added documentation for oauth

docs/web/authentication.md

@@ -9,23 +9,28 @@ the results stored on a server.
 
 Table of Contents
 =================
-* [Server-side configuration](#server-side-configuration)
-    * [<i>Dictionary</i> authentication](#dictionary-authentication)
-    * [External authentication methods](#external-auth-methods)
-        * [<i>PAM</i> authentication](#pam-authentication)
-        * [<i>LDAP</i> authentication](#ldap-authentication)
-            * [Configuration options](#configuration-options)
-    * Membership in custom groups with [<i>regex_groups</i>](#regex_groups-authentication)
-* [Client-side configuration](#client-side-configuration)
-    * [Web-browser client](#web-browser-client)
-    * [Command-line client](#command-line-client)
-        * [Preconfigured credentials](#preconfigured-credentials)
-        * [Automatic login](#automatic-login)
-        * [Currently active tokens](#currently-active-tokens)
-* [Personal access token](#personal-access-token)
-    * [`new`](#new-personal-access-token)
-    * [`list`](#list-personal-access-token)
-    * [`del`](#remove-personal-access-token)
+- [CodeChecker authentication subsystem](#codechecker-authentication-subsystem)
+- [Table of Contents](#table-of-contents)
+- [Server-side configuration ](#server-side-configuration-)
+  - [Dictionary authentication ](#dictionary-authentication-)
+  - [External authentication methods ](#external-authentication-methods-)
+    - [PAM authentication ](#pam-authentication-)
+    - [LDAP authentication ](#ldap-authentication-)
+      - [Configuration options ](#configuration-options-)
+  - [Membership in custom groups with regex\_groups](#membership-in-custom-groups-with-regex_groups)
+    - [OAUTH authentication ](#oauth-authentication-)
+      - [OAUTH Configuration options ](#oauth-configuration-options-)
+      - [Details per each provider ](#details-per-each-provider-)
+- [Client-side configuration ](#client-side-configuration-)
+  - [Web-browser client ](#web-browser-client-)
+  - [Command-line client ](#command-line-client-)
+    - [Preconfigured credentials ](#preconfigured-credentials-)
+    - [Automatic login ](#automatic-login-)
+    - [Currently active tokens ](#currently-active-tokens-)
+- [Personal access token ](#personal-access-token-)
+  - [New personal access token ](#new-personal-access-token-)
+  - [List personal access tokens ](#list-personal-access-tokens-)
+  - [Remove personal access token ](#remove-personal-access-token-)
 
 # Server-side configuration <a name="server-side-configuration"></a>
 
@@ -320,6 +325,124 @@ groups. For more information [see](permissions.md#managing-permissions).
 
 ----
 
+### <i>OAUTH</i> authentication <a name="oauth-authentication"></a>
+
+CodeChecker also supports OAUTH-based authentication. The `authentication.method_oauth` section contains the configuration for OAUTH authentication for different OAUTH providers. The server can be configured for different Oauth `providers` .Users can be added into the `allowed_users`
+
+#### OAUTH Configuration options <a name="oauth-configuration-options"></a>
+  * `enabled`
+
+    Indicated if OAUTH method is enabled 
+
+ * `providers`
+
+    The provider field contains configuration details for OAuth providers. Each provider's configuration includes but may vary depending on provider:
+
+ * `enabled`
+
+    Indicates if the Oauth provider is enabled
+
+ * `oauth_client_id`
+
+    Contains client ID provided by the OAuth provider.
+
+
+ * `oauth_client_secret`
+
+    The client secret provided by the OAuth provider.
+
+ * `oauth_authorization_uri`
+
+    This link in used for redirecting user for perovider's authentication page
+
+ * `oauth_redirect_uri`
+
+    The oauth_redirect_uri URI to which the OAuth provider will redirect after authorization and in some providers used for confirming the redirection URI.
+
+ * `oauth_token_uri`
+
+    The URI to exchange the authorization code for an access token.
+
+ * `oauth_user_info_uri`
+
+    The URI to fetch the authenticated user's information.
+
+ * `oauth_scope`
+
+    The scope of access requested from the OAuth provider.
+
+ * `oauth_user_info_mapping`
+
+    A mapping of user info fields from the provider to local fields.
+
+    * `username`
+
+        Field for the username.
+    * `email`
+
+        Field for the email.
+    * `fullname`
+
+        Field for the fullname.
+ * `allowed_users`
+
+  A list of allowed users differently configured for each provider
+
+~~~{.json}
+"method_oauth": {
+      "enabled": false,
+      "providers": {
+        "github": {
+          "enabled": false,
+          "oauth_client_id": "client id",
+          "oauth_client_secret": "client secret",
+          "oauth_authorization_uri": "https://github.com/login/oauth/authorize",
+          "oauth_token_uri": "https://github.com/login/oauth/access_token",
+          "oauth_user_info_uri": "https://api.github.com/user",
+          "oauth_scope": "openid email profile",
+          "oauth_user_info_mapping": {
+            "username": "login",
+            "email": "email",
+            "fullname": "name"
+          },
+          "allowed_users": [
+            "user1",
+            "user2",
+            "user3"
+          ]
+        },
+        "google": {
+          "enabled": false,
+          "oauth_client_id": "client id",
+          "oauth_client_secret": "client secret",
+          "oauth_authorization_uri": "https://accounts.google.com/o/oauth2/auth",
+          "oauth_redirect_uri": "http://localhost:8080/login",
+          "oauth_token_uri": "https://accounts.google.com/o/oauth2/token",
+          "oauth_user_info_uri": "https://www.googleapis.com/oauth2/v1/userinfo",
+          "oauth_scope": "openid email profile",
+          "oauth_user_info_mapping": {
+            "username": "email",
+            "email": "email",
+            "fullname": "name"
+          },
+          "allowed_users": [
+            "user1",
+            "user2",
+            "user3"
+          ]
+        }
+      }
+    }
+~~~
+
+#### Details per each provider <a name ="details-per-each-provider"></a>
+
+* For Google OAuth to function correctly, the `oauth_redirect_uri` in application's configuration must exactly match the `Authorized redirect URIs` specified in the Google API Console. 
+
+* For GitHub to redirect correctly, set the `Authorization callback URL` to the login page of CodeChecker. This ensures proper processing of the authorization. Additionally, set the homepage URL to the homepage of CodeChecker.
+
+
+
 # Client-side configuration <a name="client-side-configuration"></a>
 
