Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: oidc #1989

Merged
merged 41 commits into from
Jun 24, 2024
Merged

feat: oidc #1989

Show file tree
Hide file tree
Changes from 17 commits
Commits
Show all changes
41 commits
Select commit Hold shift + click to select a range
66e5edc
feat: oidc poc
sheensantoscapadngan Jun 17, 2024
61fcb2b
feat: finished oidc form functions
sheensantoscapadngan Jun 17, 2024
56cc248
feature: finalized oidc core service methods
sheensantoscapadngan Jun 17, 2024
2c237ee
feat: moved oidc to ee directory
sheensantoscapadngan Jun 17, 2024
d79ffbe
misc: added license checks for oidc sso
sheensantoscapadngan Jun 17, 2024
4f2f7b2
misc: moved oidc endpoints to /sso
sheensantoscapadngan Jun 17, 2024
df51d05
feat: integrated oidc with sso login
sheensantoscapadngan Jun 17, 2024
96ad3b0
misc: used redis for oic session managemen
sheensantoscapadngan Jun 18, 2024
8de4443
feat: added support for login via cli
sheensantoscapadngan Jun 18, 2024
c5c00b5
misc: added session regenerate for fresh state
sheensantoscapadngan Jun 18, 2024
371b96a
misc: removed cookie path proxy for dev envs
sheensantoscapadngan Jun 18, 2024
bcd6533
misc: added handling of inactive and undefined oidc config
sheensantoscapadngan Jun 18, 2024
bdc7c01
misc: added comment regarding session and redis usage
sheensantoscapadngan Jun 18, 2024
0685a5e
Merge remote-tracking branch 'origin/main' into feature/oidc
sheensantoscapadngan Jun 18, 2024
18e6957
feat: added support for limiting email domains
sheensantoscapadngan Jun 18, 2024
92f2f16
misc: added option for trusting OIDC emails by default
sheensantoscapadngan Jun 19, 2024
2bc6db1
misc: readded cookie nginx config for dev
sheensantoscapadngan Jun 19, 2024
0100ddf
misc: addressed review comments
sheensantoscapadngan Jun 19, 2024
6a83b58
misc: added support for dynamic discovery of OIDC configuration
sheensantoscapadngan Jun 19, 2024
6457c34
misc: addressed eslint issue regarding configurationType
sheensantoscapadngan Jun 19, 2024
1193ddb
misc: added rate limit for oidc login endpoint
sheensantoscapadngan Jun 19, 2024
7c06755
misc: added frontend validation for oidc form
sheensantoscapadngan Jun 19, 2024
63a9e46
misc: removed unnecessary zod assertions
sheensantoscapadngan Jun 19, 2024
b198f97
misc: added oidc create validation in route
sheensantoscapadngan Jun 19, 2024
ecca6f4
Merge remote-tracking branch 'origin/main' into feature/oidc
sheensantoscapadngan Jun 19, 2024
d64e2fa
misc: added client id and secret focus toggle
sheensantoscapadngan Jun 19, 2024
f0a70d8
misc: added samesite lax
sheensantoscapadngan Jun 19, 2024
6c98c96
misc: added comment for samesite lax
sheensantoscapadngan Jun 19, 2024
ad92565
misc: grammar update
sheensantoscapadngan Jun 19, 2024
3e23055
misc: added oifc checks to signup
sheensantoscapadngan Jun 20, 2024
e0f5ecb
misc: added oidc to text label
sheensantoscapadngan Jun 20, 2024
e9639df
docs: added keycloak-oidc documentation
sheensantoscapadngan Jun 20, 2024
8d55c28
misc: added redirect after user creation
sheensantoscapadngan Jun 20, 2024
1e0f54d
doc: added mentions of oidc
sheensantoscapadngan Jun 20, 2024
d19e2f6
misc: added oidc to user alias type
sheensantoscapadngan Jun 20, 2024
4a1a399
docs: added documentation for auth0 oidc configuration
sheensantoscapadngan Jun 20, 2024
0f36fc4
docs: added docs for general oidc configuration
sheensantoscapadngan Jun 20, 2024
193d6da
misc: removed read sso from org member
sheensantoscapadngan Jun 20, 2024
f31340c
Minor adjustments to oidc docs
dangtony98 Jun 20, 2024
52fcf53
misc: moved authenticate to preValidation
sheensantoscapadngan Jun 21, 2024
973403c
Merge branch 'feature/oidc' of https://github.com/Infisical/infisical…
sheensantoscapadngan Jun 21, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
130 changes: 130 additions & 0 deletions backend/package-lock.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 2 additions & 0 deletions backend/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -99,6 +99,7 @@
"bcrypt": "^5.1.1",
"bullmq": "^5.4.2",
"cassandra-driver": "^4.7.2",
"connect-redis": "^7.1.1",
"cron": "^3.1.7",
"dotenv": "^16.4.1",
"fastify": "^4.26.0",
Expand All @@ -118,6 +119,7 @@
"mysql2": "^3.9.8",
"nanoid": "^5.0.4",
"nodemailer": "^6.9.9",
"openid-client": "^5.6.5",
"ora": "^7.0.1",
"oracledb": "^6.4.0",
"passport-github": "^1.1.0",
Expand Down
2 changes: 2 additions & 0 deletions backend/src/@types/fastify.d.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@ import { TGroupServiceFactory } from "@app/ee/services/group/group-service";
import { TIdentityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
import { TLdapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-config-service";
import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
import { TOidcConfigServiceFactory } from "@app/ee/services/oidc/oidc-config-service";
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
import { TProjectUserAdditionalPrivilegeServiceFactory } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-service";
import { TRateLimitServiceFactory } from "@app/ee/services/rate-limit/rate-limit-service";
Expand Down Expand Up @@ -102,6 +103,7 @@ declare module "fastify" {
permission: TPermissionServiceFactory;
org: TOrgServiceFactory;
orgRole: TOrgRoleServiceFactory;
oidc: TOidcConfigServiceFactory;
superAdmin: TSuperAdminServiceFactory;
user: TUserServiceFactory;
group: TGroupServiceFactory;
Expand Down
4 changes: 4 additions & 0 deletions backend/src/@types/knex.d.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -134,6 +134,9 @@ import {
TLdapGroupMaps,
TLdapGroupMapsInsert,
TLdapGroupMapsUpdate,
TOidcConfigs,
TOidcConfigsInsert,
TOidcConfigsUpdate,
TOrganizations,
TOrganizationsInsert,
TOrganizationsUpdate,
Expand Down Expand Up @@ -549,6 +552,7 @@ declare module "knex/types/tables" {
TDynamicSecretLeasesUpdate
>;
[TableName.SamlConfig]: Knex.CompositeTableType<TSamlConfigs, TSamlConfigsInsert, TSamlConfigsUpdate>;
[TableName.OidcConfig]: Knex.CompositeTableType<TOidcConfigs, TOidcConfigsInsert, TOidcConfigsUpdate>;
[TableName.LdapConfig]: Knex.CompositeTableType<TLdapConfigs, TLdapConfigsInsert, TLdapConfigsUpdate>;
[TableName.LdapGroupMap]: Knex.CompositeTableType<TLdapGroupMaps, TLdapGroupMapsInsert, TLdapGroupMapsUpdate>;
[TableName.OrgBot]: Knex.CompositeTableType<TOrgBots, TOrgBotsInsert, TOrgBotsUpdate>;
Expand Down
47 changes: 47 additions & 0 deletions backend/src/db/migrations/20240617041053_add-oidc-auth.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
import { Knex } from "knex";

