From 93e779581dc716372294f960058767678026b90a Mon Sep 17 00:00:00 2001
From: Asen Lekov
Date: Sat, 21 Jan 2023 15:16:59 +0200
Subject: [PATCH 1/5] feat(auth-provider): add support for oidc auth provider
closes #253, #218
---
 .changeset/olive-dancers-lie.md | 7 +++++++
 migrations/00012_add_oidc_auth_provider.sql | 8 ++++++++
 src/routes/oauth/config.ts | 21 +++++++++++++++++++++
 3 files changed, 36 insertions(+)
 create mode 100644 .changeset/olive-dancers-lie.md
 create mode 100644 migrations/00012_add_oidc_auth_provider.sql
diff --git a/.changeset/olive-dancers-lie.md b/.changeset/olive-dancers-lie.md
new file mode 100644
index 000000000..7a3ef9605
--- /dev/null
+++ b/.changeset/olive-dancers-lie.md
@@ -0,0 +1,7 @@
+---
+'hasura-auth': patch
+---
+
+Added support for OpenID Connect auth provider
+
+Tested with [Keycloak](http://keycloak.org/) but other OIDC providers should be working as well.
diff --git a/migrations/00012_add_oidc_auth_provider.sql b/migrations/00012_add_oidc_auth_provider.sql
new file mode 100644
index 000000000..eb1efaecf
--- /dev/null
+++ b/migrations/00012_add_oidc_auth_provider.sql
@@ -0,0 +1,8 @@
+-- start a transaction
+BEGIN;
+
+INSERT INTO auth.providers (id) VALUES ('oidc');
+
+-- commit the change (or roll it back later)
+COMMIT;
+
diff --git a/src/routes/oauth/config.ts b/src/routes/oauth/config.ts
index c1d32fc3d..525a9e63c 100644
--- a/src/routes/oauth/config.ts
+++ b/src/routes/oauth/config.ts
@@ -385,4 +385,25 @@ export const PROVIDERS_CONFIG: Record<
 next();
 },
 },
+ oidc: {
+ grant: {
+ oauth: 2,
+ nonce: true,
+ scope_delimiter: ' ',
+ scope: ['openid', 'profile', 'email'],
+ pkce: process.env.AUTH_PROVIDER_OIDC_PKCE === 'true',
+ authorize_url: `${process.env.AUTH_PROVIDER_OIDC_HOST}/auth`,
+ access_url: `${process.env.AUTH_PROVIDER_OIDC_HOST}/token`,
+ profile_url: `${process.env.AUTH_PROVIDER_OIDC_HOST}/userinfo`,
+ client_id: process.env.AUTH_PROVIDER_OIDC_CLIEND_ID,
+ client_secret: process.env.AUTH_PROVIDER_OIDC_CLIENT_SECRET,
+ },
+ profile: ({ profile }) => ({
+ id: profile.sub,
+ email: profile.email,
+ emailVerified: profile.email_verified,
+ displayName: profile.name && profile.nickname,
+ avatarUrl: profile.picture,
+ }),
+ },
 };
From 0c0aa9cf7873cee3caf86b40ab17cb0ba94a2ef6 Mon Sep 17 00:00:00 2001
From: Asen Lekov
Date: Sat, 21 Jan 2023 15:59:40 +0200
Subject: [PATCH 2/5] docs(auth-provider): update docs regarding OIDC
---
 .changeset/olive-dancers-lie.md | 4 +++-
 docs/environment-variables.md | 7 +++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/.changeset/olive-dancers-lie.md b/.changeset/olive-dancers-lie.md
index 7a3ef9605..277ddee68 100644
--- a/.changeset/olive-dancers-lie.md
+++ b/.changeset/olive-dancers-lie.md
@@ -4,4 +4,6 @@
 
 Added support for OpenID Connect auth provider
 
-Tested with [Keycloak](http://keycloak.org/) but other OIDC providers should be working as well.
+Tested with [Keycloak](http://keycloak.org/) but other OIDC providers should be working as well. It uses Authorization Code Flow.
+In addition you can enable PKCE (Proof Key for Code Exchange) via the env variable `AUTH_PROVIDER_OIDC_PKCE`.
+
diff --git a/docs/environment-variables.md b/docs/environment-variables.md
index 0208d32bf..a112b1900 100644
--- a/docs/environment-variables.md
+++ b/docs/environment-variables.md
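Review bot: `client_id` reads `process.env.AUTH_PROVIDER_OIDC_CLIEND_ID` (note `CLIEND`), while the rest of the series documents `AUTH_PROVIDER_OIDC_CLIENT_ID`, so with the documented variable set the authorization request is built with an undefined client id and the flow cannot start; the line should be `client_id: process.env.AUTH_PROVIDER_OIDC_CLIENT_ID,`. In the `profile` mapper, `displayName: profile.name && profile.nickname` resolves to the nickname whenever a name is present and to the falsy name otherwise, which looks like an inverted fallback — `profile.name || profile.nickname` is presumably the intent. The three endpoint URLs interpolate `AUTH_PROVIDER_OIDC_HOST` inside template literals, so an unset variable silently becomes `undefined/auth` instead of failing at startup; unless the env is validated elsewhere (not visible here), a startup guard on these variables would surface the misconfiguration. Note also that the identity fields are taken from `profile_url` (userinfo) rather than from a verified id_token, so `nonce: true` only protects the login if the underlying grant library checks the nonce against the id_token it receives — worth confirming before relying on it. `PROVIDERS_CONFIG` begins before this hunk.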
@@ -116,3 +116,10 @@
 | AUTH_PROVIDER_AZUREAD_CLIENT_ID | |
 | AUTH_PROVIDER_AZUREAD_CLIENT_SECRET | |
 | AUTH_PROVIDER_AZUREAD_TENANT | |
+| AUTH_PROVIDER_OIDC_ENABLED | `false` |
+| AUTH_PROVIDER_OIDC_HOST\* | |
+| AUTH_PROVIDER_OIDC_CLIENT_ID\* | |
+| AUTH_PROVIDER_OIDC_CLIENT_SECRET\* | |
+| AUTH_PROVIDER_OIDC_SCOPE | `openid profile email` |
+| AUTH_PROVIDER_OIDC_PKCE | `false` |
+
From 9dd9185c84646841014df235aca705dd07eb1937 Mon Sep 17 00:00:00 2001
From: Asen Lekov
Date: Sat, 21 Jan 2023 16:30:48 +0200
Subject: [PATCH 3/5] refactor: make migration more robust
---
 migrations/00012_add-oidc-auth-provider.sql | 7 +++++++
 migrations/00012_add_oidc_auth_provider.sql | 8 --------
 2 files changed, 7 insertions(+), 8 deletions(-)
 create mode 100644 migrations/00012_add-oidc-auth-provider.sql
 delete mode 100644 migrations/00012_add_oidc_auth_provider.sql
diff --git a/migrations/00012_add-oidc-auth-provider.sql b/migrations/00012_add-oidc-auth-provider.sql
new file mode 100644
index 000000000..3f4030992
--- /dev/null
+++ b/migrations/00012_add-oidc-auth-provider.sql
@@ -0,0 +1,7 @@
+-- start a transaction
+BEGIN;
+INSERT INTO auth.providers (id)
+ VALUES ('oidc')
+ON CONFLICT
+ DO NOTHING;
+COMMIT;
diff --git a/migrations/00012_add_oidc_auth_provider.sql b/migrations/00012_add_oidc_auth_provider.sql
deleted file mode 100644
index eb1efaecf..000000000
--- a/migrations/00012_add_oidc_auth_provider.sql
+++ /dev/null
@@ -1,8 +0,0 @@
--- start a transaction
-BEGIN;
-
-INSERT INTO auth.providers (id) VALUES ('oidc');
-
--- commit the change (or roll it back later)
-COMMIT;
-
From 7b39e6b97ead03ee166c50bd1fc9e4ef916940ac Mon Sep 17 00:00:00 2001
From: Asen Lekov
Date: Wed, 25 Jan 2023 20:40:47 +0200
Subject: [PATCH 4/5] refactor: make oidc provider more flexible and configurable
---
 docs/environment-variables.md | 4 +++-
 src/routes/oauth/config.ts | 6 +++---
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/docs/environment-variables.md b/docs/environment-variables.md
index a112b1900..bd26d3cfb 100644
--- a/docs/environment-variables.md
+++ b/docs/environment-variables.md
@@ -117,7 +117,9 @@
 | AUTH_PROVIDER_AZUREAD_CLIENT_SECRET | |
 | AUTH_PROVIDER_AZUREAD_TENANT | |
 | AUTH_PROVIDER_OIDC_ENABLED | `false` |
-| AUTH_PROVIDER_OIDC_HOST\* | |
+| AUTH_PROVIDER_OIDC_AUTH_URL\* | |
+| AUTH_PROVIDER_OIDC_TOKEN_URL\* | |
+| AUTH_PROVIDER_OIDC_USERINFO_URL\* | |
 | AUTH_PROVIDER_OIDC_CLIENT_ID\* | |
 | AUTH_PROVIDER_OIDC_CLIENT_SECRET\* | |
 | AUTH_PROVIDER_OIDC_SCOPE | `openid profile email` |
diff --git a/src/routes/oauth/config.ts b/src/routes/oauth/config.ts
index 525a9e63c..a75e2ef91 100644
--- a/src/routes/oauth/config.ts
+++ b/src/routes/oauth/config.ts
@@ -392,9 +392,9 @@ export const PROVIDERS_CONFIG: Record<
 scope_delimiter: ' ',
 scope: ['openid', 'profile', 'email'],
 pkce: process.env.AUTH_PROVIDER_OIDC_PKCE === 'true',
- authorize_url: `${process.env.AUTH_PROVIDER_OIDC_HOST}/auth`,
- access_url: `${process.env.AUTH_PROVIDER_OIDC_HOST}/token`,
- profile_url: `${process.env.AUTH_PROVIDER_OIDC_HOST}/userinfo`,
+ authorize_url: `${process.env.AUTH_PROVIDER_OIDC_AUTH_URL}`,
+ access_url: `${process.env.AUTH_PROVIDER_OIDC_TOKEN_URL}`,
+ profile_url: `${process.env.AUTH_PROVIDER_OIDC_USER_INFO_URL}`,
 client_id: process.env.AUTH_PROVIDER_OIDC_CLIEND_ID,
 client_secret: process.env.AUTH_PROVIDER_OIDC_CLIENT_SECRET,
 },
From a8df22029fd997917ee1f67200235d88668770b9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Szil=C3=A1rd=20D=C3=B3r=C3=B3?=
Date: Thu, 4 May 2023 14:49:35 +0200
Subject: [PATCH 5/5] chore: update migration number
---
 ...dd-oidc-auth-provider.sql => 00014_add-oidc-auth-provider.sql} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename migrations/{00012_add-oidc-auth-provider.sql => 00014_add-oidc-auth-provider.sql} (100%)
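Review bot: `profile_url` reads `AUTH_PROVIDER_OIDC_USER_INFO_URL`, but the docs hunk in the same commit documents `AUTH_PROVIDER_OIDC_USERINFO_URL` (no underscore), so an operator following the docs ends up with a userinfo URL equal to the literal string `undefined` and the profile fetch fails. The template-literal wrappers are now redundant and are exactly what coerce a missing variable into the string `"undefined"` instead of leaving it `undefined`; replacing the three lines with `authorize_url: process.env.AUTH_PROVIDER_OIDC_AUTH_URL,`, `access_url: process.env.AUTH_PROVIDER_OIDC_TOKEN_URL,` and `profile_url: process.env.AUTH_PROVIDER_OIDC_USERINFO_URL,` fixes both and matches how `client_secret` is read just below. The unchanged context line still reads `AUTH_PROVIDER_OIDC_CLIEND_ID` (typo for `CLIENT_ID`), which leaves the provider unable to start the flow regardless of this change. Because the three endpoints are now configured independently, a stray value can send the token exchange or the userinfo call (which carries the access token) to a host other than the issuer's; checking that all three are absolute `https` URLs, or deriving them from the issuer's `/.well-known/openid-configuration`, would be safer, though that lies outside this hunk. The enclosing `oidc` entry and `PROVIDERS_CONFIG` begin before the hunk.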
diff --git a/migrations/00012_add-oidc-auth-provider.sql b/migrations/00014_add-oidc-auth-provider.sql
similarity index 100%
rename from migrations/00012_add-oidc-auth-provider.sql
rename to migrations/00014_add-oidc-auth-provider.sql