OIDC support (#33)

Author: ciur

CHANGELOG.md

@@ -1,5 +1,10 @@
 # Changelog
 
+
+## 0.8.0 - 2024-03-03
+
+- OIDC support
+
 ## 0.7.0 - 2024-02-18
 
 - Refactoring - all sql functions to have session as first arg

README.md

@@ -8,8 +8,8 @@ Following authentication methods are supported:
 
 * database - authenticate against user credentials from the database's
   core_user table
-* google auth - authenticate against Google's user account credentials
-* github auth - authenticate against Github's user account credentials
+* oidc - authenticate against OIDC provider
+* ldap - authenticate with LDAP
 
 When authentication succeeds, auth server responds with a valid
 cryptographically signed JWT access token.
@@ -94,58 +94,23 @@ volumes:
   maria:
 ```
 
-In order to enable authentication via Google accounts you need to
+In order to enable authentication via OIDC provider you need to
 provide following environment variables:
 
-*  `PAPERMERGE__AUTH__GOOGLE_CLIENT_SECRET`
-*  `PAPERMERGE__AUTH__GOOGLE_CLIENT_ID`
-*  `PAPERMERGE__AUTH__GOOGLE_AUTHORIZE_URL`
-*  `PAPERMERGE__AUTH__GOOGLE_REDIRECT_URI`
+*  `PAPERMERGE__AUTH__OIDC_CLIENT_SECRET`
+*  `PAPERMERGE__AUTH__OIDC_CLIENT_ID`
+*  `PAPERMERGE__AUTH__OIDC_AUTHORIZE_URL`
+*  `PAPERMERGE__AUTH__OIDC_REDIRECT_URI`
 
-You need to provider all four values. First two, client_id and client_secret,
-you obtain when registering oauth2 client with Google.
+You need to provider all four values.
 
-`PAPERMERGE__AUTH__GOOGLE_AUTHORIZE_URL` is the URL of the Google authorization
-server. As of writing this documentation, its value is:
+`PAPERMERGE__AUTH__OIDC_REDIRECT_URI` should be:
 
-    https://accounts.google.com/o/oauth2/auth
-
-just keep in mind that it may change thus you need to check Google's oauth2
-documentation for its current value.
-
-`PAPERMERGE__AUTH__GOOGLE_REDIRECT_URI` should be:
-
-    <http|https>://<your domain>/google/callback
+    <http|https>://<your domain>/oidc/callback
 
 Above value should be same as in field "Authorized redirect URI" when
 registering oauth2 client.
 
-To enable authentication via Github accounts you need to provider following env
-variables:
-
-* `PAPERMERGE__AUTH__GITHUB_CLIENT_SECRET`
-* `PAPERMERGE__AUTH__GITHUB_CLIENT_ID`
-* `PAPERMERGE__AUTH__GITHUB_AUTHORIZE_URL`
-* `PAPERMERGE__AUTH__GITHUB_REDIRECT_URI`
-
-Similarely with Google's oauth2 case, you need to provide all four values.
-Client secret and client id you get when registering oauth2 client.
-
-Current value for `PAPERMERGE__AUTH__GITHUB_AUTHORIZE_URL`, is
-
-  https://github.com/login/oauth/authorize
-
-Keep in mind to double check GitHub's documentation for up-to-date GitHub
-oauth2 authentication server URL.
-
-Value for `PAPERMERGE__AUTH__GITHUB_REDIRECT_URI` should be:
-
-    <http|https>://<your domain>/github/callback
-
-Above value should be same as in field "Authorized callback URI" when
-registering Github oauth2 client.
-
-
 You can also start the auth server with poetry:
 
     $ poetry run uvicorn auth_server.main:app \
@@ -218,20 +183,11 @@ which means that many scheme described in sqlalchemy docs will not
 work for papermerge-core.
 
 
-### Google Auth
-
-Either all four values should be provided or none.
-
-* `PAPERMERGE__AUTH__GOOGLE_CLIENT_SECRET`
-* `PAPERMERGE__AUTH__GOOGLE_CLIENT_ID`
-* `PAPERMERGE__AUTH__GOOGLE_AUTHORIZE_URL`
-* `PAPERMERGE__AUTH__GOOGLE_REDIRECT_URI`
-
-### Github Auth
+### OIDC Auth
 
 Either all four values should be provided or none.
 
-* `PAPERMERGE__AUTH__GITHUB_CLIENT_SECRET`
-* `PAPERMERGE__AUTH__GITHUB_CLIENT_ID`
-* `PAPERMERGE__AUTH__GITHUB_AUTHORIZE_URL`
-* `PAPERMERGE__AUTH__GITHUB_REDIRECT_URI`
+* `PAPERMERGE__AUTH__OIDC_CLIENT_SECRET`
+* `PAPERMERGE__AUTH__OIDC_CLIENT_ID`
+* `PAPERMERGE__AUTH__OIDC_AUTHORIZE_URL`
+* `PAPERMERGE__AUTH__OIDC_REDIRECT_URI`

auth_server/auth.py

@@ -13,10 +13,7 @@
 from .database.models import User
 from . import schemas
 from .config import Settings
-from .backends import (
-    GoogleAuth,
-    GithubAuth,
-)
+from .backends import OIDCAuth
 from .backends import ldap
 from .utils import raise_on_empty
 
