
Add OIDC login via social-auth #2550

Draft: wants to merge 3 commits into base: main

Conversation

@jkachel (Contributor) commented Feb 24, 2025

Closer to done but not ready yet - need more tests and test fixes.

What are the relevant tickets?

Closes mitodl/hq#6586

Description (What does it do?)

Configures the authentication pipeline to work with OIDC (Keycloak) based authentication.

A Keycloak instance is necessary for testing this. See the README-keycloak.md for setup instructions. (It is not the same as it is elsewhere! Hopefully it's better/easier to follow.) The sample instance that exists elsewhere has been migrated here to make testing easier. Or, you can also use a different Keycloak instance, including one that is part of some other app (like Learn or Unified Ecommerce).

When completed and enabled, users will be given the option of logging in via email or Keycloak:

  • Email login works as it did. Users can sign up, run forgot password, sign in via email, etc. all as before.
  • Keycloak login will bounce the user over to Keycloak to authenticate, and then they will return to MITx Online. If the user's account doesn't exist, it will be created. Users will not have to verify their email addresses in MITx Online. Users will have to complete the MITx Online-specific profile loading process.

We don't have design for this but the choice screen just gives you a couple buttons to direct the user.

This does not depend on APISIX at all. However, if this is sitting behind a correctly configured APISIX instance and the user's already logged in, the user should just get bounced straight back from Keycloak. But the app will not pick up an existing APISIX session.

Screenshots (if appropriate):

Login interstitial:

[screenshot: login interstitial]

How can this be tested?

  • Set EXPOSE_OIDC_LOGIN to True in your .env.
  • Configure the OIDC settings appropriately. See the README-keycloak.md for instructions.
  • Follow the instructions for configuring the provided Keycloak instance or configure the app to use an external one. See the notes in README-keycloak.md if you're going to use a separate Keycloak instance on the same machine.
  • Go to the app, and click Login.
  • You should see the interstitial above.
  • Clicking Sign In with Email should take you to the normal sign-in workflow - this should work as expected, with no changes.
  • Clicking Sign In with Keycloak should redirect you to Keycloak to sign in. Upon returning to the app, you should be logged in. If your account didn't exist in MITx Online before, it should be created.
  • Clicking Log Out should redirect you into Keycloak for logout.

Additional Context

This doesn't tackle grabbing an APISIX session. Different middleware is needed for this.

- Adding in Keycloak instance stuff (mostly copied from UE/Learn but with some reworked documentation)
- Added ol_open_id_connect backend, from Learn, but also captures the global_id (Keycloak ID)
- Added global_id to the user model
- Started in on situating the user for non-API-driven login requests
- Added an interstitial to the login screen to allow the user to choose email or Keycloak

This is not particularly usable because OIDC needs feature-flagging. We don't want users trying to log in via Keycloak right yet. (It's also not done. Users get created, that's about it.)

The existing custom parts of the pipeline check to make sure their backend is the one they expect before doing things, so the strategy is to add in basically the existing Python Social Auth pipeline things that would normally be there, but wrapping them so they only run if we're authenticating via OIDC. This should allow the existing email-based flow to work while also allowing OIDC to function alongside it.
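The gating strategy described above can be illustrated in a few lines. The following is an added example written for this page, not code from the PR or from the mitxonline repository: it stubs out Python Social Auth's strategy and backend objects so it runs offline, and it assumes a backend name of "ol-oidc" for the ol_open_id_connect backend, a `details["global_id"]` key populated by that backend, and a `global_id` field on the user model, all of which are assumptions rather than values taken from the PR.

```python
"""Hypothetical illustration of wrapping social-auth pipeline steps so they only
run when the OIDC backend is active, leaving the email-based flow untouched.
social_core is stubbed with small dataclasses so this executes stand-alone."""
import functools
from dataclasses import dataclass, field
from typing import Optional

OIDC_BACKEND_NAME = "ol-oidc"  # assumed name of the ol_open_id_connect backend


@dataclass
class FakeBackend:
    """Stand-in for a social_core backend; only the name matters here."""
    name: str


@dataclass
class FakeUser:
    """Stand-in for the Django user, with the PR's global_id field."""
    email: str
    global_id: Optional[str] = None
    is_active: bool = False


@dataclass
class FakeStrategy:
    """Stand-in for the social_core strategy; acts as the user 'database'."""
    users: dict = field(default_factory=dict)

    def create_user(self, email: str) -> FakeUser:
        user = FakeUser(email=email)
        self.users[email] = user
        return user


def oidc_only(step):
    """Make a pipeline step a no-op unless the active backend is the OIDC one.

    Returning None from a social-auth pipeline step leaves the pipeline state
    unchanged, so the email flow never sees these steps run."""
    @functools.wraps(step)
    def wrapper(strategy, details, backend, *args, **kwargs):
        if backend.name != OIDC_BACKEND_NAME:
            return None
        return step(strategy, details, backend, *args, **kwargs)
    return wrapper


@oidc_only
def create_user(strategy, details, backend, user=None, *args, **kwargs):
    """Create the account on first OIDC login; Keycloak already verified the email."""
    if user is not None:
        return {"is_new": False}
    user = strategy.create_user(details["email"])
    user.is_active = True  # no MITx Online email-verification step for OIDC users
    return {"user": user, "is_new": True}


@oidc_only
def set_global_id(strategy, details, backend, user=None, *args, **kwargs):
    """Record the Keycloak identifier on the user (assumed to arrive in details)."""
    if user is None:
        return None
    user.global_id = details.get("global_id")
    return None


PIPELINE = [create_user, set_global_id]


def run_pipeline(strategy, backend, details, user=None):
    """Minimal imitation of social_core's runner: a step returning a dict has its
    keys merged into the keyword arguments passed to subsequent steps."""
    state = {"user": user}
    for step in PIPELINE:
        result = step(strategy, details, backend, **state)
        if isinstance(result, dict):
            state.update(result)
    return state


if __name__ == "__main__":
    # Constructed sample claims, as the OIDC backend might supply them.
    details = {"email": "learner@example.com", "global_id": "kc-sub-123"}
    print(run_pipeline(FakeStrategy(), FakeBackend(OIDC_BACKEND_NAME), details))
    print(run_pipeline(FakeStrategy(), FakeBackend("email"), details))
```

Running the module shows an active user with `global_id` set for the OIDC backend, and an untouched `{"user": None}` state for the email backend, which is the behaviour the description calls for: the wrapped steps exist in the shared pipeline but do nothing unless the request is authenticating via OIDC.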

gitguardian bot commented Feb 24, 2025

⚠️ GitGuardian has uncovered 8 secrets following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secrets in your pull request
| GitGuardian id | GitGuardian status | Secret | Commit | Filename |
| --- | --- | --- | --- | --- |
| 13777604 | Triggered | Generic High Entropy Secret | b4226da | config/keycloak/realms/default-realm.json |
| 13777605 | Triggered | Generic High Entropy Secret | b4226da | config/keycloak/realms/default-realm.json |
| 13777606 | Triggered | Generic Private Key | b4226da | config/keycloak/tls/tls.key.default |
| 13777607 | Triggered | Generic High Entropy Secret | b4226da | config/keycloak/realms/default-realm.json |
| 13777608 | Triggered | Generic High Entropy Secret | b4226da | config/keycloak/realms/default-realm.json |
| 13777609 | Triggered | Generic Password | b4226da | config/keycloak/realms/default-realm.json |
| 13777610 | Triggered | Generic High Entropy Secret | b4226da | config/keycloak/realms/default-realm.json |
| 10259317 | Triggered | Generic Password | b4226da | docker-compose.yml |
🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secrets safely. Learn here the best practices.
  3. Revoke and rotate these secrets.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider


🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

jkachel and others added 2 commits February 25, 2025 15:56
- Fixed an issue with the global_id field; using _create_user should also fill it if it's a non-OIDC user
- Added the promote_user command from UE
- Added EXPOSE_OIDC_LOGIN; if this is not set, the OIDC workflow won't be shown on login (but isn't disabled)
- Worked out bugs in the pipeline and now should create the user correctly (i.e. set is_active = True) when logging in via OIDC
- Updating logout to bounce through Keycloak
- Updated frontend to hide the first interstitial step if OIDC is disabled
- Tested with external Keycloak
- Added more docs for external Keycloak, override sample, and updates to the regular docs