feat(auth): implement oidc authentication and session management #8854
Open
rbstp wants to merge 1 commit into apache:main from
DevLake had no native OIDC login. The existing protections (nginx Basic auth and /rest/* Bearer tokens) all sit outside the API and don't give you SSO at the application layer. This adds an OIDC login flow behind a default-off AUTH_ENABLED switch. Multiple providers (Entra ID, Google, etc.) can be configured side by side, sessions are revocable server-side, and CSRF is enforced on state-changing requests when authenticating via the session cookie. When AUTH_ENABLED=false the system behaves exactly as before; existing Basic auth, oauth2-proxy, and API-key flows are untouched.

Refs: apache#8694
Refs: https://devlake-io.slack.com/archives/C03AJH1HBAT/p1776917914734679
Summary

This PR adds OIDC login behind a default-off AUTH_ENABLED switch. Providers are configured via OIDC_PROVIDERS plus per-name env blocks, so a deployment can offer Entra ID and Google (or any other OIDC IdP) side by side. Sessions are signed JWTs in HttpOnly cookies, backed by a new auth_sessions table so they can be revoked server-side without rotating SESSION_SECRET. CSRF is enforced on state-changing requests when the caller is using the session cookie; API-key, Basic auth, and proxy-header callers are unaffected. Azure Workload Identity is supported for the Entra provider so AKS deployments can drop CLIENT_SECRET in favor of a federated SA-token assertion.

When AUTH_ENABLED=false, which is the default so there is no need to add it, the system behaves exactly as before. .env.example contains the variables needed to add the OIDC login.

Does this close any open issues?

Refs: #8694
Refs: https://devlake-io.slack.com/archives/C03AJH1HBAT/p1776917914734679
Screenshots
Example with Google, validated with Entra ID as well.
Other Information
Validated with Entra ID (AAD) and Google Auth, but it should work with other providers as well, as long as they respect the OIDC spec.
Expect a 401 in DevTools on first load before the redirect to /login. It is the axios interceptor bouncing unauthenticated requests through the OIDC flow, not a bug.
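The session and CSRF rules the description lays out, shown as an added Go illustration that is not DevLake's code or this PR's: a hypothetical SessionStore stands in for SESSION_SECRET and the auth_sessions table, the token is a simplified HMAC-signed "sid.sig" rather than the PR's JWT, and the cookie and header names are assumed.

```go
package main
import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"net/http"
	"strings"
)

// SessionStore is a hypothetical stand-in for SESSION_SECRET plus the PR's
// auth_sessions table; the token is a simplified HMAC "sid.sig", not a JWT.
type SessionStore struct {
	secret  []byte
	revoked map[string]bool // session ids refused even though their signature still verifies
}

// mac derives a label-separated HMAC so a session token cannot double as a CSRF token.
func (s *SessionStore) mac(label, sid string) string {
	m := hmac.New(sha256.New, s.secret)
	m.Write([]byte(label + ":" + sid))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}
func (s *SessionStore) valid(label, sid, got string) bool { // constant-time compare against the expected MAC
	return subtle.ConstantTimeCompare([]byte(got), []byte(s.mac(label, sid))) == 1
}
// Issue returns the cookie value and the CSRF token the browser must echo back.
func (s *SessionStore) Issue(sid string) (cookie, csrf string) {
	return sid + "." + s.mac("session", sid), s.mac("csrf", sid)
}
func (s *SessionStore) Revoke(sid string) { s.revoked[sid] = true } // server-side kill without rotating the secret

// Authorize applies the PR's rule: Bearer (API-key) callers bypass the cookie and CSRF
// checks; cookie callers need an unrevoked session and, except on GET/HEAD, a CSRF header.
func (s *SessionStore) Authorize(r *http.Request) int {
	if strings.HasPrefix(r.Header.Get("Authorization"), "Bearer ") {
		return http.StatusOK // API-key path is validated elsewhere, unchanged by the PR
	}
	c, err := r.Cookie("session")
	if err != nil {
		return http.StatusUnauthorized
	}
	sid, sig, ok := strings.Cut(c.Value, ".")
	if !ok || !s.valid("session", sid, sig) || s.revoked[sid] {
		return http.StatusUnauthorized
	}
	if r.Method != http.MethodGet && r.Method != http.MethodHead && !s.valid("csrf", sid, r.Header.Get("X-CSRF-Token")) {
		return http.StatusForbidden
	}
	return http.StatusOK
}
```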