
[feature] Add OIDC support

Open Simon-Boyer opened this issue 1 year ago • 8 comments

Problem Description

I'm trying to use an identity provider which currently only supports OIDC; it would be nice if it was one of the supported options for omni.

Solution

Add OIDC as a third option to omni auth providers methods (currently only auth0 and saml).

Alternative Solutions

Tried to use this thing, but I can't make it work: https://github.com/IdentityPython/SATOSA/tree/master

Notes

No response

Simon-Boyer avatar Mar 28 '24 22:03 Simon-Boyer

Having recently spent time migrating a bunch of our SAML k8s apps over to OpenID Connect, I could really use this to help pitch the omni case in my org.

We're using pinniped.dev

MAHDTech avatar Apr 26 '24 12:04 MAHDTech

> Add OIDC as a third option to omni auth providers methods (currently only auth0 and saml).

OIDC as in OpenID Connect?

samip5 avatar May 28 '24 22:05 samip5

> > Add OIDC as a third option to omni auth providers methods (currently only auth0 and saml).
>
> OIDC as in OpenID Connect?

Yes

Simon-Boyer avatar May 29 '24 12:05 Simon-Boyer

Is there any progress here? It looks like #126 addressed this problem but I cannot find any documentation on how to use it, yet.

Generic OIDC support would really be a huge benefit since it would allow us to use, e.g., Dex as an adapter to pretty much any corporate ID Provider (Dex might also serve as a good OIDC example in the docs with its "Mock" provider).

I tried to use Auth0/OIDC auth with Keycloak but Omni always appends /authorize to the auth endpoint which does not match the correct path in Keycloak. I assume it does not look up the .well-known/openid-configuration OIDC endpoint, where all endpoints are discoverable.

bauerjs1 avatar Aug 02 '24 15:08 bauerjs1
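
The discovery lookup mentioned in the comment above, as an added example (not code from this thread or from Omni): it reads the authorization endpoint from a provider's `.well-known/openid-configuration` document instead of appending `/authorize` to the issuer, and rejects a document whose issuer does not match the configured one. The host `idp.example.com`, the Keycloak-style sample document and all function names are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Metadata is the subset of the discovery document a login redirect needs.
type Metadata struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
}

// DiscoveryURL returns where an issuer publishes its metadata.
func DiscoveryURL(issuer string) string {
	return strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration"
}

// ParseMetadata rejects a document whose issuer differs or whose endpoints are not https.
func ParseMetadata(configuredIssuer string, doc []byte) (*Metadata, error) {
	var m Metadata
	if err := json.Unmarshal(doc, &m); err != nil {
		return nil, fmt.Errorf("decode discovery document: %w", err)
	}
	if m.Issuer != configuredIssuer {
		return nil, fmt.Errorf("issuer mismatch: got %q, want %q", m.Issuer, configuredIssuer)
	}
	for _, raw := range []string{m.AuthorizationEndpoint, m.TokenEndpoint} {
		if u, err := url.Parse(raw); err != nil || u.Scheme != "https" || u.Host == "" {
			return nil, fmt.Errorf("endpoint is not an https URL: %q", raw)
		}
	}
	return &m, nil
}

// Constructed sample: a Keycloak-style realm on a placeholder host.
const sampleIssuer = "https://idp.example.com/realms/demo"
const sampleDoc = `{"issuer": "https://idp.example.com/realms/demo",
 "authorization_endpoint": "https://idp.example.com/realms/demo/protocol/openid-connect/auth",
 "token_endpoint": "https://idp.example.com/realms/demo/protocol/openid-connect/token"}`

func main() {
	m, err := ParseMetadata(sampleIssuer, []byte(sampleDoc))
	fmt.Println("guessed:", sampleIssuer+"/authorize", "discovered:", m, err)
}
```
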

+1 for Dex support as that would enable some other identity providers and more complex setups via adapters.

stereobutter avatar Aug 13 '24 17:08 stereobutter

Any updates on this? Am I missing some configuration?

bauerjs1 avatar Nov 06 '24 10:11 bauerjs1

This would be an awesome improvement! Currently I had to sign up with Auth0 to be able to use GitHub as my auth provider. Which is no big deal, but cumbersome and now I get emails from Auth0 for their commercial plans, etc. It would be nice if we can directly create an OAuth2 app on GitHub and just use their OIDC flow directly.

I guess the same goes for Google, Microsoft, etc.

lion7 avatar Jan 15 '25 09:01 lion7

@rothgar from our convo on Discord, here's how OpenUnison does multi-cluster SSO: https://openunison.github.io/multi_cluster_sso/

mlbiam avatar Feb 13 '25 23:02 mlbiam