Openid, rebased from https://github.com/NginxProxyManager/nginx-proxy-manager/pull/4010 #1668
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* add `oidc-config` setting allowing an admin user to configure parameters * modify login page to show another button when oidc is configured * add dependency `openid-client` `v5.4.0` * add backend route to process "OAuth2 Authorization Code" flow initialisation * add backend route to process callback of above flow * sign in the authenticated user with internal jwt token if internal user with email matching the one retrieved from oauth claims exists Note: Only Open ID Connect Discovery is supported which most modern Identity Providers offer. Tested with Authentik 2023.2.2 and Keycloak 18.0.2
…ct-authentication
…ct-authentication
as it is already in devDependencies
… to login via OIDC more user-friendly.
…tion Add Cypress tests and documentation
…nect-authentication
…tion Merge upstream and update test expectations
There was a problem hiding this comment.
Pull Request Overview
This PR implements OpenID Connect (OIDC) support by adding a new frontend configuration view, updating controller endpoints, and introducing several backend routes and helper functions to initialize and process OIDC authentication flows.
- Adds the OIDC configuration modal and related view in the frontend.
- Introduces new backend routes to handle OIDC initialization, callback processing, and error redirection.
- Updates setup and API logic to support unauthenticated access for retrieving OIDC configuration.
Reviewed Changes
Copilot reviewed 15 out of 24 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| frontend/js/app/settings/oidc-config/main.js | Implements the OIDC settings modal view. |
| frontend/js/app/controller.js | Adds controller functions for certificate management and settings. |
| frontend/js/app/api.js | Allows unauthenticated GET access for OIDC configuration. |
| backend/setup.js | Ensures the default settings include an entry for OIDC configuration. |
| backend/routes/tokens.js | Clears temporary OIDC cookie after token handling. |
| backend/routes/settings.js | Redacts OIDC configuration and clears related temporary cookies. |
| backend/routes/oidc.js | Adds full OIDC flow including discovery, callback validation, and redirection. |
| backend/routes/main.js | Mounts the new OIDC routes. |
| backend/logger.js | Introduces a dedicated logger for OIDC events. |
| backend/lib/express/jwt-decode.js | Modifies JWT decoding to allow unauthenticated OIDC config retrieval. |
| backend/internal/token.js | Adds helper to generate tokens from OIDC claims. |
Files not reviewed (9)
- backend/package.json: Language not supported
- backend/schema/paths/settings/settingID/put.json: Language not supported
- frontend/js/app/dashboard/main.ejs: Language not supported
- frontend/js/app/settings/list/item.ejs: Language not supported
- frontend/js/app/settings/oidc-config/main.ejs: Language not supported
- frontend/js/i18n/de-lang.json: Language not supported
- frontend/js/i18n/en-lang.json: Language not supported
- frontend/js/i18n/it-lang.json: Language not supported
- frontend/js/login/ui/login.ejs: Language not supported
Signed-off-by: Zoey <zoey@z0ey.de>
Signed-off-by: Zoey <zoey@z0ey.de>
There was a problem hiding this comment.
Pull Request Overview
This PR introduces OpenID Connect (OIDC) support to the application to enable external Identity Provider integration and related authentication flows. Key changes include:
- Adding a new frontend view for OIDC configuration.
- Integrating new OIDC routes and API adjustments for authentication flows.
- Updating backend setup, token handling, and logging to support OIDC.
Reviewed Changes
Copilot reviewed 15 out of 24 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| frontend/js/app/settings/oidc-config/main.js | New view for OIDC configuration added to the settings modal. |
| frontend/js/app/controller.js | New controller methods added for OIDC and certificate-related actions. |
| frontend/js/app/api.js | Adjusted API behavior to allow unauthenticated access for OIDC config. |
| backend/setup.js | Updated default settings setup to include OIDC configuration. |
| backend/routes/tokens.js | Clears temporary OIDC cookie after successful token retrieval. |
| backend/routes/settings.js | Redacts OIDC configuration details and cleans up temporary cookies. |
| backend/routes/oidc.js | Implements OIDC endpoints for initialization, callback, and error handling. |
| backend/routes/main.js | Registers the new OIDC router. |
| backend/logger.js | Adds logging support for OIDC. |
| backend/lib/express/jwt-decode.js | Modifies JWT decode middleware to support unauthenticated OIDC config access. |
| backend/internal/token.js | Introduces a new token generation method based on OAuth claims. |
Files not reviewed (9)
- backend/package.json: Language not supported
- backend/schema/paths/settings/settingID/put.json: Language not supported
- frontend/js/app/dashboard/main.ejs: Language not supported
- frontend/js/app/settings/list/item.ejs: Language not supported
- frontend/js/app/settings/oidc-config/main.ejs: Language not supported
- frontend/js/i18n/de-lang.json: Language not supported
- frontend/js/i18n/en-lang.json: Language not supported
- frontend/js/i18n/it-lang.json: Language not supported
- frontend/js/login/ui/login.ejs: Language not supported
Comments suppressed due to low confidence (2)
backend/lib/express/jwt-decode.js:9
- Calling 'access.token.getUserId()' without ensuring that 'access.token' is defined might lead to a runtime error if the token is null. Consider adding a check to ensure that 'access.token' is not null before calling 'getUserId()'.
