
feature/oidc_auth #49

Open
SkylordA wants to merge 4 commits into main from feature/oidc_auth

Conversation

@SkylordA
Contributor

Adds OIDC login to the Python UI.
Updates Docker Compose files to add OIDC containers.
closes #47

@SkylordA SkylordA self-assigned this Jan 16, 2026
@SkylordA SkylordA added the enhancement New feature or request label Jan 16, 2026
@SkylordA
Contributor Author

NOTE: requires the OasisLMF/OasisPlatform#1342 and OasisLMF/OasisLMF#1879 fixes to work with Authentik. You might get some "client not set", network, or 4xx errors if not using these.

@SkylordA
Contributor Author

Migration Guide

Refactors the Docker Compose setup and adds built-in OIDC support via Keycloak and Authentik. To learn how to run, see README.md.

What Changed

TL;DR: the Docker Compose files now more closely match the Kubernetes version from OasisPlatform.

Renamed Compose Files

| Old | New |
|---|---|
| oasis-platform.yml | docker-compose.yml |
| oasis-ui.yml | docker-compose.ui.yml |

Old files remain in the repo but are no longer used by install.sh.

I've not touched the oasis-scenarios-*.yml files either, so they will probably need to be updated in a future PR.

NOTE: skip_login should still work with OIDC; it just uses the client_credentials id and secret rather than any specific user credentials. These need to be added to secrets.toml.

New Files Added

| File / Directory | Purpose |
|---|---|
| docker-compose.keycloak.yml | Keycloak IdP services |
| docker-compose.authentik.yml | Authentik IdP services |
| .env.simple, .env.keycloak, .env.authentik | Per-auth-type env templates |
| oidc/keycloak/ | Keycloak realm config and user definitions |
| oidc/authentik/ | Authentik blueprint and user definitions |
| scripts/ | Template processing and validation helpers |
| install.sh | Unified installer — detects auth type, processes templates, brings up the stack |

Infrastructure Additions

  • Traefik reverse proxy added to the stack (port 80 / 8443). Routes /api, /ws, /auth, /authentik, and / to the correct service by path prefix.
  • Keycloak and Authentik OIDC providers can now be included as part of the same Compose stack, selected by API_AUTH_TYPE in .env.

Base Image Changes

| Service | Old | New |
|---|---|---|
| Server DB / Celery DB | postgres (unpinned) | postgres:15-alpine |
| Message broker | rabbitmq (old tag) | rabbitmq:3.11-management-alpine |
| Channel layer | redis | valkey/valkey:8.1-alpine3.21 |

Database Engine String Changes

SQLAlchemy / psycopg version updates require updated engine strings in .env:

| Old | New |
|---|---|
| postgresql_psycopg2 | postgresql |
| db+postgresql+psycopg2 | db+postgresql+psycopg |

The .streamlit/secrets.toml file

The UI reads auth configuration from .streamlit/secrets.toml (mounted read-only into the container). Set auth_type and the matching credentials or OIDC client details here before running the installer. See the README for examples.

The auth_type here is either "simple" or "oidc", matching the auth_type found in the OasisLMF APIClient/APISession.
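As an added example (not the project's own scripts/ helpers), a small Python check that rewrites the two deprecated engine strings listed above wherever they appear in a .env file, leaving already-migrated values and comments untouched; the variable names in the constructed sample are hypothetical.

```python
"""Rewrite deprecated SQLAlchemy/psycopg engine strings inside a .env body."""
import re
from typing import List, Tuple

# Old -> new engine strings, exactly as listed in the migration guide.
ENGINE_STRING_MAP = {
    "db+postgresql+psycopg2": "db+postgresql+psycopg",
    "postgresql_psycopg2": "postgresql",
}

# Match an old string only as a whole token (at URL-scheme or dotted-path
# boundaries) so already-migrated values such as db+postgresql+psycopg stay as-is.
_OLD_TOKEN_RE = re.compile(
    r"(?<![A-Za-z0-9_+])("
    + "|".join(map(re.escape, ENGINE_STRING_MAP))
    + r")(?![A-Za-z0-9_+])"
)


def migrate_engine_string(value: str) -> str:
    """Return the value with any deprecated engine string replaced."""
    return _OLD_TOKEN_RE.sub(lambda m: ENGINE_STRING_MAP[m.group(1)], value)


def migrate_env(text: str) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Rewrite a .env body; returns (new_text, [(key, old_value, new_value), ...])."""
    out, changes = [], []
    for line in text.splitlines():
        # Comments and non-assignment lines are copied through unchanged.
        if line.lstrip().startswith("#") or "=" not in line:
            out.append(line)
            continue
        key, _, value = line.partition("=")
        new_value = migrate_engine_string(value)
        if new_value != value:
            changes.append((key.strip(), value, new_value))
        out.append(f"{key}={new_value}")
    return "\n".join(out) + "\n", changes


# Constructed sample .env; the variable names are hypothetical, not the project's.
SAMPLE_ENV = """\
API_AUTH_TYPE=keycloak
SERVER_DB_ENGINE=django.db.backends.postgresql_psycopg2
CELERY_RESULT_BACKEND="db+postgresql+psycopg2://celery:celery@celery-db:5432/celery"
ALREADY_NEW=db+postgresql+psycopg://celery:celery@celery-db:5432/celery
# comment: postgresql_psycopg2 here must not be touched
"""

if __name__ == "__main__":
    new_text, changes = migrate_env(SAMPLE_ENV)
    for key, old, new in changes:
        print(f"{key}: {old} -> {new}")
    print(new_text)
```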

@SkylordA SkylordA marked this pull request as ready for review February 20, 2026 14:29
…pts, updates streamlit to support oidc auth, updates readmes
@SkylordA SkylordA requested review from sambles and vinulw February 20, 2026 14:39

Development

Successfully merging this pull request may close these issues: Implement new OIDC login for users