OpenID Connect based authentication (oauth) #4160

vodorok opened this issue Jan 26, 2024 · 0 comments
Labels
GUI 🎨 new feature 👍 New feature request web 🌍 Related to the web app

vodorok commented Jan 26, 2024

Authentication with OpenID Connect (OIDC) would be a useful addition to CodeChecker authentication methods.
https://openid.net/developers/how-connect-works/

Currently, only PAM and LDAP authentication methods are supported, but there are cases where these methods are not flexible enough. For example, in the demo server (https://codechecker-demo.eastus.cloudapp.azure.com), only a few predefined users exist, and the viewing and administration must be done by using those, instead of using the proper users and permissions.

Phase I.

Requirements:

  • The feature must be implemented with https://github.com/lepture/authlib, https://docs.authlib.org/en/latest/index.html.
  • It should be possible to authenticate the user using the GitHub/Google (user-selectable) accounts over the web login screen.
  • Two-factor authentication should be supported if required by GitHub or Google.
  • After successful authentication the user should be let in based on server settings (see below).
  • If the user authenticates once with GitHub, and in another case with Google, the same (user entity) should be used based on the email address.
  • If the user is not allowed to log in yet, bring the user to a landing page where she/he is informed that she/he must ask for permission to access the CodeChecker server. The CodeChecker admin can add the user manually to the allowed_users list.

The user entry should be restricted in two ways:

  • Let in everyone after successful authentication. (Phase I.)
  • Only let in those who are members of the predefined allowed_users group (Phase II.)

Phase II.

Requirements:

  • It should be possible to add users (by an admin) in the web GUI of CodeChecker.
  • It should be possible to add groups too.
  • It should be possible to assign users to groups.
  • It should be possible to list users with the last login date also showing.
  • It should be possible to list group memberships.
  • A built-in predefined group should be added, named allowed_users.
  • The server should be configured in the server_config.json to restrict users based on allowed_users.

Minimum required fields for user addition:

  • Username
  • Email address (unique identifier of a user)
  • The last login date should also be collected and stored in the database.
@vodorok vodorok added GUI 🎨 web 🌍 Related to the web app new feature 👍 New feature request labels Jan 26, 2024
@dkrupp dkrupp changed the title OpenID Connect based authentication OpenID Connect based authentication (oauth) Feb 28, 2024
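
An added example, not part of the issue and not CodeChecker's code: a sketch of the admission decision the requirements describe (one user entity per email address across providers, the Phase I/Phase II `allowed_users` switch, the landing page, and last-login tracking). The class, field and parameter names are hypothetical; it assumes the provider's token has already been validated and carries the standard OIDC `iss`, `sub`, `email` and `email_verified` claims, and it treats email addresses as case-insensitive.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

@dataclass
class User:
    email: str                       # unique identifier of a user, per the issue
    username: str
    last_login: Optional[datetime] = None
    identities: set = field(default_factory=set)  # (iss, sub) pairs seen so far

class Admission:
    """Hypothetical post-authentication gate; names are not CodeChecker's."""

    def __init__(self, restrict_to_allowed_users=False, allowed_users=()):
        self.restrict = restrict_to_allowed_users           # Phase II switch
        self.allowed = {e.strip().lower() for e in allowed_users}
        self.users = {}                                     # email -> User

    def admit(self, claims):
        """Return ("login" | "landing_page" | "reject", User or None)."""
        email = str(claims.get("email") or "").strip().lower()
        iss, sub = claims.get("iss"), claims.get("sub")
        # Merging accounts by e-mail is only safe if the provider vouches for
        # the address; an unverified address must never select a user entity.
        if not (email and iss and sub) or claims.get("email_verified") is not True:
            return "reject", None
        if self.restrict and email not in self.allowed:
            return "landing_page", None                     # must ask the admin
        user = self.users.get(email)
        if user is None:
            user = self.users[email] = User(email, claims.get("preferred_username") or email)
        user.identities.add((iss, sub))
        user.last_login = datetime.now(timezone.utc)
        return "login", user

# Constructed sample claims (already signature-checked by the OIDC library).
CLAIMS_A = {"iss": "https://idp-a.example", "sub": "1001", "email": "Alice@Example.org",
            "email_verified": True, "preferred_username": "alice"}
CLAIMS_B = {"iss": "https://idp-b.example", "sub": "u-77", "email": "alice@example.org",
            "email_verified": True}
CLAIMS_UNVERIFIED = dict(CLAIMS_B, iss="https://idp-c.example", email_verified=False)

if __name__ == "__main__":
    gate = Admission()                                      # Phase I: let in everyone
    for c in (CLAIMS_A, CLAIMS_B, CLAIMS_UNVERIFIED):
        decision, user = gate.admit(c)
        print(c["iss"], decision, user.email if user else None)
```

Recording the `(iss, sub)` pairs next to the email keeps an audit trail of which provider accounts have been merged into one user entity.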