[test]: Test OIDC with different Providers #9

Open torbenraab opened 9 months ago

Is there an existing issue for this?

[X] I have searched the existing issues

Summary

[x] Authentik
[ ] Keycloak -> #30
[x] Authelia -> #24
[x] Azure AD
[ ] Zitadel
[x] GitLab -> #28 Now officially available in Plane!
[ ] ...

Why should this be worked on?

Check Compatibility. Should be working as everything is done according to the OIDC Spec

Please comment here if your provider is not working out of the box so we can work something out and adapt the documentation.

Azure AD as per https://github.com/makeplane/plane/issues/3381

Thank you again for your continued efforts supporting this functionality! It is absolutely critical for our team's use case.

Azure AD confirmed working on the helm deployed variant, set to preview/stable, using the provided god-mode fields

helm

planeVersion: preview
  images:
    frontend: ghcr.io/torbenraab/plane/plane-frontend
    backend: ghcr.io/torbenraab/plane/plane-backend
    space: ghcr.io/torbenraab/plane/plane-space

field values

Authorization URL: https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize

Client ID: Taken from azure app registration properties - application ID 

Token URL: https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token

Userinfo URL: https://graph.microsoft.com/oidc/userinfo

Client Secret: generated secret value from azure app registration

Redirect URL: https://site.example.com/ (autogenerated) - in the azure app registration page this translates to the Web Redirect URI (remove the ):

https://site.example.com/

When we initially configured these options, we made it all the way through the microsoft portal authentication process without issue, but upon returning to the authentication page a huge spam of "Required Key not found" errors looped up.

Debugging showed that WEB_URL is being called as part of the auth token return. In the plane-ce helm chart config-map, app-env.yaml, this value is hard-coded as http:

  WEB_URL: "http://{{ .Values.ingress.appHost }}"

Changing the config-map/environment variable to https resolved the issue. Existing user accounts mapped 1 to 1 based on email without any further changes.

Please let me know if there's any further information required, and I'd be happy to assist.

On Azure AD, returning to the authentication page shows "Required Key not found" errors as looped and also first error message shown as payload is not valid. @torbenraab @jake-ef

I looked at the WEB_URL, and it's in the https format.

Been able to reproduce the same issue in Azure, things properly configured (I think), weirdly enough I was able to invite 2 users and then no dice, while it's true that the auth fails and repeatedly calls the oidc endpoint failing every time with the key not found error, the first error is actually New account creation is disabled. Please contact your site administrator, I've checked and the database does have the right emails in the workspace_member_invites table, which all seems quite odd to me since well, that being the case should mean this error wouldn't happen, unless somehow the email in the request data is wrong.

@torbenraab can you also check with zitadel(https://zitadel.com/)?

I am curently getting this error once I am redirected back to plane instance

Been able to reproduce the same issue in Azure, things properly configured (I think), weirdly enough I was able to invite 2 users and then no dice, while it's true that the auth fails and repeatedly calls the oidc endpoint failing every time with the key not found error, the first error is actually New account creation is disabled. Please contact your site administrator, I've checked and the database does have the right emails in the workspace_member_invites table, which all seems quite odd to me since well, that being the case should mean this error wouldn't happen, unless somehow the email in the request data is wrong.

Try setting ENABLE_SIGNUP to 1

@poudelprakash and @sats268842

I will get back to you shortly. In the meantime please check if the issue is resolved in version 0.15.4

@torbenraab I tried it just now, this issue is not resolved in 0.15.4

@poudelprakash and @sats268842

I will get back to you shortly. In the meantime please check if the issue is resolved in version 0.15.4

Not resolved after upgrading to 0.15.4 version

@sats268842 I tried to replicate your issue but it works on my site. Here is my config:

OIDC_AUTO=1
OIDC_CLIENT_ID=<clientid>
OIDC_CLIENT_SECRET=<secret>
OIDC_DISCOVERY=https://login.microsoftonline.com/<tenant>/v2.0/.well-known/openid-configuration
OIDC_URL_AUTHORIZATION=https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize
OIDC_URL_TOKEN=https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token
OIDC_URL_USERINFO=https://graph.microsoft.com/oidc/userinfo

If you want I can send you a complete config. Maybe you can find the missing part and post it here

@poudelprakash Let's wait for his reply. Maybe it helps you too. I don't have Zitadel running currently but I think it is the same issue, as I have seen the issue in development.

@torbenraab The problem is still present. Is there anything we're lacking from our AD setup, or could you share your configuration?

@torbenraab thanks for the update,

you can also signup with zitadel on their hosted version for quick access..