@@ -33,42 +30,26 @@ async def authenticate(
     provider: schemas.AuthProvider = schemas.AuthProvider.DB,
     client_id: str | None = None,
     code: str | None = None,
-    redirect_uri: str | None = None
+    redirect_url: str | None = None
 ) -> schemas.User | None:
 
     # provider = DB
     if username and password and provider == schemas.AuthProvider.DB:
         # password based authentication against database
         return db_auth(db, username, password)
 
-    if provider == schemas.AuthProvider.GOOGLE:
-        # provider = GOOGLE (oauth2/google)
+    if provider == schemas.AuthProvider.OIDC:
         raise_on_empty(
             code=code,
             client_id=client_id,
             provider=provider,
-            redirect_uri=redirect_uri
+            redirect_url=redirect_url
         )
-        # oauth 2.0, google provider
-        return await google_auth(
+        return await oidc_auth(
             db,
             client_id=client_id,
             code=code,
-            redirect_uri=redirect_uri
-        )
-    elif provider == schemas.AuthProvider.GITHUB:
-        # provider = GitHub (oauth2/github)
-        raise_on_empty(
-            code=code,
-            client_id=client_id,
-            provider=provider,
-            redirect_uri=redirect_uri
-        )
-        return await github_auth(
-            db,
-            client_id=client_id,
-            code=code,
-            redirect_uri=redirect_uri
+            redirect_url=redirect_url
         )
     elif provider == schemas.AuthProvider.LDAP:
         # provider = ldap
@@ -163,69 +144,33 @@ async def ldap_auth(
     return get_or_create_user_by_email(db, email)
 
 
-async def google_auth(
+async def oidc_auth(
     db: Session,
     client_id: str,
     code: str,
-    redirect_uri: str
+    redirect_url: str
 ) -> User | None:
-    if settings.papermerge__auth__google_client_secret is None:
-        raise HTTPException(
-            status_code=400,
-            detail = "Google client secret is empty"
-        )
-
-    client = GoogleAuth(
-        client_secret = settings.papermerge__auth__google_client_secret,
-        client_id=client_id,
-        code=code,
-        redirect_uri = redirect_uri
-    )
-
-    logger.debug("Auth:google: sign in")
-
-    try:
-        await client.signin()
-    except Exception as ex:
-        logger.warning(f"Auth:google: sign in failed with {ex}")
-
-        raise HTTPException(
-            status_code=401,
-            detail = f"401 Unauthorized. Auth provider error: {ex}."
-        )
-
-    email = await client.user_email()
-
-    return get_or_create_user_by_email(db, email)
-
-
-async def github_auth(
-    db: Session,
-    client_id: str,
-    code: str,
-    redirect_uri: str
-) -> User:
-
-    logger.info("Auth:Github: sign in")
-    if settings.papermerge__auth__github_client_secret is None:
+    if settings.papermerge__auth__oidc_client_secret is None:
         raise HTTPException(
             status_code=400,
-            detail = "Github client secret is empty"
+            detail = "OIDC client secret is empty"
         )
 
-    client = GithubAuth(
-        client_secret = settings.papermerge__auth__github_client_secret,
+    client = OIDCAuth(
+        client_secret=settings.papermerge__auth__oidc_client_secret,
+        access_token_url=settings.papermerge__auth__oidc_access_token_url,
+        user_info_url=settings.papermerge__auth__oidc_user_info_url,
         client_id=client_id,
         code=code,
-        redirect_uri = redirect_uri
+        redirect_url=redirect_url
     )
 
-    logger.debug("Auth:Github: sign in")
+    logger.debug("Auth:oidc: sign in")
 
     try:
         await client.signin()
     except Exception as ex:
-        logger.warning(f"Auth:Github: sign in failed with {ex}")
+        logger.warning(f"Auth:oidc: sign in failed with {ex}")
 
         raise HTTPException(
             status_code=401,

auth_server/backends/__init__.py

@@ -1,3 +1,2 @@
-from .google import GoogleAuth
-from .github import GithubAuth
+from .oidc import OIDCAuth
 from .ldap import LDAPAuth