FEAT: Add Open ID Connect authentication method

* add `oidc-config` setting allowing an admin user to configure parameters * modify login page to show another button when oidc is configured * add dependency `openid-client` `v5.4.0` * add backend route to process "OAuth2 Authorization Code" flow initialisation * add backend route to process callback of above flow * sign in the authenticated user with internal jwt token if internal user with email matching the one retrieved from oauth claims exists Note: Only Open ID Connect Discovery is supported which most modern Identity Providers offer. Tested with Authentik 2023.2.2 and Keycloak 18.0.2
2025-06-18 18:16:26 +00:00 · 2023-02-24 08:39:21 +00:00
parent 5920b0cf5e
commit caeb2934f0
17 changed files with 441 additions and 7 deletions
--- a/frontend/js/login/ui/login.js
+++ b/frontend/js/login/ui/login.js
@ -3,17 +3,22 @@ const Mn       = require('backbone.marionette');
 const template = require('./login.ejs');
 const Api      = require('../../app/api');
 const i18n     = require('../../app/i18n');
+const Tokens   = require('../../app/tokens');

 module.exports = Mn.View.extend({
    template:  template,
    className: 'page-single',

    ui: {
-        form:     'form',
-        identity: 'input[name="identity"]',
-        secret:   'input[name="secret"]',
-        error:    '.secret-error',
-        button:   'button'
+        form:         'form',
+        identity:     'input[name="identity"]',
+        secret:       'input[name="secret"]',
+        error:        '.secret-error',
+        button:       'button[type=submit]',
+        oidcLogin:    'div.login-oidc',
+        oidcButton:   'button#login-oidc',
+        oidcError:    '.oidc-error',
+        oidcProvider: 'span.oidc-provider'
    },

    events: {
@ -30,6 +35,56 @@ module.exports = Mn.View.extend({
                    this.ui.error.text(err.message).show();
                    this.ui.button.removeClass('btn-loading').prop('disabled', false);
                });
+        },
+        'click @ui.oidcButton': function(e) {
+            this.ui.identity.prop('disabled', true);
+            this.ui.secret.prop('disabled', true);
+            this.ui.button.prop('disabled', true);
+            this.ui.oidcButton.addClass('btn-loading').prop('disabled', true);
+            // redirect to initiate oauth flow
+            document.location.replace('/api/oidc/');
+        },
+    },
+
+    async onRender() {
+        // read oauth callback state cookies
+        let cookies = document.cookie.split(';'),
+            token, expiry, error;
+        for (cookie of cookies) {
+            let raw  = cookie.split('='),
+                name = raw[0].trim(),
+                value = raw[1];
+            if (name === 'npm_oidc') {
+                let v = value.split('---');
+                token = v[0];
+                expiry = v[1];
+            }
+            if (name === 'npm_oidc_error') {
+                console.log(' ERROR 000 > ', value);
+                error = decodeURIComponent(value);
+            }
+        }
+
+        console.log('login.js event > render', expiry, token);
+        // register a newly acquired jwt token following successful oidc authentication
+        if (token && expiry && (new Date(Date.parse(decodeURIComponent(expiry)))) > new Date() ) {
+            console.log('login.js event > render >>>');
+            Tokens.addToken(token);
+            document.location.replace('/');
+        }
+
+        // show error message following a failed oidc authentication
+        if (error) {
+            console.log(' ERROR > ', error);
+            this.ui.oidcError.html(error);
+        }
+
+        // fetch oidc configuration and show alternative action button if enabled
+        let response = await Api.Settings.getById("oidc-config");
+        if (response && response.meta && response.meta.enabled === true) {
+            this.ui.oidcProvider.html(response.meta.name);
+            this.ui.oidcLogin.show();
+            this.ui.oidcError.show();
        }
    },