
Support compact Social Provider configuration in OIDC #20783

Closed
sberyozkin opened this issue Oct 14, 2021 · 3 comments · Fixed by #22572
Labels
area/oidc kind/enhancement New feature or request
Milestone

Comments

@sberyozkin
Member

Description

As proposed by Pedro @pedroigor at #20707, it would be useful to have something like

quarkus.oidc.broker=github

instead of

quarkus.oidc.auth-server-url=https://github.com/login/oauth
quarkus.oidc.discovery-enabled=false
quarkus.oidc.authorization-path=authorize
quarkus.oidc.token-path=access_token
quarkus.oidc.user-info-path=https://api.github.com/user
quarkus.oidc.authentication.scopes=user:email
quarkus.oidc.authentication.user-info-required=true
quarkus.oidc.authentication.id-token-required=false

which would be a massive configuration improvement.
So quarkus.oidc.broker=github would be enough but users would be able to override specific properties.

Perhaps, to make it more useful, we should try to follow up with support for LinkedIn so that the whole improvement will not be done for GitHub alone.

(I'd probably suggest quarkus.oidc.provider=github since we use OIDC Provider in the docs)

Implementation ideas

No response

@sberyozkin sberyozkin added the kind/enhancement New feature or request label Oct 14, 2021
@quarkus-bot

quarkus-bot bot commented Oct 14, 2021

/cc @pedroigor

@FroMage
Member

FroMage commented Dec 6, 2021

Well we can also make it easier to specify paths, for other providers such as google:

quarkus.oidc.broker=google
quarkus.oidc.application-type=web-app
quarkus.oidc.client-id=SECRET
quarkus.oidc.credentials.secret=SECRET
quarkus.oidc.authentication.scopes=openid,email,profile
quarkus.oidc.authentication.redirect-path=/Login/googleLoginSuccess

quarkus.oidc.github.broker=github
quarkus.oidc.github.application-type=web-app
quarkus.oidc.github.client-id=SECRET
quarkus.oidc.github.credentials.secret=SECRET
quarkus.oidc.github.authentication.scopes=user:email
quarkus.oidc.github.authentication.redirect-path=/Login/githubLoginSuccess

@FroMage
Member

FroMage commented Dec 13, 2021

Let's give a more complete example, before:

# Note I have to specify a default because otherwise keycloak starts in dev mode
# Default=Google
quarkus.oidc.auth-server-url=https://accounts.google.com
quarkus.oidc.application-type=web-app
quarkus.oidc.client-id=SECRET
quarkus.oidc.credentials.secret=SECRET
quarkus.oidc.authentication.scopes=openid,email,profile
quarkus.oidc.authentication.redirect-path=/Login/oidcLoginSuccess

# Github
quarkus.oidc.github.auth-server-url=https://github.com/login/oauth
quarkus.oidc.github.application-type=web-app
quarkus.oidc.github.client-id=SECRET
quarkus.oidc.github.credentials.secret=SECRET
quarkus.oidc.github.discovery-enabled=false
quarkus.oidc.github.authorization-path=authorize
quarkus.oidc.github.token-path=access_token
quarkus.oidc.github.user-info-path=https://api.github.com/user
quarkus.oidc.github.authentication.scopes=user:email
quarkus.oidc.github.authentication.user-info-required=true
quarkus.oidc.github.authentication.id-token-required=false
quarkus.oidc.github.authentication.redirect-path=/Login/githubLoginSuccess

# MS
quarkus.oidc.microsoft.auth-server-url=https://login.microsoftonline.com/common/v2.0
quarkus.oidc.microsoft.application-type=web-app
quarkus.oidc.microsoft.client-id=SECRET
quarkus.oidc.microsoft.credentials.secret=SECRET
# Must be any because it appears to be a random UUID
quarkus.oidc.microsoft.token.issuer=any
quarkus.oidc.microsoft.authentication.scopes=openid,email,profile
quarkus.oidc.microsoft.authentication.redirect-path=/Login/oidcLoginSuccess

# Facebook
quarkus.oidc.facebook.auth-server-url=https://www.facebook.com
quarkus.oidc.facebook.application-type=web-app
quarkus.oidc.facebook.client-id=SECRET
quarkus.oidc.facebook.credentials.secret=SECRET
quarkus.oidc.facebook.authentication.scopes=email,public_profile
quarkus.oidc.facebook.authentication.redirect-path=/Login/facebookLoginSuccess
# Disable discovery because they're missing the token path
quarkus.oidc.facebook.discovery-enabled=false
quarkus.oidc.facebook.token-path=https://graph.facebook.com/v12.0/oauth/access_token
quarkus.oidc.facebook.token.issuer=facebook
quarkus.oidc.facebook.authorization-path=https://facebook.com/dialog/oauth/
quarkus.oidc.facebook.jwks-path=https://www.facebook.com/.well-known/oauth/openid/jwks/
quarkus.oidc.facebook.user-info-path=https://graph.facebook.com/me/?fields=id,name,email,first_name,last_name
quarkus.oidc.facebook.authentication.user-info-required=true
quarkus.oidc.facebook.authentication.id-token-required=false

# Apple
quarkus.oidc.apple.auth-server-url=https://appleid.apple.com/
quarkus.oidc.apple.application-type=web-app
quarkus.oidc.apple.client-id=SECRET
quarkus.oidc.apple.credentials.jwt.key-file=SECRET
quarkus.oidc.apple.credentials.jwt.key-algorithm=ES256
quarkus.oidc.apple.credentials.jwt.token-key-id=SECRET
quarkus.oidc.apple.credentials.jwt.signature-algorithm=ES256
quarkus.oidc.apple.credentials.jwt.audience=https://appleid.apple.com
quarkus.oidc.apple.credentials.jwt.issuer=SECRET
quarkus.oidc.apple.credentials.jwt.subject=SECRET
quarkus.oidc.apple.authentication.scopes=openid,email,name
quarkus.oidc.apple.authentication.redirect-path=/Login/oidcLoginSuccess
# FIXME: should come from auto-detect? or special flag
quarkus.oidc.apple.authentication.extra-params.response_mode=form_post
# FIXME: should not be needed
quarkus.oidc.apple.authentication.force-redirect-https-scheme=true
# FIXME: should come from auto-detect
quarkus.oidc.apple.credentials.client-secret.method=post

After:

# Note I have to specify a default because otherwise keycloak starts in dev mode
# Default=Google
quarkus.oidc.broker=google
quarkus.oidc.application-type=web-app
quarkus.oidc.client-id=SECRET
quarkus.oidc.credentials.secret=SECRET
quarkus.oidc.authentication.scopes=openid,email,profile
quarkus.oidc.authentication.redirect-path=/Login/oidcLoginSuccess

# Github
quarkus.oidc.github.broker=github
quarkus.oidc.github.application-type=web-app
quarkus.oidc.github.client-id=SECRET
quarkus.oidc.github.credentials.secret=SECRET
quarkus.oidc.github.authentication.scopes=user:email
quarkus.oidc.github.authentication.redirect-path=/Login/githubLoginSuccess

# MS
quarkus.oidc.microsoft.broker=microsoft
quarkus.oidc.microsoft.application-type=web-app
quarkus.oidc.microsoft.client-id=SECRET
quarkus.oidc.microsoft.credentials.secret=SECRET
quarkus.oidc.microsoft.authentication.scopes=openid,email,profile
quarkus.oidc.microsoft.authentication.redirect-path=/Login/oidcLoginSuccess

# Facebook
quarkus.oidc.facebook.broker=facebook
quarkus.oidc.facebook.application-type=web-app
quarkus.oidc.facebook.client-id=SECRET
quarkus.oidc.facebook.credentials.secret=SECRET
quarkus.oidc.facebook.authentication.scopes=email,public_profile
quarkus.oidc.facebook.authentication.redirect-path=/Login/facebookLoginSuccess
quarkus.oidc.facebook.user-info-path=https://graph.facebook.com/me/?fields=id,name,email,first_name,last_name

# Apple
quarkus.oidc.apple.broker=apple
quarkus.oidc.apple.application-type=web-app
quarkus.oidc.apple.client-id=SECRET
quarkus.oidc.apple.credentials.jwt.key-file=SECRET
quarkus.oidc.apple.credentials.jwt.token-key-id=SECRET
quarkus.oidc.apple.credentials.jwt.issuer=SECRET
quarkus.oidc.apple.credentials.jwt.subject=SECRET
quarkus.oidc.apple.authentication.scopes=openid,email,name
quarkus.oidc.apple.authentication.redirect-path=/Login/oidcLoginSuccess

Notes:

  • All my brokers are web-app. I could make this the default, but I guess other users may want other styles? It's a bit annoying to repeat the application type for every broker though. Perhaps we could have a setting that applied to every tenant? quarkus.oidc.*.application-type=web-app ?
  • All my brokers need email/name, but every broker does this in specific ways, via custom scopes values, or user-info-path query params. I'm not sure everyone needs email and name by default, so not sure we should make this the default, but perhaps a setting like quarkus.oidc.*.fields=email,name would generate the custom scopes/user-info-path?
  • The Apple settings require this commit: FroMage@554bc01
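Added illustration, not Quarkus's own code: the issue only shows configuration, so a short Python model is used here to make the proposed semantics concrete for both the compact `quarkus.oidc[.<tenant>].provider=<name>` key from the issue description (a preset that explicit tenant properties may override) and the `quarkus.oidc.*.<key>` wildcard default floated in the Notes above. The wildcard tenant syntax, the `default` tenant label, the `ROOT_KEYS` heuristic for telling a tenant name from a property name, and the precedence order (explicit tenant property over wildcard over preset) are assumptions of this example; the preset values are copied from the "before" configuration in this thread.

```python
"""Added illustration (not Quarkus's own code): expanding the compact
'quarkus.oidc[.<tenant>].provider=<name>' key into explicit tenant
properties, with precedence
    explicit tenant property > wildcard 'quarkus.oidc.*' default > provider preset
The wildcard syntax and the precedence order are assumptions of this example;
preset values are copied from the 'before' configuration in this issue."""

PREFIX = "quarkus.oidc."
DEFAULT_TENANT = "default"  # label for keys with no tenant segment (assumption)

# Property names that may directly follow 'quarkus.oidc.'; anything else in that
# position is taken to be a tenant name (a simplification of Quarkus's own rules).
ROOT_KEYS = {
    "provider", "broker", "auth-server-url", "discovery-enabled",
    "authorization-path", "token-path", "user-info-path", "jwks-path",
    "application-type", "client-id", "credentials", "authentication", "token",
}

# Presets keyed by the compact value; values copied from the issue's 'before' example.
PROVIDER_PRESETS = {
    "github": {
        "auth-server-url": "https://github.com/login/oauth",
        "discovery-enabled": "false",
        "authorization-path": "authorize",
        "token-path": "access_token",
        "user-info-path": "https://api.github.com/user",
        "authentication.scopes": "user:email",
        "authentication.user-info-required": "true",
        "authentication.id-token-required": "false",
    },
    "google": {
        "auth-server-url": "https://accounts.google.com",
        "authentication.scopes": "openid,email,profile",
    },
    "microsoft": {
        "auth-server-url": "https://login.microsoftonline.com/common/v2.0",
        "token.issuer": "any",  # issuer varies per directory, as noted in the issue
        "authentication.scopes": "openid,email,profile",
    },
}


def parse_properties(text):
    """Parse 'key=value' lines, skipping blanks and '#' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def split_key(key):
    """Return (tenant, property) for a key under 'quarkus.oidc.'."""
    rest = key[len(PREFIX):]
    first, sep, remainder = rest.partition(".")
    if sep and first not in ROOT_KEYS:
        return first, remainder      # e.g. quarkus.oidc.github.client-id
    return DEFAULT_TENANT, rest      # e.g. quarkus.oidc.client-id


def expand(props):
    """Expand compact provider settings into full per-tenant property maps."""
    wildcard, tenants = {}, {}
    for key, value in props.items():
        if not key.startswith(PREFIX):
            continue
        tenant, prop = split_key(key)
        if tenant == "*":
            wildcard[prop] = value
        else:
            tenants.setdefault(tenant, {})[prop] = value

    expanded = {}
    for tenant, explicit in tenants.items():
        # Accept both spellings used in the issue; 'provider' wins if both are set.
        name = explicit.pop("broker", None)
        name = explicit.pop("provider", name)
        if name is not None and name not in PROVIDER_PRESETS:
            raise ValueError(f"tenant {tenant!r}: unknown provider {name!r}")
        merged = dict(PROVIDER_PRESETS.get(name, {}))  # lowest precedence
        merged.update(wildcard)                        # applies to every tenant
        merged.update(explicit)                        # explicit override wins
        expanded[tenant] = merged
    return expanded


def expand_text(text):
    return expand(parse_properties(text))


# Constructed sample in the compact style proposed in this issue.
SAMPLE = """
quarkus.oidc.*.application-type=web-app
quarkus.oidc.provider=google
quarkus.oidc.client-id=SECRET
quarkus.oidc.github.provider=github
quarkus.oidc.github.client-id=SECRET
quarkus.oidc.github.authentication.scopes=user:email,read:user
"""

if __name__ == "__main__":
    for tenant, cfg in expand_text(SAMPLE).items():
        for prop, value in sorted(cfg.items()):
            print(f"{tenant}: {prop}={value}")
```

Running the module prints the expanded form of the constructed sample: the `github` tenant picks up the GitHub preset (discovery disabled, explicit authorization, token and user-info paths) while its explicitly set scopes replace the preset's `user:email`, and both tenants inherit `application-type=web-app` from the wildcard line. An unknown provider name raises `ValueError` instead of silently producing a tenant with no endpoints, which is the failure mode a compact key should guard against.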

stuartwdouglas added a commit to stuartwdouglas/quarkus that referenced this issue Dec 14, 2021
This adds specific config to enable OIDC login for the main OIDC
providers. Having explicit config options like this makes it easy to
search the documentation/dev UI for it.

Fixes quarkusio#20783
@quarkus-bot quarkus-bot bot added this to the 2.7 - main milestone Jan 18, 2022