feat: add OIDC SSO authentication #1107
Merged
Add OpenID Connect single sign-on, mirroring the existing SAML flow.
- config: OIDC_ENABLED, OIDC_IDP_NAME, OIDC_DISCOVERY_URL, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET, OIDC_SCOPES, configurable claim names and OIDC_SKIP_2FA
- utils/oidc.py: Authlib client factory + claim-mapping helpers
- app init: register the OIDC client on app.extensions when enabled
- auth routes: /auth/oidc/login (redirect with PKCE) and /auth/oidc/callback (validate ID token, match user by email or auto-provision, set JWT cookies)
- honour ENFORCE_2FA unless OIDC_SKIP_2FA is set
- reject logins whose email_verified claim is explicitly false
- expose oidc_enabled / oidc_idp_name via /api/config
- add Authlib dependency
- tests for claim mapping, provisioning/linking, email-verified and 2FA gating
- document the OIDC configuration variables

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Authlib 1.7.x depends on joserfc, which requires cryptography>=45. pysaml2 caps pyopenssl<24.3.0, and every pyopenssl in that range caps cryptography<44. The resolver reconciles this by falling back to the ancient pyopenssl 22.0.0 (no upper cryptography bound) + cryptography 48, a pair that is broken at runtime (ImportError on OpenSSL X509 flags) and made the whole test suite INTERNALERROR at import time. Authlib 1.6.x has no joserfc dependency (requires only 'cryptography'), so the resolver settles on pyopenssl 24.2.1 + cryptography 43.x, which is compatible. The OIDC code uses only stable flask_client APIs present in 1.6.x.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Contributor
Thank you for your contribution!
Contributor (Author)
@frankrousseau You got it! Just something I coded for my studio that's useful for others. Side note: are you guys planning on redoing the docs site soon? There's a bunch of stuff that I feel like just isn't covered at all on the docs site that would be super helpful (obviously as well as this new feature and config reference). I would have proposed changes myself but couldn't find the docs repo.
What
Adds OpenID Connect (OIDC) single sign-on, mirroring the existing SAML flow. A deployer configures a single OIDC provider via env vars; users get a "Login with " button that redirects through the provider and returns with the same JWT cookies the app already uses.
Backend changes
- config: `OIDC_ENABLED`, `OIDC_IDP_NAME`, `OIDC_DISCOVERY_URL`, `OIDC_CLIENT_ID`, `OIDC_CLIENT_SECRET`, `OIDC_SCOPES`, overridable claim names, `OIDC_SKIP_2FA`
- `utils/oidc.py`: Authlib client factory + claim-mapping/email-verified helpers
- app init: register the OIDC client on `app.extensions` when enabled
- auth routes: `/auth/oidc/login` (PKCE redirect) and `/auth/oidc/callback` (validate ID token -> match by email or auto-provision -> set JWT cookies)
- honour `ENFORCE_2FA` unless `OIDC_SKIP_2FA`; reject `email_verified == false`
- expose `oidc_enabled`/`oidc_idp_name` via `/api/config`
- docs: `specs/configuration.md`

Design
- `OIDC_SKIP_2FA` (off = `ENFORCE_2FA` applies; on = trust IdP)

Companion PR
Backend half - pairs with the Kitsu frontend PR cgwire/kitsu#2051 (OIDC login button). Merge together.
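An added example, not code from this PR or from the Zou code base, showing the callback decisions the description lists (configurable claim mapping, the "explicitly false" `email_verified` rule, `ENFORCE_2FA` vs `OIDC_SKIP_2FA` gating, match-by-email vs auto-provision) plus the S256 PKCE pair that rides on the `/auth/oidc/login` redirect. It deliberately uses no Authlib or Flask so it runs offline; the default claim names (`given_name`/`family_name`), the `users_by_email` dict keyed by lowercase email, and the sample claims are my assumptions.

```python
import base64
import hashlib
import secrets

# Default claim names; the PR makes these overridable via config (values here are my assumption).
DEFAULT_CLAIM_NAMES = {"email": "email", "first_name": "given_name", "last_name": "family_name"}
# Constructed sample: claims as they might come back from a validated ID token.
SAMPLE_CLAIMS = {"email": "Ada@Example.org", "given_name": "Ada", "family_name": "Lovelace", "email_verified": True}

def _s256(verifier):
    # base64url(SHA-256(verifier)) without padding: the S256 transform of RFC 7636
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def make_pkce_pair():
    """Return (code_verifier, code_challenge); the challenge rides on the /auth/oidc/login redirect."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, _s256(verifier)

def pkce_challenge_matches(verifier, challenge):
    """The check the provider's token endpoint performs when the callback redeems the code."""
    return secrets.compare_digest(_s256(verifier), challenge)

def map_claims(id_token_claims, claim_names=None):
    """Pull user fields out of already-validated ID-token claims using configurable claim names."""
    names = {**DEFAULT_CLAIM_NAMES, **(claim_names or {})}
    email = id_token_claims.get(names["email"])
    if not email:
        raise ValueError("ID token carries no email claim; cannot match or provision a user")
    return {
        "email": email.strip().lower(),  # normalise so the lookup matches the stored address
        "first_name": id_token_claims.get(names["first_name"], ""),
        "last_name": id_token_claims.get(names["last_name"], ""),
    }

def email_verified_ok(id_token_claims):
    """Reject only when email_verified is explicitly false; an absent claim is not a rejection."""
    return id_token_claims.get("email_verified") is not False

def two_factor_required(enforce_2fa, oidc_skip_2fa):
    """ENFORCE_2FA still gates OIDC logins unless OIDC_SKIP_2FA says to trust the IdP."""
    return bool(enforce_2fa) and not bool(oidc_skip_2fa)

def resolve_login(id_token_claims, users_by_email, claim_names=None):
    """Callback outcome: ("linked", user) for a known email, ("provisioned", fields) otherwise."""
    if not email_verified_ok(id_token_claims):
        raise PermissionError("IdP reports the email address as unverified")
    fields = map_claims(id_token_claims, claim_names)
    user = users_by_email.get(fields["email"])
    return ("linked", user) if user is not None else ("provisioned", fields)
```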