
OpenID Connect based authentication (oauth)

Open vodorok opened this issue 1 year ago • 0 comments

Authentication with OpenID Connect (OIDC) would be a useful addition to CodeChecker authentication methods. https://openid.net/developers/how-connect-works/

Currently, only PAM and LDAP authentication methods are supported, but there are cases where these methods are not flexible enough. For example, on the demo server (https://codechecker-demo.eastus.cloudapp.azure.com) only a few predefined users exist, so viewing and administration must be done with those accounts instead of with the proper users and permissions.

Phase I.

Requirements:

  • The feature must be implemented with https://github.com/lepture/authlib, https://docs.authlib.org/en/latest/index.html.
  • It should be possible to authenticate the user using the GitHub/Google (user-selectable) accounts over the web login screen.
  • Two-factor authentication should be supported if required by GitHub, or Google.
  • After successful authentication the user should be let in based on server settings (see below).
  • If the user authenticates once with GitHub, and in another case with Google, the same (user entity) should be used based on the email address.
  • If the user is not allowed to log in yet, bring the user to a landing page where she/he is informed that she/he must ask for permission to access the CodeChecker server. The CodeChecker admin can add the user manually to the allowed_users list.
  • Extend the CodeChecker authentication configuration https://github.com/Ericsson/codechecker/blob/master/docs/web/authentication.md with a new authentication method method_oauth and define the configuration parameters needed for the github and google external authenticators.

The user entry should be restricted in two methods:

  • Let in everyone after successful authentication. (Phase I.)
  • Only let in those who are members of the predefined allowed_users group (Phase II.)
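A hypothetical sketch (added here, not CodeChecker's own code and not authlib's API) of the admission step that runs after the provider has authenticated the user: the userinfo claims from GitHub or Google are mapped onto one user entity keyed by email, then the "let in everyone" or "allowed_users" policy is applied. It assumes a provider adapter has already normalised the verified-email flag into an `email_verified` claim.

```python
"""Hypothetical post-login admission logic for the OAuth method described above."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

@dataclass
class User:
    email: str
    providers: Set[str] = field(default_factory=set)   # e.g. {"github", "google"}

@dataclass
class Decision:
    allowed: bool
    reason: str
    user: Optional[User] = None

class OAuthAdmission:
    """policy is 'allow_all' (Phase I) or 'allowed_users' (Phase II)."""

    def __init__(self, policy: str, allowed_users: Set[str] = frozenset()):
        if policy not in ("allow_all", "allowed_users"):
            raise ValueError(f"unknown policy {policy!r}")
        self.policy = policy
        self.allowed_users = {e.lower() for e in allowed_users}
        self.users: Dict[str, User] = {}   # stands in for the server's user store

    def admit(self, provider: str, userinfo: dict) -> Decision:
        email = (userinfo.get("email") or "").strip().lower()
        if not email:
            return Decision(False, "provider returned no email")
        # Merging GitHub and Google logins into one entity by email is only
        # safe when the provider has verified that address; an unverified
        # email claim must not be allowed to attach to an existing account.
        if userinfo.get("email_verified") is not True:
            return Decision(False, "email not verified by provider")
        user = self.users.setdefault(email, User(email))
        user.providers.add(provider)
        if self.policy == "allow_all" or email in self.allowed_users:
            return Decision(True, "ok", user)
        # Not permitted yet: the web UI would show the "ask an admin" landing page.
        return Decision(False, "not in allowed_users; ask an admin", user)

# Constructed sample claims, shaped like a normalised provider userinfo response.
SAMPLE_GOOGLE = {"sub": "1234", "email": "alice@example.com", "email_verified": True}

def demo() -> Decision:
    admission = OAuthAdmission("allowed_users", {"alice@example.com"})
    return admission.admit("google", SAMPLE_GOOGLE)
```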

Phase II.

Group membership assignment based on Microsoft Entra Authentication domain.

#4349

Phase III.

Group membership management using the internal db specified in ticket #4302

vodorok, Jan 26 '24 11:01