 ## Web-browser client <a name="web-browser-client"></a>

web/server/codechecker_server/api/authentication.py

@@ -137,7 +137,6 @@ def createLinkGoogle(self):
         scope = oauth_config["oauth_scope"]
         authorization_uri = oauth_config["oauth_authorization_uri"]
         redirect_uri = oauth_config["oauth_redirect_uri"]
-        token_uri = oauth_config["oauth_token_uri"]
 
 
         # Create an OAuth2Session instance
@@ -242,6 +241,7 @@ def performLogin(self, auth_method, auth_string):
             scope = oauth_config["oauth_scope"]
             token_url = oauth_config["oauth_token_uri"]
             user_info_url = oauth_config["oauth_user_info_uri"]
+
 
             session = OAuth2Session(client_id, client_secret, scope=scope)
             token = session.fetch_token(
@@ -290,6 +290,7 @@ def performLogin(self, auth_method, auth_string):
                     "User is not authorized to access this service.")
 
             session = self.__manager.create_session("google@" + email + ":" + token['access_token'])
+
             return session.token
 
         raise codechecker_api_shared.ttypes.RequestFailed(

web/server/config/server_config.json

@@ -50,13 +50,12 @@
       "providers": {
         "github": {
           "enabled": false,
-          "oauth_client_id": "example_id",
-          "oauth_client_secret": "example_secret",
-          "oauth_redirect_uri": "http://localhost:8001/login",
+          "oauth_client_id": "client id",
+          "oauth_client_secret": "client secret",
           "oauth_authorization_uri": "https://github.com/login/oauth/authorize",
           "oauth_token_uri": "https://github.com/login/oauth/access_token",
           "oauth_user_info_uri": "https://api.github.com/user",
-          "oauth_scope": "user:email",
+          "oauth_scope": "openid email profile",
           "oauth_user_info_mapping": {
             "username": "login",
             "email": "email",
@@ -70,12 +69,13 @@
         },
         "google": {
           "enabled": false,
-          "oauth_client_id": "example_id",
-          "oauth_client_secret": "example_secret",
+          "oauth_client_id": "client id",
+          "oauth_client_secret": "client secret",
           "oauth_authorization_uri": "https://accounts.google.com/o/oauth2/auth",
-          "oauth_token_uri": "https://oauth2.googleapis.com/token",
+          "oauth_redirect_uri": "http://localhost:8080/login",
+          "oauth_token_uri": "https://accounts.google.com/o/oauth2/token",
           "oauth_user_info_uri": "https://www.googleapis.com/oauth2/v1/userinfo",
-          "oauth_scope": "https://www.googleapis.com/auth/userinfo.email",
+          "oauth_scope": "openid email profile",
           "oauth_user_info_mapping": {
             "username": "email",
             "email": "email",

web/server/vue-cli/src/views/Login.vue

@@ -152,8 +152,10 @@ export default {
 
     const url = new URL(window.location.href);
     let code = null, state = null;
+    //get the code and state from the url
     code = url.searchParams.get("code");
     state = url.searchParams.get("state");
+    //get the provider from the cookie
     const provider = document.cookie.split(";").find(
       c => c.includes("oauth_provider")).split("=")[1];