feat(oidc): be more compatible with okta
This commit is contained in:
parent
ddb197951e
commit
892420e2c6
@ -5,5 +5,5 @@
|
|||
{emqx_ldap, {path, "../../apps/emqx_ldap"}},
|
||||
{emqx_dashboard, {path, "../../apps/emqx_dashboard"}},
|
||||
{esaml, {git, "https://github.com/emqx/esaml", {tag, "v1.1.3"}}},
|
||||
{oidcc, {git, "https://github.com/erlef/oidcc.git", {tag, "v3.2.0"}}}
|
||||
{oidcc, {git, "https://github.com/emqx/oidcc.git", {branch, "ev3.2.0"}}}
|
||||
]}.
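Review bot: The oidcc dependency now tracks `{branch, "ev3.2.0"}` on the emqx fork, which is a mutable ref: the build picks up whatever that branch points to at fetch time, so the same rebar.config can resolve to different code over time and only the lock file pins it. The erlef line it replaces was pinned with `{tag, "v3.2.0"}`; pinning the fork the same way, or to an explicit commit such as `{oidcc, {git, "https://github.com/emqx/oidcc.git", {ref, "<fork-commit-sha — placeholder>"}}}`, keeps the dependency reproducible and auditable. If the branch is meant to be temporary until the fork's change lands upstream, a comment on the line saying so would make that intent visible.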
@ -91,6 +91,38 @@ fields(oidc) ->
|
|||
desc => ?DESC(require_pkce),
|
||||
default => false
|
||||
})},
|
||||
{preferred_auth_methods,
|
||||
?HOCON(
|
||||
?ARRAY(
|
||||
?ENUM([
|
||||
private_key_jwt,
|
||||
client_secret_jwt,
|
||||
client_secret_post,
|
||||
client_secret_basic,
|
||||
none
|
||||
])
|
||||
),
|
||||
#{
|
||||
desc => ?DESC(preferred_auth_methods),
|
||||
default => [
|
||||
client_secret_post,
|
||||
client_secret_basic,
|
||||
none
|
||||
]
|
||||
}
|
||||
)},
|
||||
{provider,
|
||||
?HOCON(?ENUM([okta, generic]), #{
|
||||
mapping => "oidcc.provider",
|
||||
desc => ?DESC(provider),
|
||||
default => generic
|
||||
})},
|
||||
{fallback_methods,
|
||||
?HOCON(?ARRAY(binary()), #{
|
||||
mapping => "oidcc.fallback_methods",
|
||||
desc => ?DESC(fallback_methods),
|
||||
default => [<<"RS256">>]
|
||||
})},
|
||||
{client_jwks,
|
||||
%% TODO: add url JWKS
|
||||
?HOCON(?UNION([none, ?R_REF(client_file_jwks)]), #{
@ -155,6 +187,7 @@ destroy(State) ->
|
|||
emqx_dashboard_sso_oidc_session:stop(),
|
||||
try_delete_jwks_file(State).
|
||||
|
||||
-dialyzer({nowarn_function, login/2}).
|
||||
login(
|
||||
_Req,
|
||||
#{
@ -163,7 +196,8 @@ login(
|
|||
clientid := ClientId,
|
||||
secret := Secret,
|
||||
scopes := Scopes,
|
||||
require_pkce := RequirePKCE
|
||||
require_pkce := RequirePKCE,
|
||||
preferred_auth_methods := AuthMethods
|
||||
}
|
||||
} = Cfg
|
||||
) ->
@ -182,7 +216,11 @@ login(
|
|||
?PROVIDER_SVR_NAME,
|
||||
ClientId,
|
||||
Secret,
|
||||
Opts#{state => State, client_jwks => ClientJwks}
|
||||
Opts#{
|
||||
state => State,
|
||||
client_jwks => ClientJwks,
|
||||
preferred_auth_methods => AuthMethods
|
||||
}
|
||||
)
|
||||
of
|
||||
{ok, [Base, Delimiter, Params]} ->
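Review bot: The default for `preferred_auth_methods` in the fields(oidc) hunk ends with `none`, so a deployment that configures a client secret can still end up sending an unauthenticated token request if the provider metadata does not advertise `client_secret_post` or `client_secret_basic` (presumably oidcc takes the first listed method the provider supports; the hunk does not show that selection). From the operator's side that downgrade is silent, since the configured secret is simply not used. Consider leaving `none` out of the default, `default => [client_secret_post, client_secret_basic]`, so public clients opt in explicitly, or at least state in the `?DESC(preferred_auth_methods)` text that `none` means the client sends no credentials at the token endpoint. fields(oidc) continues outside the hunk.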
@ -117,7 +117,11 @@ retrieve_token(
|
|||
#{
|
||||
name := Name,
|
||||
client_jwks := ClientJwks,
|
||||
config := #{clientid := ClientId, secret := Secret}
|
||||
config := #{
|
||||
clientid := ClientId,
|
||||
secret := Secret,
|
||||
preferred_auth_methods := AuthMethods
|
||||
}
|
||||
} = Cfg,
|
||||
Data
|
||||
) ->
@ -129,7 +133,8 @@ retrieve_token(
|
|||
Secret,
|
||||
Data#{
|
||||
redirect_uri => make_callback_url(Cfg),
|
||||
client_jwks => ClientJwks
|
||||
client_jwks => ClientJwks,
|
||||
preferred_auth_methods => AuthMethods
|
||||
}
|
||||
)
|
||||
of
@ -165,6 +170,7 @@ retrieve_userinfo(Token, #{
|
|||
Error
|
||||
end.
|
||||
|
||||
-dialyzer({nowarn_function, ensure_user_exists/1}).
|
||||
ensure_user_exists(<<>>) ->
|
||||
{error, <<"Username can not be empty">>};
|
||||
ensure_user_exists(<<"undefined">>) ->
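Review bot: The new `-dialyzer({nowarn_function, ensure_user_exists/1})` attribute suppresses a Dialyzer warning without recording why, so a later reader cannot tell whether it covers a spec mismatch in this module or a contract problem in a dependency, and the suppression is likely to outlive its cause. A one-line comment above it, `%% Dialyzer: nowarn because <reason — placeholder>`, or better a corrected spec, would keep that visible. The same applies to the `-dialyzer({nowarn_function, login/2})` attribute added in the other Erlang file of this commit. ensure_user_exists/1 continues outside the hunk.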
@ -33,4 +33,13 @@ client_file_jwks_type.desc:
|
|||
client_file_jwks_file.desc:
|
||||
"""The content of the JWKS."""
|
||||
|
||||
preferred_auth_methods.desc:
|
||||
"""Set the valid authentication methods and their priority."""
|
||||
|
||||
provider.desc:
|
||||
"""The OIDC provider."""
|
||||
|
||||
fallback_methods.desc:
|
||||
"""Some providers do not provide all the method items in the provider configuration, set this value as a fallback for those items."""
|
||||
|
||||
}