Skip to content

Feature/openid connect #3093

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 25 commits into from
Closed

Feature/openid connect #3093

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
d189ffc
added openid auth support
Apr 9, 2021
5f59e99
merged in changes from main
dylanturn Apr 10, 2021
e1abd86
scrubbed some small changes that I didn't mean to include
dylanturn Apr 10, 2021
906e7b6
Updated the yarn lockfile. Updated the OIDC user console log with debug.
dylanturn Apr 10, 2021
12c813f
ran yarn fmt, and made sure yarn lint, _audit, test:unit would pass.
dylanturn Apr 10, 2021
0440796
made the oidc group claim optional
dylanturn Apr 15, 2021
4fcfab2
Added documentation that explains how to configure and OpenID-Connect…
dylanturn Apr 15, 2021
a11d9a9
added markdown to reduce the image sizes
dylanturn Apr 15, 2021
1532cb5
resized the images
dylanturn Apr 15, 2021
2a0c448
updated the doc images
dylanturn Apr 15, 2021
6add98b
updated the doc images
dylanturn Apr 15, 2021
3ac81d9
updated the doc images
dylanturn Apr 15, 2021
aabfded
Updated the documentation with a couple extra steps after testing it out
dylanturn Apr 15, 2021
c3c305c
updated the screenshot to make sure the code-server endpoint url is c…
dylanturn Apr 15, 2021
153e89b
Merge pull request #4 from turnbros/feature/openid-connect-remove-cla…
dylanturn Apr 15, 2021
d5ffe24
Merge pull request #5 from turnbros/documentation/openid-setup-guides
dylanturn Apr 15, 2021
9e2b4f3
replace console.debug with logger.debug
dylanturn Apr 16, 2021
af31604
updated the logger.debug and ran yarn fmt
dylanturn Apr 16, 2021
793817b
Merge pull request #6 from turnbros/fix/openid-connect-logging
dylanturn Apr 16, 2021
d503138
updated the logger format to match what was actually requested
dylanturn Apr 16, 2021
f2f731a
Merge pull request #7 from turnbros/fix/openid-connect-logging
dylanturn Apr 16, 2021
becd7da
Merge branch 'main' into feature/openid-connect
dylanturn Apr 22, 2021
ed29b32
bumped the jose version to appease the audit gods
dylanturn Apr 22, 2021
cf1ad0d
Apply suggestions from code review
dylanturn Apr 23, 2021
ab718f1
update the documentation to better conform to the style guide
dylanturn Apr 23, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -86,6 +86,7 @@
"cookie-parser": "^1.4.5",
"env-paths": "^2.2.0",
"express": "^5.0.0-alpha.8",
"express-openid-connect": "^2.3.1",
"http-proxy": "^1.18.0",
"httpolyglot": "^0.1.2",
"js-yaml": "^4.0.0",
Expand Down
16 changes: 15 additions & 1 deletion src/node/app.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,11 +1,12 @@
import { logger } from "@coder/logger"
import compression from "compression"
import express, { Express } from "express"
import { auth } from "express-openid-connect"
import { promises as fs } from "fs"
import http from "http"
import * as httpolyglot from "httpolyglot"
import * as util from "../common/util"
import { DefaultedArgs } from "./cli"
import { AuthType, DefaultedArgs } from "./cli"
import { handleUpgrade } from "./wsRouter"

/**
Expand Down Expand Up @@ -59,6 +60,19 @@ export const createApp = async (args: DefaultedArgs): Promise<[Express, Express,
const wsApp = express()
handleUpgrade(wsApp, server)

if (args.auth == AuthType.Openid) {
const openidConfig = {
authRequired: true,
auth0Logout: true,
issuerBaseURL: args["openid-issuer-base-url"],
clientID: args["openid-client-id"],
baseURL: args["openid-base-url"],
secret: args["openid-secret"]
};
app.use(auth(openidConfig));
wsApp.use(auth(openidConfig));
}

return [app, wsApp, server]
}

Expand Down
31 changes: 31 additions & 0 deletions src/node/cli.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ import { canConnect, generateCertificate, generatePassword, humanPath, paths } f
export enum AuthType {
Password = "password",
None = "none",
Openid = "openid"
}

export class Optional<T> {
Expand All @@ -29,6 +30,12 @@ export interface Args extends VsArgs {
config?: string
auth?: AuthType
password?: string
"openid-issuer-base-url"?: string
"openid-client-id"?: string
"openid-base-url"?: string
"openid-secret"?: string
"openid-group-claim"?:string
"openid-user-group"?:string
"hashed-password"?: string
cert?: OptionalString
"cert-host"?: string
Expand Down Expand Up @@ -105,6 +112,30 @@ const options: Options<Required<Args>> = {
type: "string",
description: "The password for password authentication (can only be passed in via $PASSWORD or the config file).",
},
"openid-issuer-base-url": {
type: "string",
description: "The base url for providers .well-known endpoint",
},
"openid-client-id": {
type: "string",
description: "The client ID of this OpenID application",
},
"openid-base-url": {
type: "string",
description: "The base URL for code-server",
},
"openid-secret": {
type: "string",
description: "A long secret used to encrypt the session cookie",
},
"openid-group-claim": {
type: "string",
description: "A claim that contains the authenticated users group assignments",
},
"openid-user-group": {
type: "string",
description: "The group that a user will need to be a member of to access this instance",
},
"hashed-password": {
type: "string",
description:
Expand Down
25 changes: 25 additions & 0 deletions src/node/http.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
import { field, logger } from "@coder/logger"
import * as express from "express"
import * as expressCore from "express-serve-static-core"
import { RequestContext } from "express-openid-connect"
import qs from "qs"
import safeCompare from "safe-compare"
import { HttpCode, HttpError } from "../common/http"
Expand All @@ -16,6 +17,7 @@ declare global {
export interface Request {
args: DefaultedArgs
heart: Heart
oidc: RequestContext
}
}
}
Expand Down Expand Up @@ -69,6 +71,29 @@ export const authenticated = (req: express.Request): boolean => {
? safeCompare(req.cookies.key, req.args["hashed-password"])
: req.args.password && safeCompare(req.cookies.key, hash(req.args.password)))
)
case AuthType.Openid:
console.log(req.oidc.user)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like we might want to use console.debug and add some other text here? It's definitely helpful to have debug output as figuring out OIDC integration problems can be... a challenge 😅 but we'd some other text that we can search for, so we know where the logs are coming from.

maybe something like:

console.debug("authenticated using OpenID Connect as", req.oidc.user)

other debug info like the returned OIDC claims seems useful too? they're secret credentials, but since code-server is meant for a single user, maybe logging those is OK?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, very sorry, I'll include this change along with the updates to yarn lockfile.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No apologies needed! Thanks so much for your contribution! ❤️

console.log(req.oidc.isAuthenticated())

const groupClaim = req.args["openid-group-claim"]
const userGroup = req.args["openid-user-group"]

if (req.oidc.isAuthenticated()){
for (const key in req.oidc.idTokenClaims) {
var claims = <string[]>req.oidc.idTokenClaims[key]
if (key == groupClaim) {
for (const value in claims) {
if(userGroup == claims[value]) {
return true
}
}
}
}
throw new HttpError("Unauthorized", HttpCode.Unauthorized)
}

return false

default:
throw new Error(`Unsupported auth type ${req.args.auth}`)
}
Expand Down
Loading