
Add SSO variables to configuration file, so they can be added to the environment files

Open SaschaSchwarzK opened this issue 1 year ago • 2 comments

Desired Behavior

We are using the docker version of netbox and SSO with an Okta backend.

We have to change configuration.py to get the authentication settings from the environment variables.

I think it would be much more convenient for all users if they can simply add the settings for SSO (at least for the integrations outlined in the netbox documentation) in the environment variables, instead of editing the configuration.py. Just like this is done for most other settings as well.

Contrast to Current Behavior

Currently only the basic REMOTE_AUTH settings can be set in the environment variables.

Required Changes

I suggest changing the file configuration.py and adding the lines below to support at least the SSO integrations outlined in the documentation.

SOCIAL_AUTH_OKTA_OPENIDCONNECT_KEY = environ.get('SOCIAL_AUTH_OKTA_OPENIDCONNECT_KEY')
SOCIAL_AUTH_OKTA_OPENIDCONNECT_SECRET = environ.get('SOCIAL_AUTH_OKTA_OPENIDCONNECT_SECRET')
SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL = environ.get('SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL')
SOCIAL_AUTH_AZUREAD_OAUTH2_KEY = environ.get('SOCIAL_AUTH_AZUREAD_OAUTH2_KEY')
SOCIAL_AUTH_AZUREAD_OAUTH2_SECRET = environ.get('SOCIAL_AUTH_AZUREAD_OAUTH2_SECRET')

Discussion: Benefits and Drawbacks

No response

SaschaSchwarzK, Jan 20 '24 14:01

In case someone would like to pass the Python dict SOCIAL_AUTH_BACKEND_ATTRS as an environment variable to customize the SSO display name and icon, here is the solution by adding to extra.py. I'm using Keycloak.

from os import environ
import base64
import pickle

# Use ENV
REMOTE_AUTH_BACKEND=environ.get('REMOTE_AUTH_BACKEND')
#SOCIAL_AUTH_BACKEND_ATTRS=environ.get('SOCIAL_AUTH_BACKEND_ATTRS')
if environ.get('SOCIAL_AUTH_BACKEND_ATTRS_BASE64') is not None:
    SOCIAL_AUTH_BACKEND_ATTRS=pickle.loads(base64.b64decode(environ.get('SOCIAL_AUTH_BACKEND_ATTRS_BASE64')))
    #print("Debug SOCIAL_AUTH_BACKEND_ATTRS")
    #print(SOCIAL_AUTH_BACKEND_ATTRS)

#import base64
#import pickle
#To pass below python dict
#SOCIAL_AUTH_BACKEND_ATTRS={
#    'keycloak': ("Login with Keycloak", "https://www.svgrepo.com/show/331455/keycloak.svg"),
#}
#print(base64.b64encode(pickle.dumps(SOCIAL_AUTH_BACKEND_ATTRS)))
# Pass the result of base64.b64encode(pickle.dumps(SOCIAL_AUTH_BACKEND_ATTRS)) as AWS ECS Environment Variable(ENV).
# ENV name SOCIAL_AUTH_BACKEND_ATTRS_BASE64
# ENV value gASVWgAAAAAAAAB9lIwIa2V5Y2xvYWuUjBNMb2dpbiB3aXRoIEtleWNsb2FrlIwwaHR0cHM6Ly93d3cuc3ZncmVwby5jb20vc2hvdy8zMzE0NTUva2V5Y2xvYWsuc3ZnlIaUcy4=
# https://stackoverflow.com/questions/76248652/how-to-add-in-aws-env-variable-which-is-not-a-simple-string-contains-nested-br
# https://stackoverflow.com/questions/24508726/how-to-encode-python-dictionary

SOCIAL_AUTH_KEYCLOAK_KEY=environ.get('SOCIAL_AUTH_KEYCLOAK_KEY')
SOCIAL_AUTH_KEYCLOAK_SECRET=environ.get('SOCIAL_AUTH_KEYCLOAK_SECRET')
SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL=environ.get('SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL')
SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL=environ.get('SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL')
SOCIAL_AUTH_KEYCLOAK_ID_KEY=environ.get('SOCIAL_AUTH_KEYCLOAK_ID_KEY')
SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY=environ.get('SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY')

More https://stackoverflow.com/questions/76248652/how-to-add-in-aws-env-variable-which-is-not-a-simple-string-contains-nested-br https://stackoverflow.com/questions/24508726/how-to-encode-python-dictionary

marsteel, Oct 08 '24 07:10
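
Added example, not part of the comment above or of netbox-docker: `pickle.loads` runs whatever code the pickle stream encodes, so anyone able to set that environment variable (task definition, compose file, CI) gains code execution inside the NetBox process. The sketch below carries the same dict as base64-encoded JSON, which can only yield data, and validates its shape; the variable name `SOCIAL_AUTH_BACKEND_ATTRS_JSON_BASE64` and both function names are assumptions made for this example.

```python
import base64
import json
from os import environ

# Hypothetical variable name, chosen for this example only.
ENV_NAME = "SOCIAL_AUTH_BACKEND_ATTRS_JSON_BASE64"


def encode_backend_attrs(attrs):
    """Produce the string to store in the environment variable."""
    payload = {name: list(pair) for name, pair in attrs.items()}
    return base64.b64encode(json.dumps(payload).encode("utf-8")).decode("ascii")


def load_backend_attrs(raw):
    """Decode and validate; fall back to {} on anything unexpected."""
    if not raw:
        return {}
    try:
        # binascii.Error, UnicodeDecodeError and JSONDecodeError are all
        # subclasses of ValueError, so one except clause covers them.
        data = json.loads(base64.b64decode(raw, validate=True).decode("utf-8"))
    except ValueError:
        return {}
    if not isinstance(data, dict):
        return {}
    attrs = {}
    for backend, pair in data.items():
        # Each entry must be exactly [display name, icon], both strings.
        if (not isinstance(pair, list) or len(pair) != 2
                or not all(isinstance(item, str) for item in pair)):
            return {}
        attrs[backend] = (pair[0], pair[1])
    return attrs


# Constructed sample matching the dict shown in the comment above.
SAMPLE = {
    "keycloak": ("Login with Keycloak",
                 "https://www.svgrepo.com/show/331455/keycloak.svg"),
}

# In extra.py, this assignment replaces the pickle-based one.
SOCIAL_AUTH_BACKEND_ATTRS = load_backend_attrs(environ.get(ENV_NAME))
```

Run `encode_backend_attrs(SAMPLE)` once locally to obtain the value to store; a pickle blob such as the one in the comment above is rejected by the loader rather than executed.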

Can you please add GOOGLE SSO variables as well:

SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = _read_secret('SOCIAL_AUTH_GOOGLE_OAUTH2_KEY', environ.get('SOCIAL_AUTH_GOOGLE_OAUTH2_KEY', ''))
SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET = _read_secret('SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET', environ.get('SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET', ''))

Thank you 🙏

Jurka007, Dec 06 '24 07:12

This feature has been submitted in PR #1475 which adds support for configuring SSO providers through environment variables and Docker secrets.

What's Added

OKTA OpenID Connect: (thanks @SaschaSchwarzK)

  • SOCIAL_AUTH_OKTA_OPENIDCONNECT_KEY (environment variable)
  • SOCIAL_AUTH_OKTA_OPENIDCONNECT_SECRET (environment variable + Docker secret: okta_openidconnect_secret)
  • SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL (environment variable)

Google OAuth2: (thanks @Jurka007)

  • SOCIAL_AUTH_GOOGLE_OAUTH2_KEY (environment variable)
  • SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET (environment variable + Docker secret: google_oauth2_secret)

Usage Examples

The PR includes updated documentation in:

  • env/netbox.env - commented configuration examples
  • docker-compose.override.yml.example - environment variables and Docker secrets usage

Implementation Details

  • Secrets can be provided via Docker secrets or environment variables
  • No more need to modify configuration.py or extra.py for these common SSO providers

This addresses the original request and can be extended for additional SSO providers using the same pattern.

skyefugate, Jul 03 '25 18:07