Consideration on generic OAuth? #134
KeyCloak (https://www.keycloak.org) can be used as a self-hosted OAuth provider and there are certainly other options. I am not aware of any generic OAuth provider. LibreOffice adapted the plugin (actually forked it?) to use this plugin with LemonLDAP::NG, see this issue upstream for more details: [1].

And what about a generic OpenID Connect provider (like the one for Jenkins)?
@vaceletm thanks for the pointer. It should be doable, of course. However, there is already a complication, see:

```java
if("auto".equals(automanualconfigure)) {
    // Get the well-known configuration from the specified URL
    this.wellKnownOpenIDConfigurationUrl = Util.fixEmpty(wellKnownOpenIDConfigurationUrl);
    URL url = new URL(wellKnownOpenIDConfigurationUrl);
    HttpRequest request = httpTransport.createRequestFactory().buildGetRequest(new GenericUrl(url));
    com.google.api.client.http.HttpResponse response = request.execute();
    WellKnownOpenIDConfigurationResponse config = OicSecurityRealm.JSON_FACTORY
            .fromInputStream(response.getContent(), Charset.defaultCharset(),
                    WellKnownOpenIDConfigurationResponse.class);
    this.authorizationServerUrl = config.getAuthorizationEndpoint();
    this.tokenServerUrl = config.getTokenEndpoint();
    this.userInfoServerUrl = config.getUserinfoEndpoint();
    this.scopes = config.getScopesSupported() != null && !config.getScopesSupported().isEmpty() ? StringUtils.join(config.getScopesSupported(), " ") : "openid email";
    this.logoutFromOpenidProvider = logoutFromOpenidProvider != null;
    this.endSessionEndpoint = config.getEndSessionEndpoint();
} else {
    this.authorizationServerUrl = authorizationServerUrl;
    this.tokenServerUrl = tokenServerUrl;
    this.userInfoServerUrl = userInfoServerUrl;
    this.scopes = Util.fixEmpty(scopes) == null ? "openid email" : scopes;
    this.wellKnownOpenIDConfigurationUrl = null; // Remove the autoconfig URL
    this.logoutFromOpenidProvider = logoutFromOpenidProvider;
    this.endSessionEndpoint = endSessionEndpoint;
}
```

For example, Google supports the well-known openid-configuration of the OpenID Connect standard: [1], and the response is here:

But GitHub does not, see: [2].

[1] https://accounts.google.com/.well-known/openid-configuration
Yes, it's a known issue that GitHub doesn't fully respect the OIDC standards. Microsoft Azure doesn't respect it either, BTW. Of course, having the possibility to add a generic OIDC server will not solve the issue with providers that don't implement the spec. And for those, there is no other way than the specific implementation anyway as, of course, each of them fails to follow the spec in a different manner. But at least it opens the possibility to all the providers that do respect the spec.

Let's assume we implement a new generic Auth plugin: The one obvious configuration of this plugin would be: What would users do if they would like to use it for GitHub, Microsoft Azure and other OIDC providers that don't implement the standard? Should the new plugin Another option would be to not support non-standard providers at all, and defer to the non-generic oidcs-plugin:

I don't know if generic providers deserve a dedicated plugin (as it's done for Jenkins). In my understanding it's more a provider in the way you already list them. This generic provider would be more or less the same code as the Google one but with the endpoints configurable. Of course, if people use the "generic" provider with GitHub endpoints it won't work, but since they will have the 'github' provider in the very same list it's unlikely that they will do that. Another way to see the problem is that a compliant provider is "just" the generic one with hardcoded URLs for endpoints.

What you are saying is: this plugin currently supports, say, 10 different OAuth providers. It could support another 100. Or it could support a generic one, so that we could use the generic one to add all possible 100 providers that support the OIDC standard. IOW, the only configuration for a generic OAuth provider in the existing (or a new) plugin would be:
Correct.
Almost.
Depending on the implementation (and/or the willingness of the maintainer...) you could have both.

Just to say that Azure provides an endpoint for OpenID Connect configuration. Registered apps can get an ID token and an access token.

Just my two cents: OpenID Connect Core can be used without OpenID Connect Discovery, which is perfectly fine by the spec. You just have to configure the endpoints/settings manually.
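The two configuration paths discussed in this thread (the "auto" branch that reads a `.well-known/openid-configuration` document, and the manual branch that takes endpoints from the admin, as OIDC Core without Discovery allows) are shown together below as an added example; it is not code from the Gerrit plugin or the Jenkins plugin. The discovery document is a constructed sample, the `example.test` hosts are placeholders, and the issuer and https checks are the ones a defender would want before trusting fetched endpoints.

```python
import json
from urllib.parse import urlsplit

DEFAULT_SCOPES = "openid email"  # same fallback as the Jenkins snippet above

# Constructed sample discovery document (not any real provider's response);
# the keys are the standard ones the Jenkins snippet reads.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/auth",
    "token_endpoint": "https://idp.example.test/token",
    "userinfo_endpoint": "https://idp.example.test/userinfo",
    "end_session_endpoint": "https://idp.example.test/logout",
    "scopes_supported": ["openid", "email", "profile"],
})

def _require_https(name, url):
    """Endpoints carry codes and tokens, so only absolute https URLs are accepted."""
    parts = urlsplit(url) if isinstance(url, str) else None
    if parts is None or parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"{name} must be an absolute https URL, got {url!r}")
    return url

def config_from_discovery(document, expected_issuer):
    """'auto' mode: endpoints come from a .well-known/openid-configuration body.

    OIDC Discovery requires the document's issuer to equal the issuer it was
    fetched for; checking it stops a document from standing in for another IdP.
    """
    cfg = json.loads(document)
    if cfg.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: {cfg.get('issuer')!r}")
    scopes = cfg.get("scopes_supported")
    return {
        "authorization": _require_https("authorization_endpoint", cfg.get("authorization_endpoint")),
        "token": _require_https("token_endpoint", cfg.get("token_endpoint")),
        "userinfo": cfg.get("userinfo_endpoint"),
        "end_session": cfg.get("end_session_endpoint"),
        "scopes": " ".join(scopes) if scopes else DEFAULT_SCOPES,
    }

def config_manual(authorization, token, userinfo=None, end_session=None, scopes=None):
    """'manual' mode: OIDC Core without Discovery; the admin supplies endpoints."""
    return {
        "authorization": _require_https("authorization_endpoint", authorization),
        "token": _require_https("token_endpoint", token),
        "userinfo": userinfo,
        "end_session": end_session,
        "scopes": scopes.strip() if scopes and scopes.strip() else DEFAULT_SCOPES,
    }
```

A provider without a discovery document (the GitHub case above) goes through `config_manual`; a blank scope string falls back to `openid email` exactly as the Java `Util.fixEmpty` branch does.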
Why was this ignored and never implemented? It's a very legitimate use case. Also, Dex doesn't require that you use the path /dex/auth, and Dex does support /.well-known/openid-configuration.

I was interested in knowing if I could get this working with authentik [1], but it seems that there is no way to use a generic one, as this issue states. It even provides a GitHub-compatible endpoint, but since the URLs are hardcoded we'd need to compile the plugin ourselves.

I ended up proposing an Authentik OAuth provider instead [1] and added support to that for linking existing LDAP accounts for migrating. [1] https://gerrit-review.googlesource.com/c/plugins/oauth/+/388034

+1, the generic provider would be very like the other providers; it would be really kind to support it.

I just realized that we have to apply specific OAuth providers. In terms of unlisted providers or self-hosted OAuth services, is there any good solution?
Or is there any consideration for not having custom OAuth provider support?
(Maybe there obviously is one, but I haven't seen it.)