cvat
Delegate authentication to OAuth 2.0 / OpenID Connect
We have our own OpenID Connect (OIDC) identity provider and would like users of our CVAT instance to log in using their identity from that provider. Can we configure CVAT to delegate auth to our OIDC provider? Thanks.
@brucehoff, you need to wait while we change our auth mechanism. Current plans are to use Keycloak (https://www.keycloak.org) and it has the feature as far as I know.
We are familiar with Keycloak. It would work perfectly for us. The "1.0.0 Beta milestone" you link has a date of March 31. If the work is done by then it would be very helpful.
Would the integration include fine-grained authorization? That is, would it allow users to access just their own videos and not to see others' (and/or link videos to Keycloak 'roles')? Or is it only an authentication mechanism (allowing select users to log in but afterwards not isolate resources)?
We are going to have fine-grained authorization. All our milestones are approximate (best effort).
Note: If you really want to get something on time it is better to contribute and invest some development resources.
@nmanovic Do we want to integrate with Google SSO in the future? The project already has a django-allauth dependency which we can use for that purpose.
@lakshmikantdeshpande, it should be possible. We are going to use Keycloak for auth purposes in the near future.
@nmanovic Ohh, okay
Hi, I am implementing Google sign-in but it does not work and simply redirects to the login page. I think somehow the authorisation of the user is not happening. It looks like there are some conditions in the code because of which it is failing.
Can someone please help me in implementing it or provide any direction to go forward?
Thanks in advance
Hey @arvindcyclist, I've implemented Google Sign in. Let me know if you need help.
@lakshmikantdeshpande Do you mind sharing the source code of your implementation?
@lakshmikantdeshpande I would like help implementing Google Sign-in. How did you set it up?
Any updates on this issue?
There's this PR: https://github.com/openvinotoolkit/cvat/pull/4646 but it hasn't been reviewed. Any update on this issue?
I like the idea of #4646 but it implements Datawiza Access as the only solution. There are other solutions which should be possible as well (especially because supporting them only requires not hard-coding the logout path and header names), like oauth2-proxy, vouch-proxy and, in general, e.g. nginx can delegate authentication to any third party using auth_request (I implemented this with oauth2-proxy and it works like a charm for other services).
@nmanovic Are you planning to integrate OIDC directly into CVAT? Would it then be feasible to merge #4646 (after allowing support for different header names for oauth2-proxy, …) to add that support now (and to other auth proxies as well, there may be proxies for other auth protocols like SAML or LDAP as well) or would that be rejected anyway because of an upcoming OIDC integration?
@Zocker1999NET, I'm going to review and merge #4646 as soon as I have permissions to do that.
@nmanovic Hey, any updates on plans to integrate OIDC into the application? I've been working to stand up CVAT on our K8s cluster and got most of the kinks worked out. We'd like to leverage an internal SP and IdP as well, so along the lines of @Zocker1999NET's concerns, supporting mechanisms other than Datawiza would be appreciated.
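The nginx `auth_request` delegation to oauth2-proxy mentioned in the comment above, as an added example (not from this thread, from PR #4646 or from CVAT's code). Hostnames, ports, certificate paths and the `X-Forwarded-User` / `X-Forwarded-Email` header names are assumptions; it presumes oauth2-proxy runs with `--set-xauthrequest` and that the backend is set up to read the identity header.

```nginx
# Constructed example: every hostname, port, path and header name is a placeholder.
server {
    listen 443 ssl;
    server_name cvat.example.org;
    ssl_certificate     /etc/nginx/tls/cvat.example.org.crt;
    ssl_certificate_key /etc/nginx/tls/cvat.example.org.key;

    # oauth2-proxy's own endpoints (sign-in, OIDC callback, sign-out).
    location /oauth2/ {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
    }

    # Subrequest target for auth_request: 202 = session valid, 401 = not logged in.
    location = /oauth2/auth {
        internal;                          # not reachable directly by clients
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Content-Length "";
        proxy_pass_request_body off;       # the check needs cookies, not the body
    }

    location / {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;  # unauthenticated users go to the IdP

        # Identity comes from oauth2-proxy's response, never from the client.
        auth_request_set $auth_user  $upstream_http_x_auth_request_user;
        auth_request_set $auth_email $upstream_http_x_auth_request_email;

        # proxy_set_header replaces any value the client sent under the same
        # name, so a forged X-Forwarded-User is dropped here.
        proxy_set_header X-Forwarded-User  $auth_user;
        proxy_set_header X-Forwarded-Email $auth_email;

        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080;  # backend bound to loopback only
    }
}
```

The identity header is only trustworthy if the backend cannot be reached except through this proxy, so bind it to loopback or restrict it with a network policy.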
Ah sorry, jumped the gun on my comment about Social Auth being removed. Looks like OIDC was recently merged https://github.com/opencv/cvat/pull/5684. Excited for this functionality!
@tvanderwal-lmco, social accounts and OIDC will be a part of our enterprise subscription. The features are not necessary for small AI startups and data scientists. If you want to have them, please look at our https://www.cvat.ai/pricing/on-prem