@poudelprakash Thanks for the info, I will try it out

Here is a sample config for Azure AD in the meantime:

Azure AD Config

``` APP_RELEASE=v0.16-dev DOCKERHUB_USER=ghcr.io/torbenraab/plane WEB_REPLICAS=1 SPACE_REPLICAS=1 API_REPLICAS=1 NGINX_PORT=8080 WEB_URL= DEBUG=1 NEXT_PUBLIC_DEPLOY_URL= SENTRY_DSN="" SENTRY_ENVIRONMENT="production" GOOGLE_CLIENT_ID="" GITHUB_CLIENT_ID="" GITHUB_CLIENT_SECRET="" DOCKERIZED=1 # deprecated CORS_ALLOWED_ORIGINS= #DB SETTINGS PGHOST=plane-db PGDATABASE=plane POSTGRES_USER=plane POSTGRES_PASSWORD=plane POSTGRES_DB=plane PGDATA=/var/lib/postgresql/data DATABASE_URL=postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@${PGHOST}/${PGDATABASE} # REDIS SETTINGS REDIS_HOST=plane-redis REDIS_PORT=6379 REDIS_URL=redis://${REDIS_HOST}:6379/ # EMAIL SETTINGS EMAIL_HOST= EMAIL_HOST_USER= EMAIL_HOST_PASSWORD= EMAIL_PORT=465 EMAIL_FROM="Plane" EMAIL_USE_TLS=1 EMAIL_USE_SSL=0 # OPENAI SETTINGS OPENAI_API_BASE=https://api.openai.com/v1 # deprecated OPENAI_API_KEY="sk-" # deprecated GPT_ENGINE="gpt-3.5-turbo" # deprecated # LOGIN/SIGNUP SETTINGS ENABLE_SIGNUP=1 ENABLE_EMAIL_PASSWORD=1 ENABLE_MAGIC_LINK_LOGIN=0 SECRET_KEY="" # Enable OpenID Connect Login - You can set the Issuer to get the Enpoints (URLs) automatically or set them manually # If you set the Endpoints manually the issuer should be empty to avoid overriding the endpoints OIDC_AUTO=1 OIDC_CLIENT_ID= OIDC_CLIENT_SECRET= OIDC_DISCOVERY=https://login.microsoftonline.com//v2.0/.well-known/openid-configuration OIDC_URL_AUTHORIZATION=https://login.microsoftonline.com//oauth2/v2.0/authorize OIDC_URL_TOKEN=https://login.microsoftonline.com//oauth2/v2.0/token OIDC_URL_USERINFO=https://graph.microsoft.com/oidc/userinfo #OIDC_URL_ENDSESSION=https://auth.lila.systems/application/o/plane-so/end-session/ # DATA STORE SETTINGS USE_MINIO=0 AWS_REGION="" AWS_ACCESS_KEY_ID="" AWS_SECRET_ACCESS_KEY="" AWS_S3_ENDPOINT_URL= AWS_S3_BUCKET_NAME= MINIO_ROOT_USER="access-key" MINIO_ROOT_PASSWORD="secret-key" BUCKET_NAME=uploads FILE_SIZE_LIMIT=5242880 # Gunicorn Workers GUNICORN_WORKERS=2 ```

This config is currently working in a testing environment.

@torbenraab I refferred above AD config to configure OIDC but above isssue "The required key does not exist" is stil an issue..

also waiting for v0.17-dev version :)

@poudelprakash Will test it intensively before releasing the new v0.17-dev as im having some issues with the build. And will also address #24 with the v0.17-dev. So please be patient. I hope I can get most of the work done in the evening tomorrow or on the weekend

Hey @torbenraab, I think I found the problem with Required key does not exist. (at least for Keycloak). The error is thrown due to this line: https://github.com/torbenraab/plane/blob/0ec9de51711ea3fffffb7de79d46b443bfe2411e/apiserver/plane/app/views/oidc.py#L140

The reason why the request fails lies here: https://github.com/torbenraab/plane/blob/0ec9de51711ea3fffffb7de79d46b443bfe2411e/apiserver/plane/app/views/oidc.py#L128 Keycloak seems to be more strict with the redirect_uri. When using https://<domain>/*, it expects a trailing slash.

The solution is quite simple:

# This adds a trailing slash when one does not exist
"redirect_uri": os.path.join(WEB_URL, ''),

If you want, I can open a PR. While I was debugging, I improved the get_access_token function with better logging and error handling.

First of all I'm sorry that there wasn't a release or fix until now. I got ill again.

@halilbahar I would be great if you do a PR. Just do the PR on the preview branch. Than I can add the fixes for the build.

Hey!

I just tested GitLab as an OIDC provider and encountered some issues when starting the backend with OIDC Discovery URL as it was getting stuck on "Waiting for API Service to Start". After some digging in logs I find out that GitLab OpenID configuration does not include the 'end_session_endpoint'. Instead, the 'revocation_endpoint' is provided.

I mocked the GitLab OpenID configuration with an 'end_session_endpoint' providing the URL for the 'revocation_endpoint', and then the backend started without issues. However, logging out is still not possible.

Hope this helps! Thanks for your great work!

@sq3tle Thanks for Testing! I will look into it. The end_session_endpoint should be optional

Hello @torbenraab 👋 Thank you for all your efforts! I'm interested in adopting your fork, as we want to use SSO with our OIDC provider (ORY Hydra) in our setup.

I have a few questions, if you don’t mind:

Has anyone tested this fork with ORY Hydra?
Which branch should we use?
If it hasn't been tested, I'd be happy to test and contribute to supporting it. It would be incredibly helpful if you could point me to a contribution guide, if available.

Thank you!

torbenraab / plane