
Implement OIDC

Open pizkaz opened this issue 1 year ago • 10 comments

Fixes #300

Type (Highlight the corresponding type)

  • Bugfix
  • Feature
  • Documentation
  • Refactoring (e.g. Style updates, Test implementation, etc.)
  • Other (please describe):

Checklist

  • [x] Code updated to current develop branch head
  • [ ] Passes CI checks
  • [x] Is a part of an issue
  • [ ] Tests added for the bugfix or newly implemented feature, describe below why if not
  • [ ] Changelog is updated
  • [x] Documentation of code and features exists

Changes

  • Implements OIDC authentication via OpenID-Connect-PHP

Other information

Summary by CodeRabbit

  • New Features

    • Added support for OpenID Connect (OIDC) as an external authentication provider, including login, logout, and session management.
    • Introduced a new OIDC authentication tab and localized UI elements in the login view.
    • Configuration options and documentation for OIDC integration are now available.
    • OIDC authentication method is selectable in user management and authentication workflows.
    • Added routes and session handling tailored for OIDC.
  • Bug Fixes

    • Logout flow enhanced to display a warning if OIDC logout is incomplete.
  • Documentation

    • Expanded documentation with setup and configuration instructions for OIDC authentication.
  • Chores

    • Added new dependency for OIDC support.
    • Updated language files to include OIDC translations in English, German, and French.

pizkaz avatar Jul 15 '24 13:07 pizkaz

Codecov Report

Attention: Patch coverage is 44.44444% with 5 lines in your changes missing coverage. Please review.

Project coverage is 97.34%. Comparing base (de89cca) to head (46911b5). Report is 27 commits behind head on develop.

Files with missing lines          Patch %   Lines
resources/js/views/Login.vue      28.57%    5 Missing :warning:
Additional details and impacted files
@@              Coverage Diff              @@
##             develop    #1205      +/-   ##
=============================================
+ Coverage      96.73%   97.34%   +0.60%     
=============================================
  Files            405      177     -228     
  Lines          11642     6216    -5426     
  Branches        2062     2066       +4     
=============================================
- Hits           11262     6051    -5211     
+ Misses           380      165     -215     


codecov[bot] avatar Jul 18 '24 14:07 codecov[bot]

Should be built from scratch using https://github.com/jumbojett/OpenID-Connect-PHP, as this implementation is missing most security checks.

samuelwei avatar Jul 19 '24 14:07 samuelwei

Hmm, how can I convince GitHub that the requested changes were indeed addressed? :monocle_face:

pizkaz avatar Aug 16 '24 12:08 pizkaz

PILOS    Run #2411

Run Properties:  status check passed Passed #2411  •  git commit a45db280db: 4.4.0 Release
Project PILOS
Branch Review 4.x
Run status status check passed Passed #2411
Run duration 05m 05s
Commit git commit a45db280db: 4.4.0 Release
Committer Samuel Weirich

Test results
Failures  0
Flaky     0
Pending   0 (tests annotated with .skip)
Skipped   0 (tests not run because a mocha hook failed)
Passing   555

cypress[bot] avatar Nov 18 '24 11:11 cypress[bot]

OIDC conformance testing:

  • https://openid.net/how-to-certify-your-implementation/
  • https://openid.net/certification/connect_rp_testing/
  • https://www.certification.openid.net/
  • Test plans (probably):
    • OIDC Core: Basic Certification Profile RP Tests
    • OIDC Core: Back Channel Logout RP Certification Profile RP Tests
    • OIDC Core: Front Channel Logout RP Certification Profile RP Tests
    • OIDC Core: RP Initiated Logout RP Certification Profile RP Tests

pizkaz avatar Dec 13 '24 15:12 pizkaz

Hello! Do you know how I can help on this?

Pierre-Lannoy avatar Apr 11 '25 13:04 Pierre-Lannoy

Hello! Do you know how I can help on this?

Absolutely, we wanted to write this based on the popular https://github.com/jumbojett/OpenID-Connect-PHP PHP library. However, when testing it using the official OpenID Connect certification tests, we noticed many missing security checks that should prevent malicious requests. This has to be fixed in the library itself; you're more than welcome to contribute to the OpenID-Connect-PHP project. @pizkaz wanted to work on it, but priorities have shifted. I'm not sure if he worked on resolving the open issues.

samuelwei avatar Apr 11 '25 15:04 samuelwei

OK, thanks for this explanation. I will see if I can find time (and knowledge, haha) to contribute to OpenID-Connect-PHP project…

Pierre-Lannoy avatar Apr 11 '25 15:04 Pierre-Lannoy

I did not do anything yet. Just as I had everything set up to get started, things started to catch fire elsewhere.

pizkaz avatar Apr 11 '25 16:04 pizkaz

Walkthrough

This change introduces OpenID Connect (OIDC) as a new external authentication provider for the application. It adds the necessary backend controller, user model, and OpenID Connect client integration, as well as updates to configuration, environment variable templates, and language files. New routes are conditionally registered for OIDC authentication and logout flows, and the frontend is updated to support OIDC login and logout feedback. Documentation is expanded to guide administrators on configuring and mapping OIDC attributes. The logout logic is enhanced to handle OIDC-specific flows, and the CSRF middleware is updated to exclude OIDC logout routes.

Changes

File(s) / Change Summary

app/Auth/OIDC/OIDCController.php
app/Auth/OIDC/OIDCUser.php
app/Auth/OIDC/OpenIDConnectClient.php
app/Auth/OIDC/AccessTokenHashChecker.php
app/Auth/OIDC/EventsChecker.php
app/Auth/OIDC/IssuerChecker.php
app/Auth/OIDC/OIDCProvider.php
app/Auth/OIDC/OIDCServiceProvider.php
app/Auth/OIDC/OpenIDConnectClientException.php
app/Auth/OIDC/OpenIDConnectCodeMissingException.php
app/Auth/OIDC/OpenIDConnectNetworkException.php
app/Auth/OIDC/OpenIDConnectProviderException.php
app/Auth/OIDC/OpenIDConnectValidationException.php
    Added OIDC controller, user, client, claim checkers, provider, service provider, and exception classes to handle OIDC authentication, user mapping, session management, and token validation.

app/Http/Controllers/api/v1/auth/LoginController.php
    Enhanced logout method to support OIDC, including redirect logic and messaging.

app/Http/Middleware/VerifyCsrfToken.php
    Excluded 'auth/oidc/logout' from CSRF verification.

app/Http/Resources/Config.php
    Added OIDC enabled flag to API config resource.

composer.json
    Added dependency on "web-token/jwt-framework" and a path repository; changed minimum stability to "dev".

config/services.php
    Added OIDC service configuration, including mapping and environment variables.

routes/web.php
    Registered new OIDC authentication and logout routes, guarded by OIDC enabled config.

.env.example
    Added OIDC-related environment variable placeholders.

docs/docs/administration/08-advanced/01-external-authentication.md
    Documented OIDC setup, configuration, and mapping.

lang/en/admin.php
lang/de/admin.php
lang/fr/admin.php
    Added OIDC to user authenticator translation lists.

lang/en/auth.php
lang/de/auth.php
lang/fr/auth.php
    Added OIDC authentication UI translation strings.

resources/js/views/Login.vue
    Added OIDC login tab and redirect logic in the frontend login view.

resources/js/views/Logout.vue
    Added OIDC-specific logout warning message.

resources/js/components/MainNav.vue
    Modified logout to support passing logout messages via query parameters.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Frontend
    participant OIDCController
    participant OIDCProvider
    participant AppAuth

    User->>Frontend: Clicks "Log in with OIDC"
    Frontend->>OIDCController: GET /auth/oidc/redirect
    OIDCController->>OIDCProvider: Redirect to OIDC authorization endpoint
    OIDCProvider->>User: User authenticates and consents
    OIDCProvider->>OIDCController: Redirect back with code to /auth/oidc/callback
    OIDCController->>OIDCProvider: Exchange code for tokens, fetch user info
    OIDCController->>AppAuth: Find or create user, log in
    OIDCController->>Frontend: Redirect to application or error page

sequenceDiagram
    participant User
    participant Frontend
    participant OIDCController
    participant OIDCProvider

    User->>Frontend: Clicks "Logout"
    Frontend->>OIDCController: GET/POST /auth/oidc/logout
    OIDCController->>OIDCProvider: Initiate logout at OIDC provider (frontchannel/backchannel)
    OIDCProvider->>OIDCController: Confirm logout (backchannel)
    OIDCController->>Frontend: Redirect to logout confirmation or show warning if incomplete

Assessment against linked issues

Objective Addressed Explanation
Implement OIDC as an alternative to LDAP, including SSO/SLO flows (#300)

Suggested labels

enhancement

coderabbitai[bot] avatar Apr 16 '25 10:04 coderabbitai[bot]
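The two points the thread turns on are the "missing security checks" samuelwei found when running the library against the conformance suite, and the claim checker classes the walkthrough lists (IssuerChecker, AccessTokenHashChecker, EventsChecker) together with the CSRF exemption for the back-channel logout route. The following is an added example written for this discussion; it is not PILOS code, not OpenID-Connect-PHP code and not the web-token/jwt-framework API. It is in Python rather than PHP because the checks are protocol-level and this keeps the block self-contained. It shows the relying-party claim checks of OIDC Core 3.1.3.7 on an ID token (issuer, audience/azp, iat/exp, nonce, at_hash) and the Back-Channel Logout 1.0 section 2.6 checks on a logout token, sharing one decoder. The issuer, client_id and token contents are constructed values, and the signature verification against the provider's JWKS is assumed to have already happened in a JOSE library before any of these functions run.

```python
"""RP-side claim checks for an OIDC ID token and a back-channel logout token.
Added example for this discussion, not PILOS or OpenID-Connect-PHP code."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.example.test"  # constructed values, not a real provider
CLIENT_ID = "pilos-rp"
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jws(token: str):
    """Split a compact JWS into (header, claims). The signature is assumed to have
    been verified against the provider's JWKS by the JOSE layer before this point."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    if not header.get("alg") or header["alg"] == "none":
        raise ValueError("unsigned token rejected")
    return header, json.loads(b64url_decode(parts[1]))


def expected_at_hash(access_token: str, alg: str) -> str:
    """OIDC Core 3.3.2.11: base64url of the left half of the hash named by the
    ID token's alg (xS256 -> SHA-256, xS384 -> SHA-384, xS512 -> SHA-512)."""
    hash_fn = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}[alg[-3:]]
    digest = hash_fn(access_token.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])


def check_iss_aud_time(claims, issuer, client_id, now, leeway):
    """Checks shared by ID and logout tokens: issuer, audience/azp, iat, exp."""
    if claims.get("iss") != issuer:
        raise ValueError("iss does not match the discovered issuer")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        raise ValueError("client_id is not in aud")
    if len(audiences) > 1 and "azp" not in claims:
        raise ValueError("multiple audiences require azp")
    if "azp" in claims and claims["azp"] != client_id:
        raise ValueError("azp is not our client_id")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + leeway:
        raise ValueError("iat missing or in the future")
    if "exp" in claims and now > claims["exp"] + leeway:
        raise ValueError("token expired")


def validate_id_token(id_token, *, issuer, client_id, nonce, access_token=None, now=None, leeway=60):
    """OIDC Core 3.1.3.7 checks after the code exchange; returns claims or raises."""
    now = time.time() if now is None else now
    header, claims = decode_jws(id_token)
    if "exp" not in claims:
        raise ValueError("ID token must carry exp")
    check_iss_aud_time(claims, issuer, client_id, now, leeway)
    # nonce binds the token to the authorization request this browser session started
    if not hmac.compare_digest(str(claims.get("nonce", "")), nonce):
        raise ValueError("nonce mismatch: replayed or injected ID token")
    # at_hash binds the access token returned alongside to this ID token
    if access_token is not None and "at_hash" in claims:
        want = expected_at_hash(access_token, header["alg"])
        if not isinstance(claims["at_hash"], str) or not hmac.compare_digest(claims["at_hash"], want):
            raise ValueError("at_hash does not match the access token")
    return claims


def validate_logout_token(logout_token, *, issuer, client_id, now=None, leeway=60):
    """Back-Channel Logout 1.0 section 2.6 checks for the token the OP POSTs to the
    RP's logout route. That request carries neither session cookie nor CSRF token,
    so this token is the only thing authenticating it."""
    now = time.time() if now is None else now
    _, claims = decode_jws(logout_token)
    check_iss_aud_time(claims, issuer, client_id, now, leeway)
    if "nonce" in claims:
        raise ValueError("logout token must not contain nonce")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_EVENT), dict):
        raise ValueError("events claim lacks the backchannel-logout member")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("logout token needs sub or sid")
    if not isinstance(claims.get("jti"), str):
        raise ValueError("jti missing; needed to reject replays")
    return claims


def make_test_token(claims, alg="RS256"):
    """Constructed fixture: compact JWS with a placeholder signature, only to
    exercise the claim checks above in isolation."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url_encode(b'placeholder-signature')}"
```

Two design notes. The nonce and at_hash comparisons use hmac.compare_digest so a forged token cannot be tuned byte by byte against timing differences, and the logout-token checker refuses any token that carries a nonce so that an ID token captured from a login cannot be replayed into the CSRF-exempt logout route to terminate someone else's session. A real deployment still needs a jti store for replay rejection and a session lookup keyed by sid or sub; both are outside this block.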

Superseded by #2281, to make PR more readable

samuelwei avatar Jul 09 '25 16:07 samuelwei