oidc: enable mozilla django oidc and hack in login/logout buttons for SSO #2464
If the OIDC server includes role information in the userinfo, it will be checked for admin and moderator roles, which will be applied to the user on each login. If OIDC_ENABLED=true then the normal login forms will be replaced with the (currently unstyled) "Login with OIDC" link. This also silences some of the debugging printouts.
I think I've solved all of the issues that I can other than the site setup hack to not create the admin user and also switch off registrations.
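The description above says that admin and moderator roles from the provider's userinfo are applied to the user on each login. The following is an added example (not code from this PR or from bookwyrm) of what that claim-to-role mapping looks like as plain Python, written so that a role revoked at the SSO is also revoked locally at the next login and a missing or malformed claim grants nothing. It assumes the provider sends roles under a Keycloak-style `realm_access.roles` claim and uses hypothetical role names `bookwyrm-admin` and `bookwyrm-moderator`; both are assumptions to adapt to the actual deployment.

```python
"""Map OIDC userinfo roles to local admin/moderator flags on every login.

Added example, not code from the bookwyrm PR. It assumes the identity
provider puts roles under a Keycloak-style "realm_access" -> "roles"
claim (an assumption; adapt to your provider) and that the local user
model has is_superuser and is_moderator booleans.
"""
from dataclasses import dataclass

# Assumed role names; a real deployment would read these from settings.
ADMIN_ROLE = "bookwyrm-admin"
MODERATOR_ROLE = "bookwyrm-moderator"


@dataclass
class LocalUser:
    """Stand-in for the local user record updated at login."""
    username: str
    is_superuser: bool = False
    is_moderator: bool = False


def roles_from_claims(claims: dict) -> set[str]:
    """Extract the set of role strings from a userinfo / ID-token claim set.

    Returns an empty set when the claim is missing or malformed, so a
    provider that sends no usable role data never grants elevated access.
    """
    realm_access = claims.get("realm_access")
    if not isinstance(realm_access, dict):
        return set()
    roles = realm_access.get("roles")
    if not isinstance(roles, list):
        return set()
    return {r for r in roles if isinstance(r, str)}


def apply_roles(user: LocalUser, claims: dict) -> LocalUser:
    """Synchronise local privilege flags with the provider on each login.

    Both flags are assigned from the current claims rather than OR-ed with
    the stored values, so a role removed at the SSO disappears locally the
    next time the user logs in.
    """
    roles = roles_from_claims(claims)
    user.is_superuser = ADMIN_ROLE in roles
    user.is_moderator = MODERATOR_ROLE in roles
    return user


if __name__ == "__main__":
    # Constructed sample claims: the user was an admin before, but the
    # provider now only reports the moderator role.
    sample_claims = {
        "sub": "1234",
        "preferred_username": "alice",
        "realm_access": {"roles": ["bookwyrm-moderator", "offline_access"]},
    }
    alice = apply_roles(LocalUser("alice", is_superuser=True), sample_claims)
    print(alice)  # is_superuser=False, is_moderator=True
```

Calling `apply_roles` from the backend's `create_user` and `update_user` hooks is what makes the mapping happen on every login rather than only at account creation.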
Configuring the SSO to work with Keycloak should only require setting a few parameters. Other OIDC providers have not been tested.
Passwords and email cannot be changed through bookwyrm's preferences since they are managed by the SSO system. 2FA is also handled through the SSO, so it cannot be enabled. Accounts can be deleted, although this will not delete them from the SSO. What happens if they try to re-login?
Fixed the pylint issues, although I'm not sure how to address the failed pytest run https://github.com/bookwyrm-social/bookwyrm/actions/runs/3612489859
Dang, I'm not sure why that test is failing either! I'll try to take another look through it later this week. Is it possible to support OIDC and regular authentication simultaneously?
Supporting both normal login and OIDC is probably possible, maybe by overloading the If we do go down that road, this extra logging looks like it will be useful: https://mozilla-django-oidc.readthedocs.io/en/stable/installation.html#troubleshooting
Looks like there is a minor usability issue with django refreshing the auth tickets similar to mozilla/mozilla-django-oidc#435 (comment) I see multiple requests in the logs very quickly, so it seems like the race condition is the problem. Their second suggestion of setting
now I'm at a loss as to how the tests are working... by moving the I'm also trying to track down the session refresh failures. The
when the token times out, the notification API endpoint gets redirected to the OIDC refresh endpoint, except that the XHR doesn't honor the redirect.
When a "real" page load is done by the user, the redirect works:
This means that as long as the user is still active, the refresh should work correctly. If they leave their browser for a while, eventually they are outside of the refresh period and they are unable to get a new token.
Looks like this might be the way to handle it: https://mozilla-django-oidc.readthedocs.io/en/stable/xhr.html Unfortunately the code in
I thought the client secret was for bookwyrm to authenticate to the SSO system and is never revealed to the users, so I'm not sure where the threat of leaking the secret is here. Plus the idea is that there is a single approved SSO that bookwyrm is trusting for auth, which means that there is no way for users to login or signup without going through the SSO (when OIDC is enabled).
------- Original Message -------
On Wednesday, December 14th, 2022 at 5:18 PM, Jascha Urbach wrote:
A little remark: OIDC should be on a single user base - every user should configure their own OIDC provider after signup.
With this code you need to create one OIDC-provider beforehand and use this one for all users (except you run a single user instance, then this works fine) which is a bad idea as all users would share the client secret.
Sorry, I was wrong and got a little bit confused... it is not the I was asking myself why not use https://django-allauth.readthedocs.io/en/latest/ as a library - it supports user creation via OIDC, login, etc. and you can use OIDC as well as User/Pass login. And: It supports not only Keycloak compliant OIDC providers but many more.
I just went through this tutorial to see if allauth would be feasible: http://www.sarahhagstrom.com/2013/09/the-missing-django-allauth-tutorial/ (this tutorial is for having allauth as well as user/password login) it would be some work but can be done...
allauth looks like it is much more general purpose and maybe more useful for some sites that want more flexibility in allowing external logins. One downside is that it requires a new database table, I think. For our use the ease of configuration of the mozilla oidc interface is really useful. Since this PR is (hopefully!) nearing a good state, perhaps you could start another one for allauth and we could compare the two approaches?
Looks like the
WARNING: I don't know how to django. Feel free to suggest better ways to do this!
TODO: