
Implement generic OIDC-based authentication

Open lheckemann opened this issue 2 years ago • 4 comments

lheckemann avatar Aug 20 '23 17:08 lheckemann

I would like to host Hydra in an environment where not having custom SSO is a blocker, so I am quite keen on this change. What can we do to push it through? @lheckemann if you're not working on this anymore, can I take it over?

I've rebased against master here: https://github.com/ners/hydra/tree/oidc

ners avatar Aug 17 '25 13:08 ners

It's on my "one day" pile; if you have a bit more time pressure on it, you're very welcome to take over :)

lheckemann avatar Aug 18 '25 10:08 lheckemann

i tried using @ners's rebased patch but couldn't get role mapping to work (with kanidm)... not quite sure if it's my configuration issue or the support isn't there yet?

  • https://github.com/stepbrobd/dotfiles/blob/fe89a87fc3781f929639f0632969adde3e1d5063/hosts/server/odake/hydra.nix#L43
  • https://github.com/stepbrobd/dotfiles/blob/fe89a87fc3781f929639f0632969adde3e1d5063/modules/nixos/kanidm/default.nix#L118

also, kanidm is complaining about PKCE:

No PKCE code challenge was provided with client in enforced PKCE mode. | event_tag_id: 12 | o2rs.name: "hydra"

so i had to set allowInsecureClientDisablePkce = true in the oauth client configuration. since i really don't know much about the security side of oidc, i'm not sure if this is a big risk or not

stepbrobd avatar Sep 01 '25 09:09 stepbrobd

apparently i don't know how oidc role mapping works :-0 @ners resolved this for me at nixcon (nice)

example with kanidm:

services.hydra.extraConfig = ''
        enable_hydra_login = 0
        enable_oidc_login = 1
        oidc_client_id = "hydra"
        oidc_scope = "openid email profile groups"
        oidc_auth_uri = "https://kanidm.example.com/ui/oauth2"
        oidc_token_uri = "https://kanidm.example.com/oauth2/token"
        oidc_userinfo_uri = "https://kanidm.example.com/oauth2/openid/hydra/userinfo"
        include ${config.sops.secrets.hydra.path} # oidc_client_secret = ...

        <oidc_role_mapping>
          <my hydra admin role>@<kanidm tenant domain> = admin
          <my hydra admin role>@<kanidm tenant domain> = bump-to-front
          <my hydra user role>@<kanidm tenant domain> = cancel-build
          <my hydra user role>@<kanidm tenant domain> = eval-jobset
          <my hydra user role>@<kanidm tenant domain> = create-projects
          <my hydra user role>@<kanidm tenant domain> = restart-jobs
        </oidc_role_mapping>
'';

the only drawback of the current implementation is that we are missing PKCE support, otherwise patch lgtm (i can add docs if needed)

maybe this is the wrong place to approve the pr since i'm testing against https://github.com/ners/hydra/tree/oidc, but i'll do it anyway

stepbrobd avatar Sep 07 '25 15:09 stepbrobd