Commit graph

15 commits

Author SHA1 Message Date
Joseph Schorr
002972fc2f Read OIDC issuer from the OIDC discovery document, if present 2017-04-07 11:39:34 -04:00
Joseph Schorr
157640e696 Add config validator for OIDC logins 2017-02-28 16:18:19 -05:00
Joseph Schorr
198bdf88bc Move OAuth login into its own endpoints module 2017-02-16 16:27:54 -05:00
Joseph Schorr
cc4258c015 Blacklist any OIDC service ids that may conflict with our own 2017-02-16 16:27:53 -05:00
Joseph Schorr
2c35383724 Allow OAuth and OIDC login engines to bind to fields in internal auth
This feature is subtle but very important: Currently, when a user logs in via an "external" auth system (such as Github), they are either logged into an existing bound account or a new account is created for them in the database. While this normally works jut fine, it hits a roadblock when the *internal* auth system configured is not the database, but instead something like LDAP. In that case, *most* Enterprise customers will prefer that logging in via external auth (like OIDC) will also *automatically* bind the newly created account to the backing *internal* auth account. For example, login via PingFederate OIDC (backed by LDAP) should also bind the new QE account to the associated LDAP account, via either username or email. This change allows for this binding field to be specified, and thereafter will perform the proper lookups and bindings.
2017-02-16 16:27:53 -05:00
Joseph Schorr
f5dbc350f8 Fix missed tests and revert conftest change (breaks docker build) 2017-01-30 17:28:25 -05:00
Joseph Schorr
cf6033b423 Move http_client fixture to root-level conftest 2017-01-30 11:40:45 -05:00
Joseph Schorr
f8deb85751 Clarify OAuth logging message when missing access_token 2017-01-26 12:01:55 -05:00
Joseph Schorr
ce5fafcbd8 Fix pylint ignores to use names 2017-01-26 12:00:54 -05:00
Joseph Schorr
90b6a534c1 Change verify param in OIDC to read better 2017-01-26 12:00:43 -05:00
Joseph Schorr
8573535b8c Add comment clarifying how we validate client {ID, secret} in Gitlab 2017-01-24 15:20:19 -05:00
Joseph Schorr
adb2ff0b81 Switch base classes in OAuth to use ABC 2017-01-24 15:20:03 -05:00
Joseph Schorr
a9791ea419 Have external login always make an API request to get the authorization URL
This makes the OIDC lookup lazy, ensuring that the rest of the registry and app continues working even if one OIDC provider goes down.
2017-01-23 19:06:19 -05:00
Joseph Schorr
fda203e4d7 Add proper and tested OIDC support on the server
Note that this will still not work on the client side; the followup CL for the client side is right after this one.
2017-01-23 17:53:34 -05:00
Joseph Schorr
19f7acf575 Lay foundation for truly dynamic external logins
Moves all the external login services into a set of classes that share as much code as possible. These services are then registered on both the client and server, allowing us in the followup change to dynamically register new handlers
2017-01-20 15:21:08 -05:00