import { TableName } from "../schemas";

export async function up(knex: Knex): Promise<void> {
if (!(await knex.schema.hasTable(TableName.OidcConfig))) {
await knex.schema.createTable(TableName.OidcConfig, (tb) => {
tb.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
tb.string("issuer").notNullable();
tb.string("authorizationEndpoint").notNullable();
tb.string("jwksUri").notNullable();
tb.string("tokenEndpoint").notNullable();
tb.string("userinfoEndpoint").notNullable();
tb.text("encryptedClientId").notNullable();
tb.string("clientIdIV").notNullable();
tb.string("clientIdTag").notNullable();
tb.text("encryptedClientSecret").notNullable();
tb.string("clientSecretIV").notNullable();
tb.string("clientSecretTag").notNullable();
tb.string("allowedEmailDomains").nullable();
tb.boolean("isActive").notNullable();
tb.timestamps(true, true, true);
tb.uuid("orgId").notNullable().unique();
tb.foreign("orgId").references("id").inTable(TableName.Organization);
});
}

if (await knex.schema.hasTable(TableName.SuperAdmin)) {
if (!(await knex.schema.hasColumn(TableName.SuperAdmin, "trustOidcEmails"))) {
await knex.schema.alterTable(TableName.SuperAdmin, (tb) => {
tb.boolean("trustOidcEmails").defaultTo(false);
});
}
}
}

