nix-community / buildbot-nix

A nixos module to make buildbot a proper Nix-CI [maintainer=@Mic92]

Generic OIDC auth #195

Open james-atkins opened 3 days ago

james-atkins commented 3 days ago

It would be nice to specify a generic OIDC login provider rather than GitHub or Gitea. For example, I use Dex.

This should be easy to implement Python-wise as both GiteaAuth and GitHubAuth are subclasses of buildbot.www.oauth2.OAuth2Auth.

Mic92 commented 3 days ago

Is OIDC not a different protocol from OAuth2?

Mic92 commented 3 days ago

Maybe not, I am not super familiar with the specifics. What might already work today is oauth2-proxy: https://oauth2-proxy.github.io/oauth2-proxy/

Mic92 commented 3 days ago

There is https://github.com/buildbot/buildbot/blob/331121358ba547a6d445de8760c5c8d359171cf8/master/buildbot/www/auth.py#L102 so a proxy could set a header value pointing to the user.

Mic92 commented 3 days ago

Question is, how do we handle permissions in this case? Treat all logged-in people as admins?

james-atkins commented 3 days ago

OIDC is a protocol built on top of OAuth2. It standardises how user information is retrieved once they are authenticated. E.g. some of buildbot's built-in authentication providers use standard OIDC claims such as name, email and picture.
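
An added example, not part of the thread and not buildbot-nix or Buildbot code: a sketch of the provider-independent pieces a generic OIDC login needs, namely checking the discovery document, mapping standard claims to user info, and deciding admin rights by explicit group membership rather than by login alone. The function names are hypothetical, the sample data is constructed, and the `username`/`full_name`/`email`/`groups` dict shape and the `groups` claim are assumptions.

```python
from urllib.parse import urlparse

# Constructed sample data (not from a real provider); example.org is a placeholder.
SAMPLE_DISCOVERY = {
    "issuer": "https://dex.example.org",
    "authorization_endpoint": "https://dex.example.org/auth",
    "token_endpoint": "https://dex.example.org/token",
    "userinfo_endpoint": "https://dex.example.org/userinfo",
}
SAMPLE_CLAIMS = {
    "sub": "CgVhbGljZRIFbG9jYWw", "name": "Alice Example",
    "email": "alice@example.org", "email_verified": True,
    "preferred_username": "alice", "groups": ["ci-users"],
}

def endpoints_from_discovery(doc, expected_issuer):
    """Check a discovery document and return the three endpoints a login flow needs."""
    # The issuer in the document must equal the issuer it was requested for.
    if doc.get("issuer") != expected_issuer:
        raise ValueError("issuer mismatch in discovery document")
    endpoints = {}
    for key in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint"):
        url = doc.get(key) or ""
        if urlparse(url).scheme != "https":
            raise ValueError(f"{key} missing or not https")
        endpoints[key] = url
    return endpoints

def userinfo_from_claims(claims):
    """Map standard OIDC claims to username/full_name/email/groups (assumed dict shape)."""
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise ValueError("claims carry no 'sub'")
    groups = claims.get("groups")  # assumption: the provider emits a 'groups' claim
    groups = [g for g in groups if isinstance(g, str)] if isinstance(groups, list) else []
    # Use the e-mail only when the provider marks it verified.
    email = claims.get("email") if claims.get("email_verified") is True else None
    return {"username": claims.get("preferred_username") or sub,
            "full_name": claims.get("name") or "", "email": email, "groups": groups}

def is_admin(userinfo, admin_groups):
    """Deny by default: admin only through membership in an explicitly listed group."""
    return bool(set(admin_groups) & set(userinfo["groups"]))
```

Since `preferred_username` is not guaranteed unique across users, the admin decision here relies on group membership only.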