Merge pull request #1 from torbenraab/feat/oidc-auth-with-godmode

feat: OpenID Connect for Self Hosted Instance with God-Mode Implementation
torbenraab · Jan 12, 2024 · 7b2b385 · 7b2b385
2 parents ee2c7c5 + a481572
commit 7b2b385
Show file tree

Hide file tree

Showing 17 changed files with 1,063 additions and 11 deletions.
diff --git a/apiserver/.env.example b/apiserver/.env.example
@@ -58,6 +58,17 @@ ENABLE_EMAIL_PASSWORD="1"
 # Enable Magic link Login
 ENABLE_MAGIC_LINK_LOGIN="0"
 
+# Enable OpenID Connect Login - You can set the Issuer to get the Enpoints (URLs) automatically or set them manually
+# If you set the Endpoints manually the issuer should be empty to avoid overriding the endpoints
+OIDC_AUTO="0"
+OIDC_CLIENT_ID=""
+OIDC_CLIENT_SECRET=""
+OIDC_ISSUER=""
+OIDC_URL_AUTHORIZATION=""
+OIDC_URL_TOKEN=""
+OIDC_URL_USERINFO=""
+OIDC_URL_ENDSESSION=""
+
 # Email redirections and minio domain settings
 WEB_URL="http://localhost"
 

diff --git a/apiserver/plane/app/urls/authentication.py b/apiserver/plane/app/urls/authentication.py
@@ -10,6 +10,7 @@
     MagicGenerateEndpoint,
     MagicSignInEndpoint,
     OauthEndpoint,
+    OIDCEndpoint,
     EmailCheckEndpoint,
     ## End Authentication
     # Auth Extended
@@ -27,6 +28,7 @@
     #  Social Auth
     path("email-check/", EmailCheckEndpoint.as_view(), name="email"),
     path("social-auth/", OauthEndpoint.as_view(), name="oauth"),
+    path("oidc-auth/", OIDCEndpoint.as_view(), name="oidc"),
     # Auth
     path("sign-in/", SignInEndpoint.as_view(), name="sign-in"),
     path("sign-out/", SignOutEndpoint.as_view(), name="sign-out"),

diff --git a/apiserver/plane/app/views/__init__.py b/apiserver/plane/app/views/__init__.py
@@ -22,6 +22,8 @@
 
 from .oauth import OauthEndpoint
 
+from .oidc import OIDCEndpoint
+
 from .base import BaseAPIView, BaseViewSet, WebhookMixin
 
 from .workspace import (

diff --git a/apiserver/plane/app/views/config.py b/apiserver/plane/app/views/config.py
@@ -25,6 +25,13 @@ def get(self, request):
             GOOGLE_CLIENT_ID,
             GITHUB_CLIENT_ID,
             GITHUB_APP_NAME,
+            OIDC_AUTO,
+            OIDC_CLIENT_ID,
+            OIDC_CLIENT_SECRET,
+            OIDC_URL_AUTHORIZATION,
+            OIDC_URL_TOKEN,
+            OIDC_URL_USERINFO,
+            OIDC_URL_ENDSESSION,
             EMAIL_HOST_USER,
             EMAIL_HOST_PASSWORD,
             ENABLE_MAGIC_LINK_LOGIN,
@@ -48,6 +55,34 @@ def get(self, request):
                     "key": "GITHUB_APP_NAME",
                     "default": os.environ.get("GITHUB_APP_NAME", None),
                 },
+                {
+                    "key": "OIDC_AUTO",
+                    "default": os.environ.get("OIDC_AUTO", None),
+                },
+                {
+                    "key": "OIDC_CLIENT_ID",
+                    "default": os.environ.get("OIDC_CLIENT_ID", None),
+                },
+                {
+                    "key": "OIDC_CLIENT_SECRET",
+                    "default": os.environ.get("OIDC_CLIENT_SECRET", None),
+                },
+                {
+                    "key": "OIDC_URL_AUTHORIZATION",
+                    "default": os.environ.get("OIDC_URL_AUTHORIZATION", None),
+                },
+                {
+                    "key": "OIDC_URL_TOKEN",
+                    "default": os.environ.get("OIDC_URL_TOKEN", None),
+                },
+                {
+                    "key": "OIDC_URL_USERINFO",
+                    "default": os.environ.get("OIDC_URL_USERINFO", None),
+                },
+                {
+                    "key": "OIDC_URL_ENDSESSION",
+                    "default": os.environ.get("OIDC_URL_ENDSESSION", None),
+                },
                 {
                     "key": "EMAIL_HOST_USER",
                     "default": os.environ.get("EMAIL_HOST_USER", None),
@@ -96,6 +131,18 @@ def get(self, request):
             GITHUB_CLIENT_ID if GITHUB_CLIENT_ID and GITHUB_CLIENT_ID != '""' else None
         )
         data["github_app_name"] = GITHUB_APP_NAME
+        data["oidc_auto"] = (
+            bool(OIDC_CLIENT_ID) and 
+            bool(OIDC_CLIENT_SECRET) and 
+            bool(OIDC_URL_AUTHORIZATION) and 
+            bool(OIDC_URL_TOKEN) and 
+            bool(OIDC_URL_USERINFO)
+        ) and OIDC_AUTO == "1"
+        data["oidc_client_id"] = (
+            OIDC_CLIENT_ID if OIDC_CLIENT_ID and OIDC_CLIENT_ID != '""' else None
+        )
+        data["oidc_url_authorize"] = OIDC_URL_AUTHORIZATION
+        data["oidc_url_endsession"] = OIDC_URL_ENDSESSION
         data["magic_login"] = (
             bool(EMAIL_HOST_USER) and bool(EMAIL_HOST_PASSWORD)
         ) and ENABLE_MAGIC_LINK_LOGIN == "1"