Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add secondary OIDC provider capability #743

Merged
merged 9 commits into from
Oct 4, 2024
Merged

Add secondary OIDC provider capability #743

merged 9 commits into from
Oct 4, 2024

Conversation

sbreker
Copy link
Member

@sbreker sbreker commented Sep 26, 2024

Add ability to define more than one OIDC provider in AM. Specific providers can be chosen using HTTP query params passed to the server when authenticating.

sbreker and others added 4 commits October 3, 2024 17:02
@sbreker @replaceafill
Add secondary OIDC provider capability
245d89e 
Add ability to define more than one OIDC provider in AM. Specific
providers can be chosen using HTTP query params passed to the server
when authenticating.
@sbreker @replaceafill
Add OIDC setting to deactivate local auth
9c46180 
Add a new setting to control whether local AMSS authentication is
available when OIDC authentication is in use. If local AM authentication
is disabled, then users will only be able to authenticate via the OIDC
provider. If the new setting is not configured, local AM authentication
is available.
@replaceafill
Add integration test for logging out
e18703c
@replaceafill
Add integration tests for secondary provider
e08928e
@replaceafill
Disable Django's model authentication backend
8b0533f 
If the OIDC_ALLOW_LOCAL_AUTHENTICATION setting denies local
authentication, users should not be able to authenticate even if they
access the local login form directly.
@replaceafill replaceafill requested a review from a team October 3, 2024 22:32
sbreker
sbreker commented Oct 4, 2024
View reviewed changes
Copy link
Member Author

@sbreker sbreker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great @replaceafill! 👍

Curious why you chose to hard code LOGIN_URL = "/oidc/authenticate/"?

@replaceafill
Copy link
Member

replaceafill commented Oct 4, 2024
edited
Loading

Curious why you chose to hard code LOGIN_URL = "/oidc/authenticate/"?

@sbreker sorry I forgot to include the explanation in the commit. During manual testing I noticed the LoginRequiredMiddleware class prevents Django from reaching the point where it understand the LOGIN_URL as a named URL pattern as we intended.

See

archivematica-storage-service/storage_service/common/middleware.py

Line 53 in a384809

fullURL = f"{settings.LOGIN_URL}?next={quote(request.get_full_path())}"
where the oidc_authentication_init pattern is converted into a string and the middleware redirects you to an nonexistent /oidc_authentication_init URL instead.

Captura desde 2024-10-03 16-50-56

The Dashboard doesn't have this problem, but I decided to keep the values consistent for now.

replaceafill
replaceafill approved these changes Oct 4, 2024
View reviewed changes
Copy link
Member

@replaceafill replaceafill left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you so much for your hard work @sbreker! 🎉

@replaceafill replaceafill merged commit 6b22515 into qa/0.x Oct 4, 2024
9 checks passed
@replaceafill replaceafill deleted the dev/oidc-enhancements-for-sso branch October 4, 2024 22:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@replaceafill replaceafill replaceafill approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sbreker @replaceafill