let oidc_access = req.url === '/oidc-config' && req.method === 'GET' && !access.token.getUserId();
backend/internal/token.js:88
- [nitpick] Using an instance ('Token') to call a creation method (Token.create) may be confusing. Consider refactoring to use the model's static method directly (e.g., TokenModel.create) or clarifying the design.
let Token = new TokenModel();
Signed-off-by: Zoey <zoey@z0ey.de>
There was a problem hiding this comment.
Pull Request Overview
This PR implements OpenID Connect (OIDC) authentication support and integrates OIDC configuration within the existing settings infrastructure. Key changes include:
- Adding a new frontend view to configure and submit OIDC settings.
- Implementing backend routes for initiating and handling the OIDC authorization flow.
- Updating the settings setup and API endpoints to support OIDC, including cookie handling for temporary data.
Reviewed Changes
Copilot reviewed 15 out of 24 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| frontend/js/app/settings/oidc-config/main.js | New view for the OIDC configuration modal |
| frontend/js/app/controller.js | Added OIDC support in settings form routing |
| frontend/js/app/api.js | Allow unauthenticated access for OIDC config retrieval |
| backend/setup.js | Updates to insert initial oidc-config setting if not present |
| backend/routes/tokens.js | Clears temporary OIDC cookie after successful authentication |
| backend/routes/settings.js | Redacts OIDC configuration and clears relevant temporary cookies |
| backend/routes/oidc.js | New routes implementing the OIDC authorization and callback flows |
| backend/routes/main.js | Registers the new OIDC route |
| backend/logger.js | Adds a dedicated logger for OIDC events |
| backend/lib/express/jwt-decode.js | Adjusts token loading logic for unauthenticated OIDC config requests |
| backend/internal/token.js | Generates a token based on OIDC claims |
Files not reviewed (9)
- backend/package.json: Language not supported
- backend/schema/paths/settings/settingID/put.json: Language not supported
- frontend/js/app/dashboard/main.ejs: Language not supported
- frontend/js/app/settings/list/item.ejs: Language not supported
- frontend/js/app/settings/oidc-config/main.ejs: Language not supported
- frontend/js/i18n/de-lang.json: Language not supported
- frontend/js/i18n/en-lang.json: Language not supported
- frontend/js/i18n/it-lang.json: Language not supported
- frontend/js/login/ui/login.ejs: Language not supported
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Zoey <zoey@z0ey.de>
There was a problem hiding this comment.
Pull Request Overview
This pull request introduces OpenID Connect (OIDC) support by adding a new settings view in the frontend, new backend routes for managing the OAuth flow and callback, and updates to API and middleware components to support unauthenticated access to the OIDC configuration.
- Added an OIDC configuration view and associated settings update in the frontend.
- Implemented new backend routes (oidc.js) for handling OIDC login flows and callbacks.
- Updated API, settings routes, and middleware to support temporary cookies and unauthenticated access where needed.
