/api.plugin.halo.run/v1alpha1/plugins/plugin-oauth2/disconnect/gitlab",
    "settingRef": {
      "name": "generic-oauth2-setting",
      "group": "genericOauth"
    },
    "configMapRef": {
      "name": "oauth2-gitlab-config"
    }
  }
}'
```

@DarkWayne
Author

@JohnNiang Thanks!
One detail: when creating a custom configuration, what is the redirect_uri? Does the trailing "gitlab" in the paths of authenticationUrl / bindingUrl / unbindUrl come from metadata.name?
Please advise.

@JohnNiang
Contributor

#23 (comment)

Hi @DarkWayne, you also need to create an Oauth2ClientRegistration; example below:

```yaml
apiVersion: oauth.halo.run/v1alpha1
kind: Oauth2ClientRegistration
metadata:
  name: gitlab
spec:
  clientAuthenticationMethod: "client_secret_basic"
  authorizationGrantType: "authorization_code"
  redirectUri: "{baseUrl}/login/oauth2/code/gitlab"
  scopes:
    - "read_user"
  authorizationUri: "https://gitlab.com/oauth/authorize"
  tokenUri: "https://gitlab.com/oauth/token"
  userInfoUri: "https://gitlab.com/api/v4/user"
  userInfoAuthenticationMethod: "header"
  userNameAttributeName: "username"
  clientName: "GitLab"
```
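As an added example (not the plugin's own code), a small Python check that ties the two objects posted in this thread together: it resolves the redirectUri template for a given site URL, so the exact callback to register at the identity provider is known, and flags mismatches between the AuthProvider URLs and the Oauth2ClientRegistration name. It assumes, from the samples alone, that the trailing path segment of the provider URLs and of redirectUri is the registration's metadata.name; the site URL https://blog.example is a constructed value.

```python
from urllib.parse import urlsplit

# Constructed, abbreviated copies of the two objects posted in this thread; fields
# the checks below do not use (description, logo, website, settingRef) are omitted.
AUTH_PROVIDER = {
    "metadata": {"name": "gitlab"},
    "spec": {
        "authenticationUrl": "/oauth2/authorization/gitlab",
        "bindingUrl": "/apis/api.plugin.halo.run/v1alpha1/plugins/plugin-oauth2/connect/gitlab",
        "unbindUrl": "/apis/api.plugin.halo.run/v1alpha1/plugins/plugin-oauth2/disconnect/gitlab",
    },
}
CLIENT_REGISTRATION = {
    "metadata": {"name": "gitlab"},
    "spec": {
        "clientAuthenticationMethod": "client_secret_basic",
        "authorizationGrantType": "authorization_code",
        "redirectUri": "{baseUrl}/login/oauth2/code/gitlab",
        "scopes": ["read_user"],
        "authorizationUri": "https://gitlab.com/oauth/authorize",
        "tokenUri": "https://gitlab.com/oauth/token",
        "userInfoUri": "https://gitlab.com/api/v4/user",
    },
}

def resolve_redirect_uri(template: str, base_url: str) -> str:
    """Expand {baseUrl} (the only placeholder in the posted sample) to the callback URL."""
    return template.replace("{baseUrl}", base_url.rstrip("/"))

def check_pair(provider: dict, registration: dict, base_url: str) -> list[str]:
    """Return the consistency problems found; an empty list means the pair lines up."""
    problems = []
    pid, rid = provider["metadata"]["name"], registration["metadata"]["name"]
    spec, rspec = provider["spec"], registration["spec"]
    if pid != rid:
        problems.append(f"AuthProvider name {pid!r} != Oauth2ClientRegistration name {rid!r}")
    # Assumption from the samples: the registration name is the last path segment of
    # every provider URL, and authenticationUrl follows /oauth2/authorization/<name>.
    for key in ("authenticationUrl", "bindingUrl", "unbindUrl"):
        if spec[key].rsplit("/", 1)[-1] != rid:
            problems.append(f"{key} does not end with registration name {rid!r}")
    if spec["authenticationUrl"] != f"/oauth2/authorization/{rid}":
        problems.append("authenticationUrl must be /oauth2/authorization/<registration name>")
    redirect = resolve_redirect_uri(rspec["redirectUri"], base_url)
    if redirect != f"{base_url.rstrip('/')}/login/oauth2/code/{rid}":
        problems.append(f"redirect_uri resolves to {redirect!r}, expected .../login/oauth2/code/{rid}")
    # Codes, tokens and user info travel over these endpoints: require absolute https URLs.
    for key in ("authorizationUri", "tokenUri", "userInfoUri"):
        parts = urlsplit(rspec[key])
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"{key} must be an absolute https URL, got {rspec[key]!r}")
    if not rspec["scopes"]:
        problems.append("scopes must list at least one scope")
    return problems
```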

@DarkWayne
Author

@JohnNiang @ruibaby Hi! I have given it a try: my local authentication service is now integrated through configuration, and I can obtain internal users' credentials and information. One problem remains: users cannot be registered in Halo automatically. Does the plugin have any solution or plan for this?

@DarkWayne
Author

DarkWayne commented May 6, 2023

@JohnNiang @ruibaby Hi! I have given it a try: my local authentication service is now integrated through configuration, and I can obtain internal users' credentials and information. One problem remains: users cannot be registered in Halo automatically. Does the plugin have any solution or plan for this?

@JohnNiang @ruibaby Could the two of you reply when you have time?

@JohnNiang
Contributor

/cc @guqing

@guqing
Member

guqing commented May 8, 2023

You want users to log in to Halo with their existing IDaaS accounts, which probably needs something like auto-registration: if no account exists at login, a Halo account is created and linked automatically. At present auto-registration is not supported; you can only create a Halo account first and then bind the third-party account to log in, or, if no account exists at login, register one and then bind it.

Auto-registration is planned: there will be an option such that, once it is enabled, a Halo account is created automatically when logging in via OAuth2.

@DarkWayne
Author

@guqing Thanks a lot! Is the rough timeline for that plan going to be a long way off?

@guqing
Member

guqing commented May 10, 2023

@guqing Thanks a lot! Is the rough timeline for that plan going to be a long way off?

Not sure; there are really too many repositories to maintain right now, and maintaining the main halo-dev/halo repository takes priority.

@f2c-ci-robot f2c-ci-robot bot closed this as completed in #33 Jul 3, 2023
f2c-ci-robot bot pushed a commit that referenced this issue Jul 3, 2023
…#33)

### What this PR does?
Support redirecting to a specified page after a successful login

/kind feature

Fixes #23 

```release-note
Support redirecting to a specified page after a successful login
```
@guqing
Member

guqing commented Jul 3, 2023

/reopen
The issue was closed because of a wrong association; I will reopen it.

@f2c-ci-robot

f2c-ci-robot bot commented Jul 3, 2023

@guqing: Reopened this issue.

In response to this:

/reopen
The issue was closed because of a wrong association; I will reopen it.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@f2c-ci-robot f2c-ci-robot bot reopened this Jul 3, 2023
@LGY07

LGY07 commented Feb 15, 2024

Also need custom OAuth and OIDC

@chenjuefei

Also need custom OAuth and OIDC

@hhhguany

Also need custom OAuth and OIDC

@JohnNiang JohnNiang removed the priority/awaiting-more-evidence Lowest priority. Possibly useful, but not yet enough support to actually get it done. label Oct 29, 2024
@JohnNiang
Contributor

JohnNiang commented Oct 29, 2024

/ping @halo-sigs/halo, we could consider providing the ability to add ClientRegistration and AuthProvider objects from the Console now.

@ruibaby
Member

ruibaby commented Oct 29, 2024

/ping @halo-sigs/halo, we could consider providing the ability to add ClientRegistration and AuthProvider objects from the Console now.

No time for this at the moment; I suggest building this plugin yourself following #71.

@JohnNiang
Contributor

If that is acceptable, for now you can use the https://www.halo.run/store/apps/app-MrbzY plugin to manually create (or modify) custom OAuth2ClientRegistration and AuthProvider objects.

@Corps-Cy

(screenshot attached)
When integrating my own OAuth platform I can already obtain the code successfully, but on the redirect_uri callback it fails with {baseUri}/login?oauth2_error. Is there any way to solve this?

@JohnNiang
Contributor

JohnNiang commented Nov 26, 2024

Hi @Corps-Cy, I suggest filing a new issue. Also, please provide enough information, such as logs.

I suggest trying the latest unreleased version, 1.5.0-rc.1, which already supports the OIDC protocol.

@Corps-Cy

(screenshot attached)
By checking the logs I found the cause: when fetching the token, the request includes the scope parameter again, which seems not to comply with the requirement. Does version 1.5.0-rc.1 drop that parameter as required?
