Skip to content

feature/oidc_auth#49

Open
SkylordA wants to merge 4 commits intomainfrom
feature/oidc_auth
Open

feature/oidc_auth#49
SkylordA wants to merge 4 commits intomainfrom
feature/oidc_auth

Conversation

@SkylordA
Copy link
Contributor

@SkylordA SkylordA commented Jan 16, 2026

Adds OIDC login to python UI
Updates docker compose files to add oidc containers.
closes #47

@SkylordA SkylordA self-assigned this Jan 16, 2026
@SkylordA SkylordA added the enhancement New feature or request label Jan 16, 2026
This was referenced Feb 20, 2026
Open
Open
@SkylordA
Copy link
Contributor Author

SkylordA commented Feb 20, 2026

NOTE: requires OasisLMF/OasisPlatform#1342 and OasisLMF/OasisLMF#1879 fixes to work with authentik. You might get some client not set, network errors or 4xx errors if not using these.

@SkylordA
Copy link
Contributor Author

SkylordA commented Feb 20, 2026

Migration Guide

Refactors the Docker Compose setup and adds built-in OIDC support via Keycloak and Authentik. To learn how to run, see README.md.

What Changed

TLDR. The docker compose files more closely match the kubernetes version from OasisPlatform now.

Renamed Compose Files

Old New
oasis-platform.yml docker-compose.yml
oasis-ui.yml docker-compose.ui.yml

Old files remain in the repo but are no longer used by install.sh.

I've not touched the oasis-scenarios-*.yml files either, so they will probably need to be updated in a future PR.

NOTE: skip_login should still work with OIDC, just uses the client_credentials id and secret rather than any specific user credentials. Needs to be added to secrets.toml.

New Files Added

File / Directory Purpose
docker-compose.keycloak.yml Keycloak IdP services
docker-compose.authentik.yml Authentik IdP services
.env.simple, .env.keycloak, .env.authentik Per-auth-type env templates
oidc/keycloak/ Keycloak realm config and user definitions
oidc/authentik/ Authentik blueprint and user definitions
scripts/ Template processing and validation helpers
install.sh Unified installer — detects auth type, processes templates, brings up the stack

Infrastructure Additions

  • Traefik reverse proxy added to the stack (port 80 / 8443). Routes /api, /ws, /auth, /authentik, and / to the correct service by path prefix.
  • Keycloak and Authentik OIDC providers can now be included as part of the same Compose stack, selected by API_AUTH_TYPE in .env.

Base Image Changes

Service Old New
Server DB / Celery DB postgres (unpinned) postgres:15-alpine
Message broker rabbitmq (old tag) rabbitmq:3.11-management-alpine
Channel layer redis valkey/valkey:8.1-alpine3.21

Database Engine String Changes

SQLAlchemy / psycopg version updates require updated engine strings in .env:

Old New
postgresql_psycopg2 postgresql
db+postgresql+psycopg2 db+postgresql+psycopg

The .streamlit/secrets.toml file

The UI reads auth configuration from .streamlit/secrets.toml (mounted
read-only into the container). Set auth_type and the matching credentials
or OIDC client details here before running the installer. See the README for
examples.

The auth_type here is either "simple" or "oidc" based on auth_type found in OasisLMF APIClient/APISession.

@SkylordA SkylordA marked this pull request as ready for review February 20, 2026 14:29
@SkylordA
creates new docker files for simple/oidc logins, updates install scri…
1d0a3cb 
…pts, updates streamlit to support oidc auth, updates readmes
@SkylordA SkylordA requested review from sambles and vinulw February 20, 2026 14:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vinulw vinulw Awaiting requested review from vinulw

@sambles sambles Awaiting requested review from sambles

Assignees

@SkylordA SkylordA

Labels

enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Implement new OIDC login for users

1 participant

@SkylordA

Comments