authn-server icon indicating copy to clipboard operation
authn-server copied to clipboard

Published 20 hours ago verified publisher icon keratin

Support Generic OAuth2 Providers

Open alee792 opened this issue 2 years ago • 4 comments

Keratin supports generic OAuth2 providers here: https://github.com/keratin/authn-server/blob/master/lib/oauth/provider.go

However, there is no means to read configurations from the environment, or otherwise inject them. The credentials, scopes and endpoints required for an *oauth2.Config could be represented by:

CUSTOM_OAUTH_NAME (Used for HTTP path.) CUSTOM_OAUTH_CREDENTIALS CUSTOM_OAUTH_AUTH_URL CUSTOM_OAUTH_TOKEN_URL CUSTOM_OAUTH_SCOPES

Or, the env vars could be written to be easily pattern matchable to allow for multiple custom providers.

I see there are outstanding requests for Twitter and other providers. A generic provider would sidestep the need to PR for every requested provider. I believe the oauth2 library took the same tack and basically stopped accepting changes for what amounted to config as code: https://github.com/golang/oauth2#policy-for-new-packages

alee792 avatar Aug 06 '21 16:08 alee792

Sounds nice! I would really appreciate not needing custom code for each provider.

My only question is how to handle the UserInfoFetcher. Any thoughts?

cainlevy avatar Aug 06 '21 18:08 cainlevy

That does appear to be the crux...

Both OAuth2 Introspection and OIDC UserInfo can return an email.

For Introspection, the email could show up as either sub, username or some custom claim. The ID could also be either of those two fields.

For UserInfo, the email will likely be email, but there are several fields for which an ID could be returned.

The custom provider could be constrained to the OAuth2 and OIDC spec, with the expectation that a GET with a bearer token to a specified endpoint returns a JSON response with status 200. Reading the JWT could be done, but then we would have to manage keys for signature verification.

Whether it's OAuth2 or OIDC may be immaterial. The config could also specify which fields to map to ID and email.

So we could add:

CUSTOM_OAUTH_INTROSPECTION_URL CUSTOM_OIDC_USERINFO_URL (Or just a single field like CUSTOM_USERINFO_URL, then document that both OAuth2 Introspection and OIDC UserInfo work.) CUSTOM_OAUTH_USER_ID_FIELD CUSTOM_OAUTH_EMAIL_FIELD

alee792 avatar Aug 08 '21 18:08 alee792

Was trying to investigate how to integrate with oidc and I see this ticket didn't really progress?

c-nv-s avatar Apr 14 '23 16:04 c-nv-s

@c-nv-s That's correct. I'd be happy to review a pull request however!

cainlevy avatar Apr 14 '23 17:04 cainlevy