buildbot-nix

Generic OIDC auth

Open james-atkins opened this issue 1 year ago • 7 comments

It would be nice to specify a generic OIDC login provider rather than GitHub or Gitea. For example, I use Dex.

This should be easy to implement Python-wise, as both GiteaAuth and GitHubAuth are subclasses of buildbot.www.oauth2.OAuth2Auth.

james-atkins, Jun 25 '24 14:06

Is OIDC not a different protocol from OAuth2?

Mic92, Jun 25 '24 14:06

Maybe not, I am not super familiar with the specifics. What might already work today is oauth2-proxy: https://oauth2-proxy.github.io/oauth2-proxy/

Mic92, Jun 25 '24 14:06

There is https://github.com/buildbot/buildbot/blob/331121358ba547a6d445de8760c5c8d359171cf8/master/buildbot/www/auth.py#L102 so a proxy could set a header value pointing to the user.

Mic92, Jun 25 '24 14:06

Question is, how do we handle permissions in this case? Treat all logged-in people as admins?

Mic92, Jun 25 '24 14:06

OIDC is a protocol built on top of OAuth2. It standardises how user information is retrieved once they are authenticated. E.g. some of buildbot's built-in authentication providers use standard OIDC claims such as name, email and picture.

james-atkins, Jun 25 '24 15:06
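The claim handling described in the comment above, together with the permissions question raised earlier in the thread, as an added example that is not code from this thread, buildbot or buildbot-nix. The function names, the sample documents, the `groups` claim and the returned dict layout (modelled on what Buildbot's OAuth2 providers return) are assumptions made for illustration.

```python
from urllib.parse import urlparse

# Constructed sample data, not taken from a real provider.
SAMPLE_DISCOVERY = {
    "issuer": "https://dex.example.org",
    "authorization_endpoint": "https://dex.example.org/auth",
    "token_endpoint": "https://dex.example.org/token",
    "userinfo_endpoint": "https://dex.example.org/userinfo",
}
SAMPLE_USERINFO = {
    "sub": "constructed-subject-id", "name": "Jane Doe",
    "email": "jane@example.org", "email_verified": True,
    "groups": ["ci-admins"],  # assumption: provider emits a "groups" claim
}


def endpoints_from_discovery(doc, expected_issuer):
    """Validate a discovery document and return the OAuth2 endpoint URLs."""
    # The issuer must match exactly the one the document was fetched for.
    if doc.get("issuer") != expected_issuer:
        raise ValueError("issuer mismatch in discovery document")
    endpoints = {}
    for key in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint"):
        url = doc.get(key)
        if not isinstance(url, str) or urlparse(url).scheme != "https":
            raise ValueError(f"missing or non-HTTPS {key}")
        endpoints[key] = url
    return endpoints


def userinfo_to_buildbot(claims):
    """Map standard OIDC claims to a Buildbot-style user info dict."""
    if not claims.get("sub"):
        raise ValueError("userinfo response has no 'sub' claim")
    # Use the email only when the provider asserts it is verified.
    email = claims.get("email") if claims.get("email_verified") is True else None
    username = claims.get("preferred_username") or email or claims["sub"]
    groups = claims.get("groups")
    groups = [g for g in groups if isinstance(g, str)] if isinstance(groups, list) else []
    return {"username": username, "full_name": claims.get("name") or username,
            "email": email, "groups": groups}


def is_admin(user_info, admin_groups):
    """Grant admin rights by group membership, not merely by being logged in."""
    return bool(set(user_info["groups"]) & set(admin_groups))
```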

I put this under the future milestone as for this to really make sense, #176 needs to be in place. If there are any objections to this, let me know.

MagicRB, Jul 08 '24 11:07

OAuth actually does indeed not look that complicated: https://git.lix.systems/lix-project/buildbot-nix/src/commit/45135d249b47f95846854e0145028b6f6e30dea1/buildbot_nix/init.py#L46 I could also imagine someone else could pick this up as a first contribution.

Mic92, Jul 08 '24 11:07