yuanbiao
/
emqx
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat(oidc): be more compatible with okta

This commit is contained in:
firest 2024-06-21 22:38:20 +08:00
parent ddb197951e
commit 892420e2c6
4 changed files with 58 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
apps/emqx_dashboard_sso/rebar.config
View File

@ -5,5 +5,5 @@
{emqx_ldap, {path, "../../apps/emqx_ldap"}}, {emqx_ldap, {path, "../../apps/emqx_ldap"}},
{emqx_dashboard, {path, "../../apps/emqx_dashboard"}}, {emqx_dashboard, {path, "../../apps/emqx_dashboard"}},
{esaml, {git, "https://github.com/emqx/esaml", {tag, "v1.1.3"}}}, {esaml, {git, "https://github.com/emqx/esaml", {tag, "v1.1.3"}}},
{oidcc, {git, "https://github.com/erlef/oidcc.git", {tag, "v3.2.0"}}} {oidcc, {git, "https://github.com/emqx/oidcc.git", {branch, "ev3.2.0"}}}
]}. ]}.

42
apps/emqx_dashboard_sso/src/emqx_dashboard_sso_oidc.erl
View File

@ -91,6 +91,38 @@ fields(oidc) ->
desc => ?DESC(require_pkce), desc => ?DESC(require_pkce),
default => false default => false
})}, })},
{preferred_auth_methods,
?HOCON(
?ARRAY(
?ENUM([
private_key_jwt,
client_secret_jwt,
client_secret_post,
client_secret_basic,
none
])
),
#{
desc => ?DESC(preferred_auth_methods),
default => [
client_secret_post,
client_secret_basic,
none
]
}
)},
{provider,
?HOCON(?ENUM([okta, generic]), #{
mapping => "oidcc.provider",
desc => ?DESC(provider),
default => generic
})},
{fallback_methods,
?HOCON(?ARRAY(binary()), #{
mapping => "oidcc.fallback_methods",
desc => ?DESC(fallback_methods),
default => [<<"RS256">>]
})},
{client_jwks, {client_jwks,
%% TODO: add url JWKS %% TODO: add url JWKS
?HOCON(?UNION([none, ?R_REF(client_file_jwks)]), #{ ?HOCON(?UNION([none, ?R_REF(client_file_jwks)]), #{
@ -155,6 +187,7 @@ destroy(State) ->
emqx_dashboard_sso_oidc_session:stop(), emqx_dashboard_sso_oidc_session:stop(),
try_delete_jwks_file(State). try_delete_jwks_file(State).
-dialyzer({nowarn_function, login/2}).
login( login(
_Req, _Req,
#{ #{
@ -163,7 +196,8 @@ login(
clientid := ClientId, clientid := ClientId,
secret := Secret, secret := Secret,
scopes := Scopes, scopes := Scopes,
require_pkce := RequirePKCE require_pkce := RequirePKCE,
preferred_auth_methods := AuthMethods
} }
} = Cfg } = Cfg
) -> ) ->
@ -182,7 +216,11 @@ login(
?PROVIDER_SVR_NAME, ?PROVIDER_SVR_NAME,
ClientId, ClientId,
Secret, Secret,
Opts#{state => State, client_jwks => ClientJwks} Opts#{
state => State,
client_jwks => ClientJwks,
preferred_auth_methods => AuthMethods
}
) )
of of
{ok, [Base, Delimiter, Params]} -> {ok, [Base, Delimiter, Params]} ->

10
apps/emqx_dashboard_sso/src/emqx_dashboard_sso_oidc_api.erl
View File

@ -117,7 +117,11 @@ retrieve_token(
#{ #{
name := Name, name := Name,
client_jwks := ClientJwks, client_jwks := ClientJwks,
config := #{clientid := ClientId, secret := Secret} config := #{
clientid := ClientId,
secret := Secret,
preferred_auth_methods := AuthMethods
}
} = Cfg, } = Cfg,
Data Data
) -> ) ->
@ -129,7 +133,8 @@ retrieve_token(
Secret, Secret,
Data#{ Data#{
redirect_uri => make_callback_url(Cfg), redirect_uri => make_callback_url(Cfg),
client_jwks => ClientJwks client_jwks => ClientJwks,
preferred_auth_methods => AuthMethods
} }
) )
of of
@ -165,6 +170,7 @@ retrieve_userinfo(Token, #{
Error Error
end. end.
-dialyzer({nowarn_function, ensure_user_exists/1}).
ensure_user_exists(<<>>) -> ensure_user_exists(<<>>) ->
{error, <<"Username can not be empty">>}; {error, <<"Username can not be empty">>};
ensure_user_exists(<<"undefined">>) -> ensure_user_exists(<<"undefined">>) ->

9
rel/i18n/emqx_dashboard_sso_oidc.hocon
View File

@ -33,4 +33,13 @@ client_file_jwks_type.desc:
client_file_jwks_file.desc: client_file_jwks_file.desc:
"""The content of the JWKS.""" """The content of the JWKS."""
preferred_auth_methods.desc:
"""Set the valid authentication methods and their priority."""
provider.desc:
"""The OIDC provider."""
fallback_methods.desc:
"""Some providers do not provide all the method items in the provider configuration, set this value as a fallback for those items."""
} }