Add OIDC login via social-auth #2550
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
| GitGuardian id | GitGuardian status | Secret | Commit | Filename | |
|---|---|---|---|---|---|
| 13777604 | Triggered | Generic High Entropy Secret | 366ab54 | config/keycloak/realms/default-realm.json | View secret |
| 13777605 | Triggered | Generic High Entropy Secret | 366ab54 | config/keycloak/realms/default-realm.json | View secret |
| 13777606 | Triggered | Generic Private Key | 366ab54 | config/keycloak/tls/tls.key | View secret |
| 13777607 | Triggered | Generic High Entropy Secret | 366ab54 | config/keycloak/realms/default-realm.json | View secret |
| 13777608 | Triggered | Generic High Entropy Secret | 366ab54 | config/keycloak/realms/default-realm.json | View secret |
| 13777609 | Triggered | Generic Password | 366ab54 | config/keycloak/realms/default-realm.json | View secret |
| 13777610 | Triggered | Generic High Entropy Secret | 366ab54 | config/keycloak/realms/default-realm.json | View secret |
| 10259317 | Triggered | Generic Password | 366ab54 | docker-compose.yml | View secret |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secrets safely. Learn here the best practices.
- Revoke and rotate these secrets.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider
- following these best practices for managing and storing secrets including API keys and other credentials
- install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
jkachel
force-pushed
the
jkachel/add-social-auth-keycloak
branch
from
bd5b54f to
d78e643
Compare
rhysyngsun
reviewed
Mar 14, 2025
authentication/views.py
Outdated
| ).first() | ||
|
|
||
| if not user_social_auth_record: | ||
| return False |
There was a problem hiding this comment.
This should probably be None.
There was a problem hiding this comment.
resolved in 647bf32
rhysyngsun
requested changes
Mar 17, 2025
docker-compose.yml
Outdated
Comment on lines
192
to
193
| - ${KEYCLOAK_PORT}:${KEYCLOAK_PORT} | ||
| - ${KEYCLOAK_SSL_PORT}:${KEYCLOAK_SSL_PORT} |
There was a problem hiding this comment.
Could you give these default values too? docker compose is requiring them even if I'm not using the keycloak file since it invalidates the config.
There was a problem hiding this comment.
resolved in 95dec4a
jkachel
force-pushed
the
jkachel/add-social-auth-keycloak
branch
from
56be789 to
a3e705d
Compare
- Adding in Keycloak instance stuff (mostly copied from UE/Learn but with some reworked documentation) - Added ol_open_id_connect backend, from Learn, but also captures the global_id (Keycloak ID) - Added global_id to the user model - Started in on situating the user for non-API-driven login requests - Added an interstitial to the login screen to allow the user to choose email or keycloak This is not particularly usable because OIDC needs feature-flagging. We don't want users trying to log in via Keycloak right yet. (It's also not done. Users get created, that's about it.) The existing custom parts of the pipeline check to make sure their backend is the one they expect before doing things, so the strategy is to add in basically the existing Python Social Auth pipeline things that would normally be there, but wrapping them so they only run if we're authenticating via OIDC. This should allow the existing email-based flow to work while also allowing OIDC to function alongside it.
- Fixed an issue with the global_id field; using _create_user should also fill it if it's a non-OIDC user - Added the promote_user command from UE - Added EXPOSE_OIDC_LOGIN; if this is not set, the OIDC workflow won't be shown on login (but isn't disabled) - Worked out bugs in the pipeline and now should create the user correctly (i.e. set is_active = True) when logging in via OIDC - Updating logout to bounce through Keycloak - Updated frontend to hide the first interstitial step if OIDC is disabled - Tested with external Keycloak - Added more docs for external Keycloak, override sample, and updates to the regular docs
for more information, see https://pre-commit.ci
- On logout, users without a social-auth (meaning local only) were getting redirected to Keycloak erroneously; the URL building process failed here so this just results in an error; now check to see if they're actually a social auth user and redirect appropriately - Remove choice option for login - if we're doing OIDC, then no email login at all; the buttons in the header both send you to keycloak - Updated some comments for is_active flag in User (we'll need to make some changes after fully rolling to SSO auth)
…d and tighten up the length of it Once users are migrated to Keycloak, we should probably add the unique back on global_id (and/or change it to a UUIDField).
for more information, see https://pre-commit.ci
jkachel
force-pushed
the
jkachel/add-social-auth-keycloak
branch
from
647bf32 to
7ad86b8
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What are the relevant tickets?
Closes mitodl/hq#6586
Description (What does it do?)
Configures the authentication pipeline to work with OIDC (Keycloak) based authentication.
A Keycloak instance is necessary for testing this. See the
README-keycloak.mdfor setup instructions. (It is not the same as it is elsewhere! Hopefully it's better/easier to follow.) The sample instance that exists elsewhere has been migrated here to make testing easier. Or, you can also use a different Keycloak instance, including one that is part of some other app (like Learn or Unified Ecommerce).When completed and enabled, users will be given the option of logging in via email or Keycloak:
We don't have design for this but the choice screen just gives you a couple buttons to direct the user.
This does not depend on APISIX at all. However, if this is sitting behind a correctly configured APISIX instance and the user's already logged in, the user should just get bounced straight back from Keycloak. But the app will not pick up an existing APISIX session.
Screenshots (if appropriate):
Login interstitial:
How can this be tested?
EXPOSE_OIDC_LOGINto True in your.env.README-keycloak.mdfor instructions.README-keycloak.mdif you're going to use a separate Keycloak instance on the same machine.Additional Context
This doesn't tackle grabbing an APISIX session. Different middleware is needed for this.