Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OpenID Connect based authentication (oauth) #4160

Open
vodorok opened this issue Jan 26, 2024 · 0 comments · May be fixed by #4298
Open

OpenID Connect based authentication (oauth) #4160

vodorok opened this issue Jan 26, 2024 · 0 comments · May be fixed by #4298
Assignees
Labels
GUI 🎨 new feature 👍 New feature request web 🌍 Related to the web app

Comments

@vodorok
Copy link
Contributor

vodorok commented Jan 26, 2024

Authentication with OpenID Connect (OIDC) would be a useful addition to CodeChecker authentication methods.
https://openid.net/developers/how-connect-works/

Currently, only PAM and LDAP authentication methods are supported, but there are cases where these methods are not flexible enough,
for example, in the demo server (https://codechecker-demo.eastus.cloudapp.azure.com), only a few predefined users exist, the viewing and administration must be done by using those, instead of using the proper users and permissions.

Phase I.

Requirements:

  • The feature must be implemented with https://github.com/lepture/authlib, https://docs.authlib.org/en/latest/index.html.
  • It should be possible to authenticate the user using the GitHub/Google (user-selectable) accounts over the web login screen.
  • Two-factor authentication should be supported if required by GitHub, or Google.
  • After successful authentication the user should be let in based on server settings (see below).
  • If the user authenticates once with GitHub, and in another case with Google, the same (user entity) should be used based on the email address.
  • If the user is not allowed to log in yet, bring the user to a landing page where she/he is informed that she/he must ask for permission to access the CodeChecker server. The CodeChecker admin can add the user manually to the allowed_users list.
  • Extend the CodeChecker authentication configuration https://github.com/Ericsson/codechecker/blob/master/docs/web/authentication.md with a new authentication method method_oauth and define the configuration parameters needed for the github and google external authenticators

The user entry should be restricted in two methods:

  • Let in everyone after successful authentication. (Phase I.)
  • Only let in those who are members of the predefined allowed_users group (Phase II.)

Phase II.

Group membership assignment based on Microsoft Entra Authentication domain.

#4349

Phase III.

Group membership managment using the internal db specified in ticket #4302

@vodorok vodorok added GUI 🎨 web 🌍 Related to the web app new feature 👍 New feature request labels Jan 26, 2024
@dkrupp dkrupp changed the title OpenID Connect based authentication OpenID Connect based authentication (oauth) Feb 28, 2024
@dkrupp dkrupp modified the milestone: release 6.25.0 Sep 17, 2024
@dkrupp dkrupp self-assigned this Sep 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
GUI 🎨 new feature 👍 New feature request web 🌍 Related to the web app
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants