-
Notifications
You must be signed in to change notification settings - Fork 226
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add OpenID Connect auth support #2194
base: master
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -99,4 +99,26 @@ def shibboleth | |
set_flash_message(:notice, :success, kind: "Shibboleth") if is_navigational_format? | ||
end | ||
end | ||
|
||
def openid_connect | ||
if user_signed_in? | ||
if (data = request.env["omniauth.auth"]) && current_user.authentications.where(provider: data["provider"], | ||
uid: data["uid"]).empty? | ||
current_user.authentications.create(provider: data["provider"], | ||
uid: data["uid"]) | ||
end | ||
redirect_to root_path | ||
else | ||
@user = User.find_for_openid_connect_oauth(request.env["omniauth.auth"], current_user) | ||
unless @user | ||
# automatic cleanup of devise.* after sign in | ||
session["devise.openid_connect_data"] = request.env["omniauth.auth"].except("extra") | ||
@user = User.add_oauth_if_user_exists session | ||
@user ||= User.new_with_session(nil, session) | ||
end | ||
Comment on lines
+112
to
+118
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🛠️ Refactor suggestion Consider adding error handling for authentication failures. While the code handles the case when a user is not found, it doesn't handle potential failures during user creation or authentication. else
@user = User.find_for_openid_connect_oauth(request.env["omniauth.auth"], current_user)
- unless @user
+ if @user.nil?
# automatic cleanup of devise.* after sign in
session["devise.openid_connect_data"] = request.env["omniauth.auth"].except("extra")
@user = User.add_oauth_if_user_exists session
@user ||= User.new_with_session(nil, session)
+
+ if @user&.new_record?
+ flash[:alert] = "Failed to create user from OpenID Connect data"
+ redirect_to new_user_registration_url and return
+ end
end
|
||
|
||
sign_in_and_redirect @user, event: :authentication | ||
set_flash_message(:notice, :success, kind: "OpenID_Connect") if is_navigational_format? | ||
end | ||
end | ||
thezzisu marked this conversation as resolved.
Show resolved
Hide resolved
|
||
end |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -227,6 +227,10 @@ | |
config.omniauth :google_oauth2, "", "", setup: lambda{ |env| | ||
env['omniauth.strategy'].options.merge!(OauthConfigController.get_oauth_credentials :google_oauth2) | ||
} | ||
# Set up OpenID Connect interceptor | ||
config.omniauth :openid_connect, setup: lambda{ |env| | ||
env['omniauth.strategy'].options.merge!(OauthConfigController.get_oauth_credentials :openid_connect) | ||
} | ||
Comment on lines
+230
to
+233
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 💡 Codebase verification Based on the implementation details found, I can now provide a final response: OIDC configuration has security concerns that need addressing The current implementation has several security gaps:
Required changes:
🔗 Analysis chainVerify OIDC configuration management security. The credentials are loaded at runtime which is good for flexibility, but ensure:
Let me gather more information about the configuration validation and security measures. Let me try a different approach to find the implementation details. 🏁 Scripts executedThe following scripts were executed for the analysis: Script: #!/bin/bash
# Check for potential security issues in configuration management
# Look for OIDC configuration files
echo "Searching for OIDC configuration files..."
fd -t f -e yml -e yaml | rg -i "oauth|oidc"
# Check for potential credential exposure in version control
echo "Checking for potential credential exposure..."
rg -i "client_secret|client_id|private_key"
Length of output: 10075 Script: #!/bin/bash
# Check for OIDC configuration validation and security measures
# Look for OauthConfigController implementation
echo "Checking OauthConfigController implementation..."
ast-grep --pattern 'def get_oauth_credentials'
# Check for encryption/security related code
echo "Checking for encryption/security measures..."
rg -i "encrypt|secure|validate" app/controllers/oauth_config_controller.rb
# Check for configuration storage location and access controls
echo "Checking configuration storage..."
rg -i "config.*store|save.*config" app/controllers/oauth_config_controller.rb
Length of output: 488 Script: #!/bin/bash
# Search for the entire OauthConfigController class and related files
echo "Searching for OauthConfigController implementation..."
rg -l "class OauthConfigController"
echo "Looking for the file content..."
fd -t f oauth_config_controller.rb -x cat {}
echo "Checking for configuration files handling..."
