Closed cardoe closed 17 hours ago
I put OAuth2/OIDC in the comments but I think it'll work for SAML as well. I just don't know.
Kicked the tires locally on the final commit. Let me know if there's anything further you'd like me to do @glennmatthews. I'm getting much closer to having the stock `nautobot_config.py` with this. Most of what I've got to configure is the `PLUGINS` and the `PLUGINS_CONFIG`, and like I mentioned somewhere else I'm loading the `PLUGINS_CONFIG` via yaml and I'll look to provide that upstream. The last config piece I've got is:
```python
import os

# Separator used for list-valued settings passed through a single environment
# variable. The snippet did not define it; "|" is assumed here so it runs as-is.
_CONFIG_SETTING_SEPARATOR = "|"


def _read_cred(filename):
    """Return the stripped contents of a mounted secret file, or None if the file is absent."""
    try:
        with open(filename) as cred:
            return cred.read().strip()
    except FileNotFoundError:
        return None


# Mounted secret file first, environment variable as the fallback.
SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = _read_cred("/opt/nautobot/sso/issuer") or os.getenv(
    "SOCIAL_AUTH_OIDC_OIDC_ENDPOINT"
)
SOCIAL_AUTH_OIDC_KEY = _read_cred("/opt/nautobot/sso/client-id") or "nautobot"
SOCIAL_AUTH_OIDC_SECRET = _read_cred("/opt/nautobot/sso/client-secret")
# The "openid", "profile" and "email" scopes are requested by default;
# the list below *adds* scopes.
SOCIAL_AUTH_OIDC_SCOPE = [
    scope for scope in os.getenv("SOCIAL_AUTH_OIDC_SCOPE", "").split(_CONFIG_SETTING_SEPARATOR) if scope != ""
]
```
We're using Kubernetes and our secrets are injected into the containers via file, so I am using the `_read_cred()` currently.
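The file-first, environment-second pattern in the comment above has one failure mode worth handling: if the mounted `client-secret` file is missing or empty and no environment variable is set, the setting quietly becomes `None` and the OIDC backend only fails later, at login time. The block below is an added example (not cardoe's code and not part of Nautobot) that keeps the same mount layout and setting names but treats an empty file as absent, fails at startup when a required credential cannot be resolved, and de-duplicates the scope list. The `"|"` separator, the `/opt/nautobot/sso` mount directory and the issuer URL in the constructed sample are assumptions.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional

# Assumed separator for list-valued settings passed through one environment variable.
CONFIG_SETTING_SEPARATOR = "|"


class MissingCredential(RuntimeError):
    """Raised at startup when a required credential is in neither the mounted file nor the environment."""


def read_secret_file(path) -> Optional[str]:
    """Return the stripped contents of a mounted secret file, or None if it is absent or blank.

    Kubernetes exposes each Secret key as a file; values created from files often carry a
    trailing newline, which strip() removes. A blank file is treated as absent so a
    mis-populated Secret does not silently turn into an empty client secret.
    """
    try:
        value = Path(path).read_text(encoding="utf-8").strip()
    except (FileNotFoundError, NotADirectoryError):
        return None
    return value or None


def load_credential(name, path, env_var, environ, default=None, required=False):
    """Resolve one credential: mounted file first, then the environment, then the default."""
    value = read_secret_file(path)
    if value is None:
        value = environ.get(env_var) or None
    if value is None:
        value = default
    if required and value is None:
        raise MissingCredential(f"{name}: not found in {path} or ${env_var}")
    return value


def parse_scopes(raw, separator=CONFIG_SETTING_SEPARATOR):
    """Split a separator-delimited scope string, dropping blanks and duplicates, order preserved."""
    scopes = []
    for scope in raw.split(separator):
        scope = scope.strip()
        if scope and scope not in scopes:
            scopes.append(scope)
    return scopes


def build_oidc_settings(mount_dir, environ):
    """Build the SOCIAL_AUTH_OIDC_* settings from a secret mount with environment fallback."""
    mount = Path(mount_dir)
    return {
        "SOCIAL_AUTH_OIDC_OIDC_ENDPOINT": load_credential(
            "issuer", mount / "issuer", "SOCIAL_AUTH_OIDC_OIDC_ENDPOINT", environ, required=True
        ),
        "SOCIAL_AUTH_OIDC_KEY": load_credential(
            "client-id", mount / "client-id", "SOCIAL_AUTH_OIDC_KEY", environ, default="nautobot"
        ),
        "SOCIAL_AUTH_OIDC_SECRET": load_credential(
            "client-secret", mount / "client-secret", "SOCIAL_AUTH_OIDC_SECRET", environ, required=True
        ),
        # "openid", "profile" and "email" are requested by default; these are added on top.
        "SOCIAL_AUTH_OIDC_SCOPE": parse_scopes(environ.get("SOCIAL_AUTH_OIDC_SCOPE", "")),
    }


def demo():
    """Constructed sample mount: issuer and client-secret present, client-id blank, scopes from the environment."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "issuer").write_text("https://sso.example.test/realms/nautobot\n")  # trailing newline
        Path(tmp, "client-secret").write_text("s3cr3t\n")
        Path(tmp, "client-id").write_text("   \n")  # blank file: treated as absent, default applies
        env = {"SOCIAL_AUTH_OIDC_SCOPE": "groups||offline_access|groups"}
        return build_oidc_settings(tmp, env)


def demo_missing_secret():
    """Constructed sample: empty mount and empty environment; startup must fail, not proceed with None."""
    with tempfile.TemporaryDirectory() as tmp:
        try:
            build_oidc_settings(tmp, {})
        except MissingCredential as exc:
            return str(exc)
    return None


if __name__ == "__main__":
    print(demo())
    print(demo_missing_secret())
```

In a real `nautobot_config.py` the `environ` argument would be `os.environ` and `mount_dir` the Secret's `mountPath`. Keeping the file as the first source is the point of the pattern: a value mounted as a file is only readable inside the container, whereas a value passed as a plain environment variable also appears in the pod spec and in `/proc/<pid>/environ`.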
Thanks! Looks solid to me; I should be able to merge it today.
That failure doesn't seem related to this. Duplicate during an alembic migration on `app_label`.
Yeah, it's an intermittent failure we haven't been able to figure out yet. Should pass on a rerun.
Defined a generic SSO group authentication module that can be shared by any OAuth2/OIDC backend.
Closes #6543
What's Changed
`nautobot.extras.group_sync` so that we can use any generic authentication backend.

TODO