export async function down(knex: Knex): Promise<void> {
await knex.schema.dropTableIfExists(TableName.OidcConfig);

if (await knex.schema.hasTable(TableName.SuperAdmin)) {
if (await knex.schema.hasColumn(TableName.SuperAdmin, "trustOidcEmails")) {
await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
t.dropColumn("trustOidcEmails");
});
}
}
}
1 change: 1 addition & 0 deletions backend/src/db/schemas/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,7 @@ export * from "./kms-root-config";
export * from "./ldap-configs";
export * from "./ldap-group-maps";
export * from "./models";
export * from "./oidc-configs";
export * from "./org-bots";
export * from "./org-memberships";
export * from "./org-roles";
Expand Down
1 change: 1 addition & 0 deletions backend/src/db/schemas/models.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,7 @@ export enum TableName {
SecretRotationOutput = "secret_rotation_outputs",
SamlConfig = "saml_configs",
LdapConfig = "ldap_configs",
OidcConfig = "oidc_configs",
LdapGroupMap = "ldap_group_maps",
AuditLog = "audit_logs",
AuditLogStream = "audit_log_streams",
Expand Down
32 changes: 32 additions & 0 deletions backend/src/db/schemas/oidc-configs.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
// Code generated by automation script, DO NOT EDIT.
// Automated by pulling database and generating zod schema
// To update. Just run npm run generate:schema
// Written by akhilmhdh.

import { z } from "zod";

import { TImmutableDBKeys } from "./models";

export const OidcConfigsSchema = z.object({
id: z.string().uuid(),
issuer: z.string(),
authorizationEndpoint: z.string(),
jwksUri: z.string(),
tokenEndpoint: z.string(),
userinfoEndpoint: z.string(),
encryptedClientId: z.string(),
clientIdIV: z.string(),
clientIdTag: z.string(),
encryptedClientSecret: z.string(),
clientSecretIV: z.string(),
clientSecretTag: z.string(),
allowedEmailDomains: z.string().nullable().optional(),
isActive: z.boolean(),
createdAt: z.date(),
updatedAt: z.date(),
orgId: z.string().uuid()
});

export type TOidcConfigs = z.infer<typeof OidcConfigsSchema>;
export type TOidcConfigsInsert = Omit<z.input<typeof OidcConfigsSchema>, TImmutableDBKeys>;
export type TOidcConfigsUpdate = Partial<Omit<z.input<typeof OidcConfigsSchema>, TImmutableDBKeys>>;
3 changes: 2 additions & 1 deletion backend/src/db/schemas/super-admin.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,8 @@ export const SuperAdminSchema = z.object({
allowedSignUpDomain: z.string().nullable().optional(),
instanceId: z.string().uuid().default("00000000-0000-0000-0000-000000000000"),
trustSamlEmails: z.boolean().default(false).nullable().optional(),
trustLdapEmails: z.boolean().default(false).nullable().optional()
trustLdapEmails: z.boolean().default(false).nullable().optional(),
trustOidcEmails: z.boolean().default(false).nullable().optional()
});

export type TSuperAdmin = z.infer<typeof SuperAdminSchema>;
Expand Down
10 changes: 9 additions & 1 deletion backend/src/ee/routes/v1/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ import { registerGroupRouter } from "./group-router";
import { registerIdentityProjectAdditionalPrivilegeRouter } from "./identity-project-additional-privilege-router";
import { registerLdapRouter } from "./ldap-router";
import { registerLicenseRouter } from "./license-router";
import { registerOidcRouter } from "./oidc-router";
import { registerOrgRoleRouter } from "./org-role-router";
import { registerProjectRoleRouter } from "./project-role-router";
import { registerProjectRouter } from "./project-router";
Expand Down Expand Up @@ -64,7 +65,14 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
{ prefix: "/pki" }
);

await server.register(registerSamlRouter, { prefix: "/sso" });
await server.register(
async (ssoRouter) => {
await ssoRouter.register(registerSamlRouter);
await ssoRouter.register(registerOidcRouter, { prefix: "/oidc" });
},
{ prefix: "/sso" }
);

await server.register(registerScimRouter, { prefix: "/scim" });
await server.register(registerLdapRouter, { prefix: "/ldap" });
await server.register(registerSecretScanningRouter, { prefix: "/secret-scanning" });
Expand Down
Loading
Loading