feat: support for OIDC authentication #880

Open
wants to merge 3 commits into
base: main

Conversation

@rophy commented Apr 12, 2025

A prototype to enable OIDC support for #809.

How to test:

  1. docker-compose -f docker-compose.oidc.yml up -d, which uses Soluto/oidc-server-mock for a simple OIDC server provider, configured with one client ID and two user accounts.

  2. Load kutt login page http://localhost:3000/login

  3. You should see a "Login with OIDC" button (actually a link) at bottom:

image

  4. Clicking the link redirects you to http://7f000101.nip.io:8080/

    • The FQDN actually resolves to 127.0.0.1 for the browser, and to the oidc-server-mock container IP for the kutt container.
    • Such "magical DNS" is needed for local development, since OIDC requires both the human browser and the kutt backend to interact with OIDC endpoints. In real environments, OIDC_ISSUER should point to a real OIDC provider such as Google or Facebook.
  5. Login with the user accounts defined in docker-compose. Successful login should redirect back to the kutt homepage.

  6. If the user does not exist, it is created with a random password, with email verified.

  7. The passport strategy of the openid-client package requires express session to be enabled. For cookie-session, it creates a cookie like this:

image

What is still missing in this PR:

  1. Logging out kutt should log out OIDC as well.
  2. Apps which support OIDC should be able to customize the login button, such as "Login with Google".
  3. Once OIDC is enabled, it's common that site admins will want to disable form-based logins. Ideally should be supported via config.

@rophy (Author) commented Apr 13, 2025

Tested OK for me for (a) local oidc-server-mock and (b) auth0.
Note that the first time you run docker-compose up, kutt crashes trying to discover OIDC endpoints while oidc-server-mock is still starting.

@rophy (Author) commented Apr 14, 2025

rophy/kutt main branch now points to rophy/oidc branch + auto build.

docker build for testing: https://github.com/rophy/kutt/pkgs/container/kutt/main

@rophy (Author) commented Apr 14, 2025

Once OIDC is enabled, it's common that site admins will want to disable form-based logins. Ideally should be supported via config.

env.DISALLOW_FORM_LOGIN

@poeti8 (Member) commented Apr 16, 2025

Thank you, this looks excellent. I'll try it soon.

@zachmann

@poeti8 Any update on this? It would be great to have this feature merged.

3 participants