OpenID Connect Support and Strict Mode #2144

Open: 5 commits to be merged into base: dev

Cyberboss (Member) commented Mar 10, 2025

Closes #2097

🆑 Configuration
The new configuration version is 5.6.0.
Added Security:OpenIDConnect entries and Security:OidcStrictMode. See the README for details.
Security:OAuth:Keycloak has been deprecated. Please migrate to an OIDC provider.
Security:OAuth:TGForums has been removed as the service is no longer provided.
/🆑

🆑
Added OpenID Connect support. See the README for details.
TGForums OAuth has been removed as the service is no longer provided.
/🆑

🆑 REST API
Added oidcProviderInfos to server information model. These list a friendlyName, user-definable themeColour, and user-definable themeIconUrl for indicating how to display OIDC providers. The schemeKey property is how authentication is performed. Send users to /oidc/{schemeKey}/signin to start the OIDC flow. Users will be returned to a configured endpoint (/app by default) with the query parameter state set to oidc.{schemeKey} and either a code indicating a TGS bearer token to use or a user-readable error.
Added oidcConnections to users, similar to oAuthConnections with the only difference being that the provider is replaced with a schemeKey string. Modifiable with the same right.
/:cl:

🆑 GraphQL API
Added OIDC-related fields.
Renamed adminUserCannotOAuth to adminUserCannotHaveServiceConnection.
Renamed editOwnOAuthConnections to editOwnServiceConnections.
/:cl:

🆑 Nuget: API
Added UserApiBase.OidcConnections.
Renamed ErrorCode.AdminUserCannotOAuth to AdminUserCannotHaveServiceConnection.
Renamed AdministrationRights.EditOwnOAuthConnections to EditOwnServiceConnections.
Made deprecated OAuthProviders Obsolete.
Added OidcProviderInfos and OidcStrictMode to ServerInformationResponse.
/:cl:

🆑 Nuget: Client
Updated to API library version 18.0.0.
/:cl:

TODO:

  • Server deny password change in strict mode
  • Server deny OAuth change in strict mode
  • Server deny group changes in strict mode
  • Webpanel handle OAuth in strict mode.
  • Webpanel handle Password Change in strict mode.
  • Webpanel handle group changes in strict mode.
  • README

Cyberboss added labels Mar 10, 2025: Client (Issue with the .NET client library), Feature (New functionality), Security (Issue pertaining to Authentication/Authorization or NTC (Never Trust the Client)), REST (The JSON REST API for server control), Configuration (Regarding the server setup JSON), Migration (Requires or performs a database migration), GraphQL (The GraphQL API for server control)
Cyberboss added this to the v6.15.0 milestone Mar 10, 2025
Cyberboss marked this pull request as ready for review March 10, 2025 22:21
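
A client-side handler for the return leg of the flow described in the REST API changelog entry, as an added example that is not code from this pull request or from the TGS webpanel. The `state` and `code` parameters and the `schemeKey` and `friendlyName` fields come from the description; the `error` query parameter name, the `parseOidcReturn` helper, and the sample provider and URL are assumptions.

```javascript
// Added example; not TGS or webpanel code.
const STATE_PREFIX = "oidc.";

// Constructed sample of the oidcProviderInfos list from server information.
const SAMPLE_PROVIDERS = [
  { schemeKey: "example-idp", friendlyName: "Example IdP", themeColour: "#336699", themeIconUrl: null },
];

function parseOidcReturn(returnUrl, oidcProviderInfos) {
  const url = new URL(returnUrl);
  const params = url.searchParams;
  const state = params.get("state");
  // Not an OIDC return: leave the URL untouched.
  if (state === null || !state.startsWith(STATE_PREFIX)) {
    return { kind: "not-oidc", cleanUrl: url.toString() };
  }
  const code = params.get("code");
  const error = params.get("error"); // parameter name is an assumption

  // The code is a bearer token: drop it from the URL so it does not stay in
  // browser history or leak through a Referer header.
  for (const name of ["state", "code", "error"]) params.delete(name);
  const cleanUrl = url.toString();

  // Only accept a schemeKey the server itself advertised.
  const schemeKey = state.slice(STATE_PREFIX.length);
  const provider = oidcProviderInfos.find((p) => p.schemeKey === schemeKey);
  if (!provider) return { kind: "rejected", reason: "unknown schemeKey", cleanUrl };
  if (code && error) return { kind: "rejected", reason: "both code and error", cleanUrl };
  if (code) {
    return { kind: "token", schemeKey, friendlyName: provider.friendlyName, bearerToken: code, cleanUrl };
  }
  // Treat the message as untrusted text: render with textContent, never as HTML.
  if (error) return { kind: "error", schemeKey, message: error, cleanUrl };
  return { kind: "rejected", reason: "neither code nor error", cleanUrl };
}

// Constructed return URL; the token value is a placeholder.
const demo = parseOidcReturn(
  "https://panel.example/app?state=oidc.example-idp&code=PLACEHOLDER_TOKEN",
  SAMPLE_PROVIDERS,
);
console.log(demo.kind, demo.cleanUrl);
```

In a browser, the returned `cleanUrl` would be passed to `history.replaceState` before the token is stored or used.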
Successfully merging this pull request may close these issues.

Proper OpenID Connect support