Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FR: Generic OAuth OIDC option for SSO #1090

Open
5 of 6 tasks
jinnatar opened this issue Apr 9, 2024 · 4 comments · May be fixed by #1103
Open
5 of 6 tasks

FR: Generic OAuth OIDC option for SSO #1090

jinnatar opened this issue Apr 9, 2024 · 4 comments · May be fixed by #1103
Labels
status: triage Scope to be determined

Comments

@jinnatar
Copy link

jinnatar commented Apr 9, 2024
edited

Feature Description

Instead of implementing every OAuth provider under the sun, support standard OpenID Connect (OIDC). Most brand name providers could actually be implemented via the exact same integration giving an admin freedom to implement a provider you don't want to provide on the flagship instance.

Use Case

An organization implementing esigning on-premise is likely to have an identity provider in use and the diversity in the field is quite vast. Providing a well documented standard generic option for defining SSO gives them a way to plug it in on their own. OIDC is a modern alternative for SAML and well supported in IDMs. It's also significantly easier to configure for everyone involved than SAML.

Proposed Solution

Utilize the NextAuth OAuth provider, allowing plugging in required config values via ENV variables. To simplify, only support the "well-known" autoconfig path. (Well supported by most identity providers, even open source ones.)

The parameters that need to be collected from ENV variables are:

  • OIDC endpoint, i.e. the parameter to provide the next-auth wellKnown host part.
  • Client ID, i.e. the clientId parameter.
  • Client secret, i.e. the clientSecret parameter.
  • Provider name, i.e. how do to label the button for selecting it.

Perhaps optional to be configurable, since there are reasonable defaults:

  • Checks. For example state & pkce should be a reasonable default. If PKCE is not default enabled, an option needs to exist to enable it.
  • Scopes. openid email profile should be a reasonable default.

Alternatives (optional)

No response

Additional Context

Please check the boxes that apply to this feature request.

  • I have searched the existing feature requests to make sure this is not a duplicate.
  • I have provided a detailed description of the requested feature.
  • I have explained the use case or scenario for this feature.
  • I have included any relevant technical details or design suggestions.
  • I understand that this is a suggestion and that there is no guarantee of implementation.
  • I want to work on creating a PR for this issue if approved
@github-actions GitHub Actions
Copy link

github-actions bot commented Apr 9, 2024

Thank you for opening your first issue and for being a part of the open signing revolution!

One of our team members will review it and get back to you as soon as it possible 💚

Meanwhile, please feel free to hop into our community in Discord

@tankerkiller125
Copy link

tankerkiller125 commented Apr 12, 2024
edited

Digging into some of the code, this looks simple enough I might try implementing it myself this weekend. (It's been years since I touched NodeJS projects, but this looks pretty straight forward the more I look at it.

Once of the questions I have though, would it make sense to support an array of OIDC providers? So instead of only defining a single OIDC provider, you could define several?

@jinnatar
Copy link
Author

That could make sense for a more public instance such as the flagship. I imagine though that hobbyists and various organizations tend to have only one provider in use.

@tankerkiller125 tankerkiller125 linked a pull request Apr 14, 2024 that will close this issue
Open
5 tasks
@tankerkiller125
Copy link

I think that most orgs only have one provider, but with Microsoft now doing their "Multi-Tenant Orgs" feature available in public preview, I know of several orgs that intend to split out their Azure AD by division/sub-companies, which would require multiple OIDC providers if they shared a single documenso install.

With that said, for now I've created the PR with a single provider in mind since that should cover most orgs that would be looking to use documenso I think, along with general home self-hosters that have SSO implementations.

@adithyaakrishna adithyaakrishna added status: triage Scope to be determined and removed needs triage labels May 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
status: triage Scope to be determined
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: add oidc support tankerkiller125/documenso
3 participants
@jinnatar @tankerkiller125 @adithyaakrishna