Skip to content

feat: support for OIDC authentication #880

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

feat: support for OIDC authentication #880

wants to merge 4 commits into from

Conversation

rophy
Copy link

@rophy rophy commented Apr 12, 2025
edited
Loading

A prototype to enable OIDC support for #809.

How to test:

  1. docker-compose -f docker-compose.oidc.yml up -d, which uses Soluto/oidc-server-mock for a simple OIDC server provider, configured with one client ID and two user accounts.

  2. Load kutt login page http://localhost:3000/login

  3. You should see a "Login with OIDC" button (actually a link) at bottom:

image

  1. Clicking the link redirects you to http://7f000101.nip.io:8080/

    • The FQDN actually resolves to 127.0.0.1 for browser, and oidc-server-mock container IP for kutt container.
    • Such "magical DNS" is needed for local development, since OIDC requires both human browser and kutt backend to interact with OIDC endpoints. In real environments, OIDC_ISSUER should point to a real OIDC provider such as Google or Facebook.

  2. Login with the user accounts defined in docker-compose. Successful login should redirect back to kutt homepage.

  3. If the user does not exist, it is created with a random password, with email verified.

  4. The passport strategy of openid-client package requires express sesssion to be enabled. For cookie-session, it creates cookie like this:

image

What are still missing in this PR:

  1. Logging out kutt should log out OIDC as well.
  2. Apps which support OIDC should be able to customize the login button, such as "Login with Google".
  3. Once OIDC is enabled, it's common that site admins will want to disable form-based logins. Ideally should be supported via config.

@rophy
Copy link
Author

rophy commented Apr 13, 2025
edited
Loading

Tested OK for me for (a) local oidc-server-mock and (b) auth0.
Note that the first time you run docker-compose up, kutt crashes trying to discover OIDC endpoints while oidc-server-mock is still starting.

@rophy rophy mentioned this pull request Apr 13, 2025
Closed
@rophy
Copy link
Author

rophy commented Apr 14, 2025
edited
Loading

rophy/kutt main branch now points to rophy/oidc branch + auto build.

docker build for testing: https://github.com/rophy/kutt/pkgs/container/kutt/main

@rophy
Copy link
Author

rophy commented Apr 14, 2025

Once OIDC is enabled, it's common that site admins will want to disable form-based logins. Ideally should be supported via config.

env.DISALLOW_FORM_LOGIN

@poeti8
Copy link
Member

poeti8 commented Apr 16, 2025

Thank you, this looks excellent. I'll try it soon.

@zachmann
Copy link

@poeti8 Any update on this? It would be great to have this feature merged.

@poeti8
Copy link
Member

poeti8 commented May 27, 2025

@zachmann Yes, I'm really sorry for the delay, I was caught up with other things, I was gonna review and merge it this weekend, and I will.

@poeti8
Copy link
Member

poeti8 commented May 28, 2025

The mock OIDC server doesn't run for me. I have the same error as Soluto/oidc-server-mock#165 which seems to be not resolved yet.

Any workarounds you can think of?

@rophy
Copy link
Author

rophy commented May 28, 2025
edited
Loading

The mock OIDC server doesn't run for me. I have the same error as Soluto/oidc-server-mock#165 which seems to be not resolved yet.

Any workarounds you can think of?

The issue mentioned dexidp works fine for mac. Added a commit to replace oidc-server-mock with dexidp.

Password for the 2 users is "password".

Also fixed typo in the magical domain name, should be 7f000001.nip.io instead of 7f000101.nip.io

$ nslookup 7f000001.nip.io
Server:         10.255.255.254
Address:        10.255.255.254#53

Non-authoritative answer:
Name:   7f000001.nip.io
Address: 127.0.0.1

Dex login UI showed 2 login options. I'm not sure what the second one "Log in with Example" does, but it did not work for me. The "Log in with Email" works.

image

@poeti8
Copy link
Member

poeti8 commented May 29, 2025

Thanks, it worked for me now, I was able to login easily too. Superb job.

I changed my mind regarding the docker compose file. I think it's useful to have it as an example for people to see how it works. I'll add a note in the readme that says this is a mock server.

For the other two comments, what do you think and would you make the changes? If you don't have time I can take it up myself.

@rophy
Copy link
Author

rophy commented May 29, 2025

If all looks good so far, mat be we can get this merged first and pick up the other works in separated PRs? It helps me to be able to jump in and help on demand

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@rophy @poeti8 @zachmann