Conversation

@justinhschaaf (Owner) commented Feb 24, 2025

This PR makes the necessary changes to enable SSO authentication via OIDC.

  • When navigating to /auth/oidc/login, users will be redirected to the OIDC provider to sign in.
  • The OIDC provider will return a ResponseToken to /auth/oidc/response, from which we decode the JWT and save the claims (user data) in a cookie.
  • When the user accesses an API route protected by the AuthenticatedUser request guard, the server will do the following:
    • Check for the JWT cookie and make sure it is not expired.
    • Check for an accompanying user cookie. If this cookie is present, the server makes sure the session as stored by PigWeb is not expired either.
    • If the user cookie is not present, check to see if the user exists in the database. If not, create a new user with the info from the JWT.

Remaining Challenges:

@justinhschaaf justinhschaaf added the enhancement New feature or request label Feb 24, 2025
@justinhschaaf justinhschaaf self-assigned this Feb 24, 2025
@justinhschaaf (Owner, Author) commented:

Was initially running into the following error during testing:

Error: Unable to parse or validate JWT: Error(InvalidAlgorithm)

Doing some digging into Authentik's source code, it only signs the JWT with the client secret + HS256 algorithm when no other certificate is set. Updating the provider to use "-------" as the signing key got a different error message.

  • Somehow this was changed back to the self-signed certificate later, but it still bypassed that first error. I already had a headache today, I'm not gonna question it.

Error: Unable to parse or validate JWT: Error(InvalidAudience)

The audience should just be the client id, and I double checked it's set properly. Most likely this just needs to be passed to the jsonwebtoken library.

@justinhschaaf (Owner, Author) commented:

Had to disable alg validation to get rid of the InvalidAlgorithm error message, but passing the client id to the validator lets OIDC work on the server side. Need to update the client with the login UI next.
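
The checks the PR description lists for the request guard (token not expired) and the two validation errors discussed above (algorithm, audience = client id), as an added example that is not part of this PR's code: a standard-library Python checker standing in for the Rust jsonwebtoken crate the project uses, so it runs without dependencies. The secret, client id and claims are constructed sample values; the checker pins the algorithm instead of turning alg validation off, and reports the failed check by name.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

class JwtError(Exception):
    """Carries the name of the failed check, mirroring jsonwebtoken's error kinds."""

def validate_hs256_jwt(token: str, secret: str, client_id: str, now=None) -> dict:
    """Verify an HS256 id token and return its claims; raise JwtError naming the failed check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise JwtError("InvalidToken")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the header's alg must match what we expect, so a token that
    # names another algorithm (or "none") is rejected before any key is used.
    if header.get("alg") != "HS256":
        raise JwtError("InvalidAlgorithm")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise JwtError("InvalidSignature")
    claims = json.loads(b64url_decode(payload_b64))
    # aud must contain the OIDC client id; the spec allows a single string or a list.
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise JwtError("InvalidAudience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise JwtError("ExpiredSignature")
    return claims

def make_token(claims: dict, secret: str, alg: str = "HS256") -> str:
    """Mint a constructed test token, HMAC-SHA256 signed; the header's alg is whatever the caller says."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def check(token: str, secret: str, client_id: str, now: float) -> str:
    # Return "ok" or the failed check's name, so outcomes are easy to compare.
    try:
        validate_hs256_jwt(token, secret, client_id, now)
        return "ok"
    except JwtError as e:
        return str(e)
```

A token whose header advertises a different algorithm is refused before its signature is even compared, which is the check that disabling alg validation gives up.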

@justinhschaaf (Owner, Author) commented:

There are still some quirks with this, e.g. the client data handler errors out when a request fails due to your session expiring instead of just telling you, but improving the error handling can be done in the main branch. The core objective of this PR--implementing OIDC--is complete. 🎉

@justinhschaaf justinhschaaf merged commit f923cc3 into main Mar 31, 2025
@justinhschaaf justinhschaaf deleted the auth branch March 31, 2025 05:59