Commit graph

22 commits

Author SHA1 Message Date
Joseph Schorr
c55ad59f1f Allow admins to configure the login scopes for OIDC login
Some OIDC implementations return a larger set of scopes than is necessary, so we allow admins to override.
2017-12-06 15:54:26 -05:00
Joseph Schorr
f51a863158 Remove access_token from user_info 2017-10-02 16:51:09 -04:00
Joseph Schorr
bc82edb2d1 Add ability to configure OIDC internal auth engine via superuser panel 2017-09-12 12:23:52 -04:00
Joseph Schorr
e724125459 Add support for using OIDC tokens via the Docker CLI 2017-09-12 12:23:22 -04:00
Joseph Schorr
751598056e Enable support in OIDC for endpoints without user info support
The user info endpoint is apparently optional.
2017-08-01 13:24:27 -04:00
Joseph Schorr
c0cc574ca2 Add Authorization header with token to user info call
While not required, it is recommended to send the token as an Authorization header to the UserInfo call in OIDC: http://openid.net/specs/openid-connect-core-1_0.html#UserInfo

Some implementations expect this and will fail if not present
2017-04-27 11:24:12 -04:00
Joseph Schorr
0c7bac26b7 Add additional debug logs to OIDC auth to make debugging easier 2017-04-07 11:48:53 -04:00
Joseph Schorr
002972fc2f Read OIDC issuer from the OIDC discovery document, if present 2017-04-07 11:39:34 -04:00
Joseph Schorr
157640e696 Add config validator for OIDC logins 2017-02-28 16:18:19 -05:00
Joseph Schorr
198bdf88bc Move OAuth login into its own endpoints module 2017-02-16 16:27:54 -05:00
Joseph Schorr
cc4258c015 Blacklist any OIDC service ids that may conflict with our own 2017-02-16 16:27:53 -05:00
Joseph Schorr
2c35383724 Allow OAuth and OIDC login engines to bind to fields in internal auth
This feature is subtle but very important: Currently, when a user logs in via an "external" auth system (such as Github), they are either logged into an existing bound account or a new account is created for them in the database. While this normally works jut fine, it hits a roadblock when the *internal* auth system configured is not the database, but instead something like LDAP. In that case, *most* Enterprise customers will prefer that logging in via external auth (like OIDC) will also *automatically* bind the newly created account to the backing *internal* auth account. For example, login via PingFederate OIDC (backed by LDAP) should also bind the new QE account to the associated LDAP account, via either username or email. This change allows for this binding field to be specified, and thereafter will perform the proper lookups and bindings.
2017-02-16 16:27:53 -05:00
Joseph Schorr
f5dbc350f8 Fix missed tests and revert conftest change (breaks docker build) 2017-01-30 17:28:25 -05:00
Joseph Schorr
cf6033b423 Move http_client fixture to root-level conftest 2017-01-30 11:40:45 -05:00
Joseph Schorr
f8deb85751 Clarify OAuth logging message when missing access_token 2017-01-26 12:01:55 -05:00
Joseph Schorr
ce5fafcbd8 Fix pylint ignores to use names 2017-01-26 12:00:54 -05:00
Joseph Schorr
90b6a534c1 Change verify param in OIDC to read better 2017-01-26 12:00:43 -05:00
Joseph Schorr
8573535b8c Add comment clarifying how we validate client {ID, secret} in Gitlab 2017-01-24 15:20:19 -05:00
Joseph Schorr
adb2ff0b81 Switch base classes in OAuth to use ABC 2017-01-24 15:20:03 -05:00
Joseph Schorr
a9791ea419 Have external login always make an API request to get the authorization URL
This makes the OIDC lookup lazy, ensuring that the rest of the registry and app continues working even if one OIDC provider goes down.
2017-01-23 19:06:19 -05:00
Joseph Schorr
fda203e4d7 Add proper and tested OIDC support on the server
Note that this will still not work on the client side; the followup CL for the client side is right after this one.
2017-01-23 17:53:34 -05:00
Joseph Schorr
19f7acf575 Lay foundation for truly dynamic external logins
Moves all the external login services into a set of classes that share as much code as possible. These services are then registered on both the client and server, allowing us in the followup change to dynamically register new handlers
2017-01-20 15:21:08 -05:00