Closed kamilkisiela closed 1 month ago
Okay, so people will put it into a form on the Hive settings website (http://brrrrrt/.well-known/openid-configuration). We will fetch a JSON file from that, and that will be used instead of the OAuth API URL that is now used by everything.
Things to touch:
oauth_api_url
Right now we have already introduced support for more granular configuration via the UI through https://github.com/kamilkisiela/graphql-hive/pull/835
Would this support OIDC login for any provider that uses OAuth, such as Keycloak? Right now OIDC only supports Google, Okta, and GitHub - https://the-guild.dev/graphql/hive/docs/self-hosting/oidc-login.
We currently use organization-scoped SSO - https://the-guild.dev/graphql/hive/docs/management/sso-oidc-provider. This allows SSO after the SSO integration has been set up manually through the UI using the settings referenced at https://github.com/kamilkisiela/graphql-hive/pull/835. It would be great if from the initial deployment we could use SSO.
@wethekings303 This issue tracks supporting OIDC Discovery documents for organizations. ANY OIDC-compliant provider can be connected to an organization (see https://the-guild.dev/graphql/hive/docs/management/sso-oidc-provider).
You are referring to a self-hosted OIDC login.
Regarding:
"It would be great if from the initial deployment we could use SSO."
This will be covered via the admin API https://github.com/kamilkisiela/graphql-hive/issues/2994
Spec: https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.4.2
The user could provide a link to the doc, and pass a client ID and a secret.
Why? Not all OIDC providers follow the same convention for endpoints. Azure AD has /userinfo under a different host.
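The discovery-based flow described in this thread, as an added TypeScript example that is not part of graphql-hive: it builds the discovery URL from an issuer, validates the fetched JSON (issuer match, https-only endpoints) and accepts a userinfo endpoint on another host, which is the Azure AD case mentioned above. The hostnames and tenant id in the sample document are placeholders.

```typescript
// Added example, not graphql-hive's own code: resolve OIDC endpoints from a
// provider's discovery document instead of one hard-coded OAuth API URL.
// Spec: https://openid.net/specs/openid-connect-discovery-1_0.html (sections 4.1-4.3)
export type OidcEndpoints = { issuer: string; authorizationEndpoint: string;
  tokenEndpoint: string; userinfoEndpoint: string; jwksUri: string };

// Section 4.1: discovery URL = issuer + "/.well-known/openid-configuration".
export function discoveryUrl(issuer: string): string {
  return issuer.replace(/\/+$/, '') + '/.well-known/openid-configuration';
}

// Require a field to be an absolute https URL. The host is deliberately NOT
// compared with the issuer's host: providers such as Azure AD serve userinfo
// from a different host than the token endpoint.
function requireHttpsUrl(doc: Record<string, unknown>, key: string): string {
  const value = doc[key];
  if (typeof value !== 'string') throw new Error(`discovery document lacks "${key}"`);
  let parsed: URL;
  try { parsed = new URL(value); } catch { throw new Error(`"${key}" is not a URL`); }
  if (parsed.protocol !== 'https:') throw new Error(`"${key}" must be https`);
  return value;
}

// Validate an already-parsed discovery document against the issuer the admin
// configured and extract the endpoints used for the login flow.
export function parseDiscoveryDocument(expectedIssuer: string, doc: unknown): OidcEndpoints {
  if (typeof doc !== 'object' || doc === null) throw new Error('document is not a JSON object');
  const d = doc as Record<string, unknown>;
  const issuer = expectedIssuer.replace(/\/+$/, '');
  // Section 4.3: "issuer" MUST equal the issuer the document was fetched for;
  // otherwise a document served for one tenant could be wired into another.
  if (d.issuer !== issuer) throw new Error('issuer mismatch');
  return {
    issuer,
    authorizationEndpoint: requireHttpsUrl(d, 'authorization_endpoint'),
    tokenEndpoint: requireHttpsUrl(d, 'token_endpoint'),
    userinfoEndpoint: requireHttpsUrl(d, 'userinfo_endpoint'),
    jwksUri: requireHttpsUrl(d, 'jwks_uri'),
  };
}

// Constructed sample shaped like an Azure AD v2.0 document (placeholder hosts
// and tenant id): userinfo_endpoint lives on a different host than the rest.
export const sampleDocument = {
  issuer: 'https://login.idp.example/TENANT-ID-PLACEHOLDER/v2.0',
  authorization_endpoint: 'https://login.idp.example/TENANT-ID-PLACEHOLDER/oauth2/v2.0/authorize',
  token_endpoint: 'https://login.idp.example/TENANT-ID-PLACEHOLDER/oauth2/v2.0/token',
  userinfo_endpoint: 'https://graph.idp.example/oidc/userinfo',
  jwks_uri: 'https://login.idp.example/TENANT-ID-PLACEHOLDER/discovery/v2.0/keys',
};
```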