bmarsh9 / gapps

Security compliance platform - SOC2, CMMC, ASVS, ISO27001, HIPAA, NIST CSF, NIST 800-53, CSC CIS 18, PCI DSS, SSF tracking. https://gapps.darkbanner.com

Generic OIDC Authentication and Session Management #114

Closed Eric-TPS closed 9 months ago

Eric-TPS commented 9 months ago

Description: This pull request introduces generic OIDC (OpenID Connect) authentication support to enhance identity provider compatibility. The changes are designed to accommodate various identity providers, including Google, Microsoft, Facebook, and more. Key changes include:

  1. OIDC Configuration: The introduction of essential environment variables to configure OIDC authentication. These variables are as follows:

    • ENFORCE_OIDC_AUTH: Enforces OIDC authentication (defaults to "0" if not set).
    • ENABLE_OIDC_AUTH: Enables OIDC authentication (defaults to "0" if not set).
    • IDENTITY_PROVIDER_NAME: Sets the Identity Provider name (defaults to "AzureAD" if not set).
    • OIDC_CLIENT_ID: OIDC client ID.
    • OIDC_CLIENT_SECRET: OIDC client secret.
    • OIDC_DISCOVERY_URL: OIDC discovery URL (e.g., https://login.IDP.com/.well-known/openid-configuration).
    • OIDC_LOGOUT_URL: OIDC logout URL.
  2. Session Management: Implementation of Flask session management features to ensure consistent login sessions across pages.

  3. Login Template Enhancement: The login template has been updated to display the OIDC login method only when it is "Enforced" using the ENFORCE_OIDC_AUTH variable. Additionally, the OIDC login button is enabled if OIDC authentication is enabled via the ENABLE_OIDC_AUTH variable.

These changes aim to make the authentication process more flexible and extend support for various identity providers while maintaining a secure and streamlined user experience.
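As an added illustration (not code from this PR or from gapps), the following reads the seven variables listed above with the defaults the description gives, rejects the combinations that would leave the application unusable or trusting an unauthenticated discovery document, and derives what the login template should show. It assumes a flag is "on" only when set to "1", and reads the template rule as "enforce hides the local form, enable shows the OIDC button"; both are my interpretations.

```python
import os
from dataclasses import dataclass
from typing import Mapping, Optional
from urllib.parse import urlparse
# Assumed convention (the PR documents only the "0" default): a flag is on only when set to "1".
def _flag(env: Mapping[str, str], name: str) -> bool:
    return env.get(name, "0") == "1"
@dataclass(frozen=True)
class OidcSettings:
    enforce: bool
    enable: bool
    provider_name: str
    client_id: Optional[str]
    client_secret: Optional[str]
    discovery_url: Optional[str]
    logout_url: Optional[str]

def load_oidc_settings(env: Mapping[str, str] = os.environ) -> OidcSettings:
    """Read the seven variables the PR describes, applying its documented defaults."""
    return OidcSettings(
        enforce=_flag(env, "ENFORCE_OIDC_AUTH"),
        enable=_flag(env, "ENABLE_OIDC_AUTH"),
        provider_name=env.get("IDENTITY_PROVIDER_NAME", "AzureAD"),
        client_id=env.get("OIDC_CLIENT_ID"),
        client_secret=env.get("OIDC_CLIENT_SECRET"),
        discovery_url=env.get("OIDC_DISCOVERY_URL"),
        logout_url=env.get("OIDC_LOGOUT_URL"),
    )

def validate_oidc_settings(s: OidcSettings) -> list:
    """Return misconfiguration messages; an empty list means the settings are usable."""
    errors = []
    if s.enforce and not s.enable:
        errors.append("ENFORCE_OIDC_AUTH=1 but ENABLE_OIDC_AUTH=0: no login method would be available")
    if s.enable:
        for name, value in (("OIDC_CLIENT_ID", s.client_id), ("OIDC_CLIENT_SECRET", s.client_secret),
                            ("OIDC_DISCOVERY_URL", s.discovery_url)):
            if not value:
                errors.append(f"{name} must be set when ENABLE_OIDC_AUTH=1")
        if s.discovery_url:
            u = urlparse(s.discovery_url)
            if u.scheme != "https":  # discovery supplies endpoints and signing keys, so it must come over TLS
                errors.append("OIDC_DISCOVERY_URL must use https")
            if not u.path.endswith("/.well-known/openid-configuration"):
                errors.append("OIDC_DISCOVERY_URL should end with /.well-known/openid-configuration")
    return errors

def login_page_options(s: OidcSettings) -> dict:
    """My reading of the template rule: enforcing hides the local form, enabling shows the OIDC button."""
    return {"show_local_form": not s.enforce, "show_oidc_button": s.enable,
            "oidc_label": f"Sign in with {s.provider_name}"}
```

Running the validation at startup (rather than on first login) turns a silent lockout or an http discovery URL into a refused boot with a clear message.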

Eric-TPS commented 9 months ago

This pull request not only adds OIDC authentication but also introduces a database migration. The migration is required to set up the required tables for OIDC support and future improvements.

Steps to Enable OIDC Authentication:

Connect to your instance. Execute the following commands:

  1. flask db migrate: Initiates the migration process.
  2. flask db upgrade: Applies the migration changes.

By following these steps, you ensure that your database is ready for OIDC authentication and future enhancements, providing a seamless login experience.

Integration with Kubernetes Deployment (Pending Review): Once the Kubernetes deployment option is reviewed and approved, I will include this migration as an "init" container. An "init" container will handle future migrations automatically in a Kubernetes environment. This eliminates the need for manual migration runs, ensuring a hassle-free setup and maintenance.

bmarsh9 commented 9 months ago

@Eric-TPS I definitely am not opposed to federated login - thanks for starting this. Have you looked at https://github.com/singingwolfboy/flask-dance?

Eric-TPS commented 9 months ago

I have not, but I do like the setup. I'm going to cancel this PR as I've discovered a number of issues that need to be resolved before going forward.

bmarsh9 commented 9 months ago

@Eric-TPS ok - let me know if you need any assistance