Authentication: Add OIDC Integration #1797

Open
redxtech opened this issue Oct 18, 2024 · 8 comments

Comments

@redxtech

Use case

I would like to see OIDC support for authentication, to make it easier to integrate with existing setups that use auth providers such as authentik.

Proposal

Django appears to have support for OIDC built in (https://django-oidc-provider.readthedocs.io/en/master/), so adding it here should definitely be easier than if you were to start from scratch. If that somehow doesn't apply here, there should probably be another way to implement this as well. Let me know if I'm wrong!

@kmoy1
Contributor

kmoy1 commented Oct 23, 2024

Would like to work on this

@kmoy1
Contributor

kmoy1 commented Oct 27, 2024

Is part of this request to add an OIDC authentication backend and authenticate against that instead of the default django.contrib.auth.backends.ModelBackend (checking against the User model)? If that's the case, I am not sure django-oidc-provider provides one - may need to use the mozilla-django-oidc library instead, which does.

In general, I'd like a little more clarity on the requirements here. Thanks!

@rolandgeider
Member

We definitely need a user object for the rest of the application to work. I'm not sure how the OIDC provider works, but I assumed it would do that automatically.

@kmoy1
Contributor

kmoy1 commented Oct 27, 2024

Yes, I was just thinking that if we set up an OIDC IDP like Authentik, we would manage/authenticate user accounts there instead of locally in database.sqlite like we do currently. Unless I'm mistaken?

@kmoy1
Contributor

kmoy1 commented Nov 1, 2024

I've added a basic example of support for OIDC authentication using the mozilla-django-oidc library. However, this CR does require the manual setup of an OIDC provider (I used Authentik here). I didn't see another way around this. It also requires several environment variables to be set (e.g. OIDC_RP_CLIENT_ID) after the application is bound to Authentik.

I understand there is much manual setup here but I don't see another way to automate the creation of the IDP and the setting of the necessary environment variables. If anyone has further information on how to address this, it would be much appreciated.

@InputObject2

InputObject2 commented Nov 9, 2024

If we're setting up OIDC auth, the OIDC provider part isn't wger's responsibility.

Also, needing a couple of environment variables is pretty common. These are well-known variables that most providers use, so it wouldn't be limited to working with Authentik.

We would probably need some custom variables to allow some config through the env, like:

OIDC_AUTH_PROVIDER_NAME
OIDC_AUTH_ENABLED
OIDC_CREATE_USERS

@rolandgeider
Member

This only allows setting up one OIDC provider, right? Is that enough or would we potentially want more?

@kmoy1
Contributor

kmoy1 commented Nov 10, 2024

Yes, this was meant specifically for Authentik. But the mozilla-django-oidc library can definitely extend to other OIDC providers too. Again, the issue is that (as far as I know) the provider needs to be configured manually and separately from this app.
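
One way the environment-driven configuration discussed in this thread could be turned into a Django settings fragment, as an added example that is not code from the wger project or from the change mentioned above. OIDC_AUTH_ENABLED, OIDC_CREATE_USERS and OIDC_AUTH_PROVIDER_NAME are the names proposed in the thread and are hypothetical; the remaining OIDC_* keys and the backend path are mozilla-django-oidc's own settings; the https-only rule, RS256 and the sample values are assumptions.

```python
from urllib.parse import urlparse

# Settings that mozilla-django-oidc reads; all must be set once OIDC is enabled.
REQUIRED = (
    "OIDC_RP_CLIENT_ID", "OIDC_RP_CLIENT_SECRET",
    "OIDC_OP_AUTHORIZATION_ENDPOINT", "OIDC_OP_TOKEN_ENDPOINT",
    "OIDC_OP_USER_ENDPOINT", "OIDC_OP_JWKS_ENDPOINT",
)
MODEL_BACKEND = "django.contrib.auth.backends.ModelBackend"
OIDC_BACKEND = "mozilla_django_oidc.auth.OIDCAuthenticationBackend"

# Constructed sample environment (placeholder host and credentials).
SAMPLE_ENV = {"OIDC_AUTH_ENABLED": "true", "OIDC_CREATE_USERS": "false",
              "OIDC_RP_CLIENT_ID": "wger-example", "OIDC_RP_CLIENT_SECRET": "placeholder"}
SAMPLE_ENV.update({k: "https://idp.example.invalid/" + k.lower()
                   for k in REQUIRED if "_ENDPOINT" in k})


def env_flag(env, name, default=False):
    """Parse a boolean flag; anything but an explicit true value is False."""
    raw = env.get(name)
    if raw is None:
        return default
    return raw.strip().lower() in ("1", "true", "yes", "on")


def oidc_settings(env):
    """Build the OIDC part of Django settings from an environment mapping."""
    settings = {"AUTHENTICATION_BACKENDS": [MODEL_BACKEND]}
    if not env_flag(env, "OIDC_AUTH_ENABLED"):
        return settings  # OIDC off: local accounts only, nothing else is read
    missing = [k for k in REQUIRED if not env.get(k)]
    if missing:  # fail at startup instead of running half-configured
        raise ValueError("OIDC enabled but unset: " + ", ".join(missing))
    for key in REQUIRED:
        if "_ENDPOINT" in key:
            url = urlparse(env[key])
            if url.scheme != "https" or not url.hostname:
                raise ValueError(key + " must be an https URL")  # assumed policy
        settings[key] = env[key]
    settings["OIDC_RP_SIGN_ALGO"] = "RS256"  # ID tokens verified against the JWKS endpoint
    # Thread's OIDC_CREATE_USERS mapped onto the library's OIDC_CREATE_USER;
    # off unless explicitly enabled, so unknown IdP users get no local account.
    settings["OIDC_CREATE_USER"] = env_flag(env, "OIDC_CREATE_USERS")
    # Hypothetical display name for the login page; not a library setting.
    settings["OIDC_AUTH_PROVIDER_NAME"] = env.get("OIDC_AUTH_PROVIDER_NAME", "OIDC")
    settings["AUTHENTICATION_BACKENDS"].append(OIDC_BACKEND)
    return settings
```

In a settings module this would be applied with `globals().update(oidc_settings(os.environ))`; ModelBackend stays first so existing local accounts keep working alongside the provider.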
