Add OIDC login via social-auth #2550
Conversation
- Adding in Keycloak instance stuff (mostly copied from UE/Learn but with some reworked documentation) - Added ol_open_id_connect backend, from Learn, but also captures the global_id (Keycloak ID) - Added global_id to the user model - Started in on situating the user for non-API-driven login requests - Added an interstitial to the login screen to allow the user to choose email or keycloak This is not particularly usable because OIDC needs feature-flagging. We don't want users trying to log in via Keycloak right yet. (It's also not done. Users get created, that's about it.) The existing custom parts of the pipeline check to make sure their backend is the one they expect before doing things, so the strategy is to add in basically the existing Python Social Auth pipeline things that would normally be there, but wrapping them so they only run if we're authenticating via OIDC. This should allow the existing email-based flow to work while also allowing OIDC to function alongside it.
|
| GitGuardian id | GitGuardian status | Secret | Commit | Filename | |
|---|---|---|---|---|---|
| 13777604 | Triggered | Generic High Entropy Secret | b4226da | config/keycloak/realms/default-realm.json | View secret |
| 13777605 | Triggered | Generic High Entropy Secret | b4226da | config/keycloak/realms/default-realm.json | View secret |
| 13777606 | Triggered | Generic Private Key | b4226da | config/keycloak/tls/tls.key.default | View secret |
| 13777607 | Triggered | Generic High Entropy Secret | b4226da | config/keycloak/realms/default-realm.json | View secret |
| 13777608 | Triggered | Generic High Entropy Secret | b4226da | config/keycloak/realms/default-realm.json | View secret |
| 13777609 | Triggered | Generic Password | b4226da | config/keycloak/realms/default-realm.json | View secret |
| 13777610 | Triggered | Generic High Entropy Secret | b4226da | config/keycloak/realms/default-realm.json | View secret |
| 10259317 | Triggered | Generic Password | b4226da | docker-compose.yml | View secret |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secrets safely. Learn here the best practices.
- Revoke and rotate these secrets.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider
- following these best practices for managing and storing secrets including API keys and other credentials
- install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
- Fixed an issue with the global_id field; using _create_user should also fill it if it's a non-OIDC user - Added the promote_user command from UE - Added EXPOSE_OIDC_LOGIN; if this is not set, the OIDC workflow won't be shown on login (but isn't disabled) - Worked out bugs in the pipeline and now should create the user correctly (i.e. set is_active = True) when logging in via OIDC - Updating logout to bounce through Keycloak - Updated frontend to hide the first interstitial step if OIDC is disabled - Tested with external Keycloak - Added more docs for external Keycloak, override sample, and updates to the regular docs
for more information, see https://pre-commit.ci
…mitxonline into jkachel/add-social-auth-keycloak
| fields = { | ||
| **extra_fields, | ||
| "email": email, | ||
| "global_id": extra_fields.get("global_id", uuid.uuid4()), |
There was a problem hiding this comment.
Shouldn't be setting a default global_id, this is generated by Keycloak so we can't create a reasonable default for it.
| parser.add_argument( | ||
| "email", | ||
| type=str, | ||
| help="The email of the user to promote/demote.", | ||
| ) | ||
|
|
||
| parser.add_argument( | ||
| "--promote", | ||
| action="store_true", | ||
| help="Promote the user to staff.", | ||
| ) | ||
|
|
||
| parser.add_argument( | ||
| "--demote", | ||
| action="store_true", | ||
| help="Demote the user from staff.", | ||
| ) | ||
|
|
||
| parser.add_argument( | ||
| "--superuser", | ||
| action="store_true", | ||
| help="Promote the user to superuser.", | ||
| ) |
There was a problem hiding this comment.
I would suggest structuring this using subparsers because it'll handle some of the validation you're doing below automatically. I recently did this in open-discussions for a similar type of command and it simplifies things substantially: https://github.com/mitodl/open-discussions/blob/master/authentication/management/commands/validate_user_emails.py#L30
| @@ -26,7 +27,8 @@ const ForgotPasswordPages = () => ( | |||
|
|
|||
| const LoginPages = () => ( | |||
| <Switch> | |||
| <Route exact path={routes.login.begin} component={LoginEmailPage} /> | |||
| <Route exact path={routes.login.begin} component={LoginChoicePage} /> | |||
There was a problem hiding this comment.
I don't know that we want to present UI to the user to choose which way to login, but it should instead be feature flagged as still being LoginEmailPage unless the flag is enabled. If the flag is enabled then the "Login" button should send them directly to Keycloak to login.
| # the backend should be setting the is_active flag to True (and it seems | ||
| # to be doing that!) but it isn't so we need to set it to active here. |
There was a problem hiding this comment.
Once we switchover completely to keycloak, we can set the default on the User model to True and remove this code.
What are the relevant tickets?
Closes mitodl/hq#6586
Description (What does it do?)
Configures the authentication pipeline to work with OIDC (Keycloak) based authentication.
A Keycloak instance is necessary for testing this. See the
README-keycloak.mdfor setup instructions. (It is not the same as it is elsewhere! Hopefully it's better/easier to follow.) The sample instance that exists elsewhere has been migrated here to make testing easier. Or, you can also use a different Keycloak instance, including one that is part of some other app (like Learn or Unified Ecommerce).When completed and enabled, users will be given the option of logging in via email or Keycloak:
We don't have design for this but the choice screen just gives you a couple buttons to direct the user.
This does not depend on APISIX at all. However, if this is sitting behind a correctly configured APISIX instance and the user's already logged in, the user should just get bounced straight back from Keycloak. But the app will not pick up an existing APISIX session.
Screenshots (if appropriate):
Login interstitial:
How can this be tested?
EXPOSE_OIDC_LOGINto True in your.env.README-keycloak.mdfor instructions.README-keycloak.mdif you're going to use a separate Keycloak instance on the same machine.Additional Context
This doesn't tackle grabbing an APISIX session. Different middleware is needed for this.