
Support OIDC protocol #71

Merged
merged 1 commit into from
Oct 30, 2024

Conversation

JohnNiang
Contributor

This PR adds OidcAuthorizationCodeReactiveAuthenticationManager to authenticate the request if the authorization request contains the scope openid.

Below is an example of Logto integration:

  • Oauth2ClientRegistration
apiVersion: oauth.halo.run/v1alpha1
kind: Oauth2ClientRegistration
metadata:
  name: logto
spec:
  clientAuthenticationMethod: "client_secret_basic"
  authorizationGrantType: "authorization_code"
  redirectUri: "{baseUrl}/login/oauth2/code/logto"
  scopes:
    - "profile"
    - "openid"
  authorizationUri: "https://2ri34b.logto.app/oidc/auth"
  tokenUri: "https://2ri34b.logto.app/oidc/token"
  userInfoUri: "https://2ri34b.logto.app/oidc/me"
  issuerUri: "https://2ri34b.logto.app/oidc"
  jwkSetUri: "https://2ri34b.logto.app/oidc/jwks"
  userInfoAuthenticationMethod: "header"
  userNameAttributeName: "username"
  clientName: "Logto"
  configurationMetadata:
    id_token_signing_alg_values_supported:
      - ES384

https://2ri34b.logto.app/oidc/.well-known/openid-configuration

Please note that spec.configurationMetadata.id_token_signing_alg_values_supported is required because Logto only uses the ES384 algorithm for signing.

  • AuthProvider
apiVersion: auth.halo.run/v1alpha1
kind: AuthProvider
metadata:
  name: logto
  labels:
    auth.halo.run/auth-binding: "true"
spec:
  displayName: Logto
  description: Logto is an Auth0 alternative designed for modern apps and SaaS products. It offers a seamless developer experience and is well-suited for individuals and growing companies.
  logo: /plugins/plugin-oauth2/assets/static/logto.svg
  website: https://logto.io
  authenticationUrl: /oauth2/authorization/logto
  bindingUrl: /oauth2/authorization/logto
  unbindUrl: /apis/uc.api.auth.halo.run/v1alpha1/user-connections/logto/disconnect
  authType: oauth2
  settingRef:
    name: generic-oauth2-setting
    group: genericOauth
  configMapRef:
    name: oauth2-logto-config

/kind feature

Fixes #68

Support the OIDC authentication protocol
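The note above about id_token_signing_alg_values_supported is the usual JWS algorithm-pinning problem on the relying-party side: the client must take the ID token signing algorithm from provider metadata (Logto: ES384), never from the token's own header, and many OIDC client libraries otherwise assume RS256. The Go program below is an added example written for this page, not the plugin's code (the plugin itself is Java/Spring) and not Logto's. Everything in it is assumed for illustration: the Issuer and ClientID constants stand in for the Logto tenant and the registered client, a freshly generated P-384 key stands in for the key Logto would publish at jwkSetUri, the claims are constructed, and SignES384, VerifyIDToken and decodePart are names chosen here. It covers only a string-valued aud and does not fetch a JWK set by kid, which a real client must do.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Assumed values for this example (not taken from the PR): a stand-in issuer
// and the client_id Halo would have registered with the provider.
const (
	Issuer   = "https://issuer.example/oidc"
	ClientID = "halo-oauth2-plugin"
)

type Claims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce"`
}

func decodePart(part string, v any) error {
	raw, err := base64.RawURLEncoding.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// SignES384 builds a compact JWS signed with ECDSA P-384/SHA-384 in the fixed-width
// R||S form JWS requires (RFC 7518, 3.4). headerAlg is written into "alg" as given,
// so a token whose header lies about the algorithm can be minted for testing.
func SignES384(key *ecdsa.PrivateKey, headerAlg string, c Claims) (string, error) {
	h, _ := json.Marshal(map[string]string{"alg": headerAlg, "typ": "JWT"})
	p, _ := json.Marshal(c)
	signingInput := base64.RawURLEncoding.EncodeToString(h) + "." + base64.RawURLEncoding.EncodeToString(p)
	digest := sha512.Sum384([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 96) // two 48-byte big-endian integers for P-384
	r.FillBytes(sig[:48])
	s.FillBytes(sig[48:])
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyIDToken does what a relying party must: pin the algorithm to the one the provider
// advertises in id_token_signing_alg_values_supported, verify the signature with the
// provider's key, then check iss, aud, exp and nonce.
func VerifyIDToken(token string, pub *ecdsa.PublicKey, pinnedAlg, expectedNonce string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg string `json:"alg"` }
	if len(parts) != 3 || decodePart(parts[0], &hdr) != nil {
		return nil, fmt.Errorf("malformed compact JWS")
	}
	// The header is attacker-controlled: it never chooses the algorithm, and this verifier implements ES384 only.
	if hdr.Alg != pinnedAlg || hdr.Alg != "ES384" {
		return nil, fmt.Errorf("alg %q rejected: provider is pinned to %s", hdr.Alg, pinnedAlg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 96 {
		return nil, fmt.Errorf("signature is not a 96-byte R||S value")
	}
	r, s := new(big.Int).SetBytes(sig[:48]), new(big.Int).SetBytes(sig[48:])
	digest := sha512.Sum384([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, fmt.Errorf("signature does not verify against the provider key")
	}
	var c Claims
	if err := decodePart(parts[1], &c); err != nil {
		return nil, err
	}
	if c.Iss != Issuer || c.Aud != ClientID {
		return nil, fmt.Errorf("token not issued by %s for %s (iss=%q aud=%q)", Issuer, ClientID, c.Iss, c.Aud)
	}
	if !now.Before(time.Unix(c.Exp, 0)) || c.Nonce != expectedNonce {
		return nil, fmt.Errorf("token expired or nonce does not match the authorization request")
	}
	return &c, nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader) // stands in for the provider's signing key
	tok, _ := SignES384(key, "ES384", Claims{Iss: Issuer, Sub: "user-123", Aud: ClientID, Exp: time.Now().Unix() + 300, Nonce: "n-1"})
	_, errPinned := VerifyIDToken(tok, &key.PublicKey, "ES384", "n-1", time.Now())
	_, errDefault := VerifyIDToken(tok, &key.PublicKey, "RS256", "n-1", time.Now())
	fmt.Println("pinned to ES384:", errPinned, "\npinned to RS256 (a common library default):", errDefault)
}
```

Running it shows the two outcomes the PR note describes: with the pin set to ES384 the token verifies; with the pin left at RS256 the same token is refused at the header check before any signature work, which is the failure a Logto user sees when spec.configurationMetadata is omitted. The alg check comes first deliberately: a token whose header says HS384 or none must fall out there, not in the signature step.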

@f2c-ci-robot f2c-ci-robot bot added kind/feature Categorizes issue or PR as related to a new feature. release-note Denotes a PR that will be considered when it comes time to generate release notes. labels Oct 29, 2024
@f2c-ci-robot f2c-ci-robot bot requested review from guqing and ruibaby October 29, 2024 06:24
Member

@ruibaby ruibaby left a comment


/lgtm

Consider writing a document in the README on adding a Provider and building it yourself, to cover these custom needs.

@f2c-ci-robot f2c-ci-robot bot added the lgtm Indicates that a PR is ready to be merged. label Oct 30, 2024
Member

@guqing guqing left a comment


/lgtm

f2c-ci-robot bot commented Oct 30, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: guqing

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@f2c-ci-robot f2c-ci-robot bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 30, 2024
@f2c-ci-robot f2c-ci-robot bot merged commit 79e06a1 into halo-sigs:main Oct 30, 2024
2 checks passed
@JohnNiang JohnNiang deleted the feat/oidc branch October 30, 2024 04:18
@JohnNiang
Contributor Author

> /lgtm
>
> Consider writing a document in the README on adding a Provider and building it yourself, to cover these custom needs.

I'd suggest referencing or resolving #23 directly, since these are all stopgap solutions.

Successfully merging this pull request may close these issues.

Request to support OIDC authentication protocol