Reviewed Changes
Copilot reviewed 15 out of 24 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| frontend/js/app/settings/oidc-config/main.js | New OIDC configuration modal and settings update in the UI |
| frontend/js/app/controller.js | New functions to launch modals for certificate management, audit log, and settings |
| frontend/js/app/api.js | API update to allow unauthenticated OIDC configuration access |
| backend/setup.js | Inserts default settings for OIDC configuration if missing |
| backend/routes/tokens.js | Clears temporary OIDC cookies after token generation |
| backend/routes/settings.js | Redacts sensitive OIDC config fields before sending via API |
| backend/routes/oidc.js | New endpoints for initiating and processing the OIDC authorization flow |
| backend/routes/main.js | Registers the new OIDC route |
| backend/logger.js | Adds the OIDC logger scope |
| backend/lib/express/jwt-decode.js | Updates JWT decode middleware for unauthenticated OIDC configuration |
| backend/internal/token.js | Adds token generation for OAuth callback claims |
Files not reviewed (9)
- backend/package.json: Language not supported
- backend/schema/paths/settings/settingID/put.json: Language not supported
- frontend/js/app/dashboard/main.ejs: Language not supported
- frontend/js/app/settings/list/item.ejs: Language not supported
- frontend/js/app/settings/oidc-config/main.ejs: Language not supported
- frontend/js/i18n/de-lang.json: Language not supported
- frontend/js/i18n/en-lang.json: Language not supported
- frontend/js/i18n/it-lang.json: Language not supported
- frontend/js/login/ui/login.ejs: Language not supported
Comments suppressed due to low confidence (2)
frontend/js/app/settings/oidc-config/main.js:42
- [nitpick] Consider using 'view' instead of 'this' for consistency with the 'then' callback, which already uses 'view' to reference the current instance.
this.ui.buttons.prop('disabled', false).removeClass('btn-disabled');
backend/lib/express/jwt-decode.js:9
- Ensure that access.token is not null before calling getUserId() to avoid potential runtime errors.
let oidc_access = req.url === '/oidc-config' && req.method === 'GET' && !access.token.getUserId();
There was a problem hiding this comment.
Pull Request Overview
This pull request introduces OpenID Connect support into the application to allow OIDC-based authentication and configuration. The changes add a new frontend modal for OIDC settings, new backend routes for initiating and handling the OIDC authentication flow, and adjustments to the API and token generation processes.
Reviewed Changes
Copilot reviewed 15 out of 24 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| frontend/js/app/settings/oidc-config/main.js | Adds a modal dialog view to manage OIDC settings in the frontend. |
| frontend/js/app/controller.js | Introduces new controllers for certificate management, audit log, and settings (including OIDC). |
| frontend/js/app/api.js | Allows unauthenticated GET calls for obtaining OIDC configuration. |
| backend/setup.js | Inserts a new default OIDC configuration setting during setup. |
| backend/routes/tokens.js | Clears temporary cookies following a successful OIDC authentication. |
| backend/routes/settings.js | Redacts OIDC configuration details and clears temporary cookies in the settings endpoint. |
| backend/routes/oidc.js | Implements new OIDC routes handling authorization and callback flows. |
| backend/routes/main.js | Registers the new OIDC router. |
| backend/logger.js | Adds a dedicated logger for OIDC. |
| backend/lib/express/jwt-decode.js | Modifies token decoding middleware to support unauthenticated access for OIDC config. |
| backend/internal/token.js | Introduces a new method to generate tokens from OAuth claims. |
Files not reviewed (9)
- backend/package.json: Language not supported
- backend/schema/paths/settings/settingID/put.json: Language not supported
- frontend/js/app/dashboard/main.ejs: Language not supported
- frontend/js/app/settings/list/item.ejs: Language not supported
- frontend/js/app/settings/oidc-config/main.ejs: Language not supported
- frontend/js/i18n/de-lang.json: Language not supported
- frontend/js/i18n/en-lang.json: Language not supported
- frontend/js/i18n/it-lang.json: Language not supported
- frontend/js/login/ui/login.ejs: Language not supported
Comments suppressed due to low confidence (2)
frontend/js/app/settings/oidc-config/main.js:41
- [nitpick] Consider replacing alert(err.message) with a modal or inline error display to improve the user experience.
alert(err.message);
backend/lib/express/jwt-decode.js:9
- Ensure that access.token is defined before calling getUserId() to avoid potential runtime errors when the token is absent.
let oidc_access = req.url === '/oidc-config' && req.method === 'GET' && !access.token.getUserId();
Signed-off-by: Zoey <zoey@z0ey.de>
Signed-off-by: Zoey <zoey@z0ey.de>
Signed-off-by: Zoey <zoey@z0ey.de>
Signed-off-by: Zoey <zoey@z0ey.de>
Signed-off-by: Zoey <zoey@z0ey.de>
Signed-off-by: Zoey <zoey@z0ey.de>
Signed-off-by: Zoey <zoey@z0ey.de>
Signed-off-by: Zoey <zoey@z0ey.de>
Signed-off-by: Zoey <zoey@z0ey.de>
Signed-off-by: Zoey <zoey@z0ey.de>
|
The Docker Image can now be found here: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
will close #1664