rg -g "*.rb" -i "yaml|yml.*load|credentials.*load" app/controllers/
Length of output: 6506 |
||
|
||
|
||
# ==> Warden configuration | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,56 @@ | ||
# OpenID Connect Integration Setup | ||
|
||
OpenID Connect (OIDC) is a modern authentication protocol built on top of OAuth 2.0. It allows applications to verify user identities through an external identity provider (IdP). By implementing OIDC, you can enable students to sign into Autolab using a third-party identity provider (e.g., your institution's CAS). | ||
|
||
This guide will walk you through setting up Autolab with your chosen IdP. | ||
|
||
## Registration Process | ||
|
||
First, register your Autolab instance with your IdP. While the registration process varies across different OIDC IdP implementations, there are several key parameters to configure: | ||
|
||
- `redirect_url`: Must be set to `{scheme}://{your_autolab_instance}/auth/users/auth/openid_connect/callback` | ||
- For production environments, always use `https` as the scheme. Only use `http` for local development. | ||
- Carefully specify `your_autolab_instance` to exactly match your deployment configuration and access URL. | ||
- `client_id`: | ||
- Some IdPs allow you to specify a custom `client_id`, while others generate a unique identifier automatically. Either way, you'll need this ID for the next step. | ||
- `client_secret`: | ||
- Upon registration completion, the IdP typically generates a unique and secure `client_secret`. | ||
- Store this secret securely (e.g., using environment variables or secure credential storage). | ||
- Never commit the secret to version control or share it in public forums. | ||
|
||
## Configuring Autolab for OpenID Connect | ||
|
||
To enable OIDC in Autolab, create or modify the `Autolab/config/oauth_config.yml` file with the following configuration: | ||
|
||
```yml | ||
--- | ||
openid_connect: | ||
# Example configuration for Auth0 with sample credentials | ||
issuer: https://dev-s5lhkwr76zowpqbs.us.auth0.com/ | ||
discovery: true | ||
uid_field: 'sub' | ||
client_auth_method: other | ||
scope: ['openid', 'email', 'profile'] | ||
send_nonce: false | ||
client_options: | ||
identifier: 4RfbkCTRdfxQYs7vVABzHbWDwkpq58u6 | ||
secret: O6vwmDkp31jE63r_VLR8SKvcIBFdrUqvnm1wv958DRJTFEiCOQsLU7haPobqmVwi | ||
redirect_uri: http://localhost:3303/auth/users/auth/openid_connect/callback | ||
``` | ||
thezzisu marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
The configuration options under `openid_connect` correspond to the [`omniauth_openid_connect` package settings](https://github.com/omniauth/omniauth_openid_connect/tree/master?tab=readme-ov-file#options-overview). | ||
|
||
Map the `client_options.identifier` and `client_options.secret` to the `client_id` and `client_secret` obtained during registration. For other fields, consult both the `omniauth_openid_connect` documentation and your IdP's documentation to determine the required fields and appropriate values. | ||
|
||
### Required Claims | ||
|
||
Ensure your IdP's ID token includes the following claims (configure via `scope` or your IdP's management console): | ||
|
||
- `email` | ||
- `name` OR `first_name` and `last_name` | ||
- If both `first_name` and `last_name` are provided, they will be used for the user's name | ||
- If only `name` is provided, it will be used as `first_name`, and `last_name` will be empty | ||
|
||
After updating `oauth_config.yml` and restarting Autolab, you can verify the configuration in Autolab's **OAuth Integration** settings page: | ||
|
||
![OIDC Setup Screenshot](/images/openid_setup.png) | ||
thezzisu marked this conversation as resolved.
Show resolved
Hide resolved
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
💡 Codebase verification
OpenID Connect implementation found but needs enhancement
The
find_for_openid_connect_oauth
method is implemented in the User model but appears to have minimal functionality:Suggested improvements:
🔗 Analysis chain
Verify User model implementation for OpenID Connect.
Ensure that the
User
model implements the required methods for OIDC authentication.Let me try a different approach to search for these methods using
rg
which might be more effective for Ruby files.🏁 Scripts executed
The following scripts were executed for the analysis:
Script:
Length of output: 476
Script:
Length of output: 1163