feat(auth): multi provider authentication system#183
Conversation
Replaces single-provider OIDC/LDAP with a flexible multi-provider architecture supporting multiple simultaneous instances per type and adding OAuth 2.0

Signed-off-by: Mark Rivera <mcrivera@gmail.com>
Move cookie string literals to AUTH_COOKIES constant.

Signed-off-by: Mark Rivera <mcrivera@gmail.com>
| title="Requires saved config — opens the full OIDC login flow in a new tab" | ||
| @click="testOIDCLogin(provider.id)" | ||
| > | ||
| Test Login <UIcon name="i-heroicons-arrow-top-right-on-square" class="h-3 w-3" /> |
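Review bot: the "Test Login" button calls testOIDCLogin(provider.id) and, per its own title, runs the full OIDC login flow in a new tab; a new tab shares cookies with the admin's current session, so completing that flow can replace the session of the admin who clicked it. If the button stays, the tooltip should state that consequence plainly, or the test should be run in a way that does not touch the caller's session.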
Please remove this functionality, since it gets confusing for the end user to realize that they have been logged out of the admin/prior account they were in when it goes and tests the login for the other service.
| /> | ||
| </div> | ||
| <div class="flex items-center gap-4"> | ||
| <label class="w-48 text-left text-sm font-medium">Callback URL</label> |
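Review bot: the Callback URL field has no help text. OIDC/OAuth providers match the redirect URI exactly (scheme, host, port and path), so a tooltip should say that the default is normally correct and that this exact value must be registered with the provider; otherwise the first mismatch shows up only as a provider-side redirect_uri error.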
You should consider adding a help tooltip to clarify that this default value is likely good enough and that you will need to provide this callback URL to the auth provider.
| class="text-sm font-semibold text-indigo-600 hover:bg-indigo-500" | ||
| @click="saveAuthConfig" | ||
| > | ||
| Save |
Non-blocking: you should consider styling this button as an actual button instead of a bare word; the other buttons on the page are styled that way.
| @@ -1,20 +1,52 @@ | |||
| <template> | |||
| <dl class="mb-6 space-y-6 divide-y divide-gray-100 border-b border-t border-gray-200 pb-6 pt-6 text-sm leading-6"> | |||
| <!-- Default Login Tab --> | |||
Have a tooltip that explains that the 'default tab' is for when you have to type in your username/password, and that the remainder of the SSO options will show up in the list below.
| </div> | ||
| </dd> | ||
|
|
||
| <!-- Local Auth --> |
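Review bot: this hunk only opens the Local Auth block and shows no password policy for local accounts. Whatever minimum length and character-class rules the project settles on should be enforced server-side where the local credential is created or changed, with the UI stating the same rules next to the field, rather than existing only as a client-side default.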
The default password requirements should probably match the AS&D (i.e. 15 chars, 1 of each character class).
Groups are read from a configurable LDAP attribute (default: memberOf), CNs are extracted from DNs, and mapped to roles using the same groupName:roleId format as OIDC/OAuth. Access is denied when mappings are configured but the user matches no group.

Signed-off-by: Mark Rivera <mcrivera@gmail.com>
Removes CN extraction so groups with identical CNs in different OUs are unambiguous. Pipe delimiter avoids conflicts with commas inside DNs. OIDC/OAuth mapping parsing is unchanged (still comma-delimited).

Signed-off-by: Mark Rivera <mcrivera@gmail.com>
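The two commit messages above describe a small but easy-to-get-wrong piece of authorization logic: LDAP role mappings keyed by full group DN and split on `|` (because DNs contain commas), OIDC/OAuth mappings keyed by group name and split on `,`, and a deny when mappings exist but none match. The following is an added example written for this review, not code from PR #183 or the project; the function and type names (`parseRoleMappings`, `ldapGroups`, `resolveRoles`, `normalizeDn`), the case-insensitive DN comparison, and the rule that an empty mapping list lets an authenticated user through with no roles are all assumptions. The sample directory entries are constructed to show the ambiguity the full-DN change removes: two groups with the CN `admins` in different OUs.

```typescript
// Added example, not code from PR #183: group-to-role mapping as the commit
// messages describe it. LDAP mappings are pipe-delimited and keyed by the full
// group DN; OIDC/OAuth mappings stay comma-delimited and keyed by group name.
// When mappings are configured but none match, access is denied.
// All names in this file are assumptions, not the project's API.

type Provider = "ldap" | "oidc" | "oauth";

interface RoleMapping {
  group: string; // full DN for LDAP, plain group name for OIDC/OAuth
  roleId: string;
}

type AccessDecision =
  | { allowed: true; roles: string[] }
  | { allowed: false; reason: string };

// Parse "group:roleId" entries with the provider-specific delimiter.
// The split is on the LAST ':' so a DN whose value contains ':' stays whole
// (assumes role ids never contain ':').
function parseRoleMappings(raw: string, provider: Provider): RoleMapping[] {
  const delimiter = provider === "ldap" ? "|" : ",";
  return raw
    .split(delimiter)
    .map((s) => s.trim())
    .filter((s) => s.length > 0)
    .map((entry) => {
      const idx = entry.lastIndexOf(":");
      if (idx <= 0 || idx === entry.length - 1) {
        throw new Error(`malformed mapping entry: ${entry}`);
      }
      return { group: entry.slice(0, idx), roleId: entry.slice(idx + 1) };
    });
}

// Read group values from an LDAP entry. The attribute name is configurable
// (default memberOf) and matched case-insensitively, since directories differ
// in the casing they return.
function ldapGroups(
  entry: Record<string, string | string[]>,
  attr = "memberOf",
): string[] {
  const key = Object.keys(entry).find((k) => k.toLowerCase() === attr.toLowerCase());
  if (key === undefined) return [];
  const value = entry[key];
  return Array.isArray(value) ? value : [value];
}

// Pragmatic DN normalisation (assumption, not full RFC 4514 canonicalisation):
// lower-case and strip whitespace around RDN separators, so an admin typing
// "CN=Admins, OU=Eng" still matches "cn=admins,ou=eng" from the directory.
function normalizeDn(dn: string): string {
  return dn.split(",").map((p) => p.trim()).join(",").toLowerCase();
}

function resolveRoles(
  userGroups: string[],
  mappings: RoleMapping[],
  provider: Provider,
): AccessDecision {
  // Assumption: with no mappings configured, authentication alone is enough.
  if (mappings.length === 0) return { allowed: true, roles: [] };
  const norm = provider === "ldap" ? normalizeDn : (s: string) => s;
  const have = new Set(userGroups.map(norm));
  const roles = new Set<string>();
  for (const m of mappings) {
    if (have.has(norm(m.group))) roles.add(m.roleId);
  }
  if (roles.size === 0) {
    return {
      allowed: false,
      reason: "role mappings are configured but the user is in none of the mapped groups",
    };
  }
  return { allowed: true, roles: Array.from(roles) };
}

// Constructed sample: two groups share the CN "admins" in different OUs, the
// ambiguity that keying on the full DN (instead of the extracted CN) removes.
const LDAP_MAPPINGS = parseRoleMappings(
  "cn=admins,ou=engineering,dc=example,dc=com:admin|" +
    "cn=devs,ou=engineering,dc=example,dc=com:editor",
  "ldap",
);
const engineerEntry = {
  uid: "alice",
  memberof: ["CN=Admins,OU=Engineering,DC=example,DC=com"],
};
const contractorEntry = {
  uid: "bob",
  memberof: ["CN=Admins,OU=Contractors,DC=example,DC=com"],
};

const aliceDecision = resolveRoles(ldapGroups(engineerEntry), LDAP_MAPPINGS, "ldap");
const bobDecision = resolveRoles(ldapGroups(contractorEntry), LDAP_MAPPINGS, "ldap");
console.log(aliceDecision); // allowed, role "admin"
console.log(bobDecision); // denied: same CN, different OU
```

Two choices worth calling out. DN comparison is normalised rather than byte-exact because the string an admin pastes into the mapping field rarely matches the directory's casing and spacing; a byte-exact comparison would fail closed in a way that looks like a mapping bug. The OIDC/OAuth path deliberately does no normalisation, since the group claim is whatever the IdP issues and the mapping should match it exactly.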
Replaces single provider OIDC/LDAP with a flexible multi-provider architecture supporting multiple simultaneous instances per type and adding OAuth 2.0
closes: #3
closes: #171