Skip to content

providers/oauth2: Add provider federation between OAuth2 Providers#12083

Merged
BeryJu merged 12 commits intomainfrom
providers/oauth2/int-fed
Dec 3, 2024
Merged

providers/oauth2: Add provider federation between OAuth2 Providers#12083
BeryJu merged 12 commits intomainfrom
providers/oauth2/int-fed

Conversation

@BeryJu
Copy link
Member

@BeryJu BeryJu commented Nov 19, 2024

Details

REPLACE ME

Checklist

  • Local tests pass (ak test authentik/)
  • The code has been formatted (make lint-fix)

If an API change has been made

  • The API schema has been updated (make gen-build)

If changes to the frontend have been made

  • The code has been formatted (make web)

If applicable

  • The documentation has been updated
  • The documentation has been formatted (make website)

@BeryJu BeryJu requested review from a team as code owners November 19, 2024 18:57
@netlify
Copy link

netlify bot commented Nov 19, 2024
edited
Loading

Deploy Preview for authentik-storybook ready!

Name Link
🔨 Latest commit 2743bd3
🔍 Latest deploy log https://app.netlify.com/sites/authentik-storybook/deploys/674e21f9d556570008c074be
😎 Deploy Preview https://deploy-preview-12083--authentik-storybook.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@netlify
Copy link

netlify bot commented Nov 19, 2024
edited
Loading

Deploy Preview for authentik-docs ready!

Name Link
🔨 Latest commit 2743bd3
🔍 Latest deploy log https://app.netlify.com/sites/authentik-docs/deploys/674e21f9c25acb000863f5bd
😎 Deploy Preview https://deploy-preview-12083--authentik-docs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@codecov
Copy link

codecov bot commented Nov 19, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 96.89922% with 4 lines in your changes missing coverage. Please review.

Project coverage is 92.68%. Comparing base (e077a5c) to head (2743bd3).
Report is 2 commits behind head on main.

✅ All tests successful. No failed tests found.

Files with missing lines Patch % Lines
authentik/providers/oauth2/views/token.py 89.74% 4 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #12083      +/-   ##
==========================================
+ Coverage   92.67%   92.68%   +0.01%     
==========================================
  Files         761      762       +1     
  Lines       38050    38151     +101     
==========================================
+ Hits        35263    35362      +99     
- Misses       2787     2789       +2
Flag Coverage Δ
e2e 49.09% <4.65%> (-0.13%) ⬇️
integration 24.76% <2.32%> (-0.07%) ⬇️
unit 90.22% <96.89%> (+0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@github-actions
Copy link
Contributor

github-actions bot commented Nov 19, 2024

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-f888d395b50e2a0834ce41f73eef6de4521eb3ef
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

For arm64, use these values:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-f888d395b50e2a0834ce41f73eef6de4521eb3ef-arm64
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-f888d395b50e2a0834ce41f73eef6de4521eb3ef

For arm64, use these values:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-f888d395b50e2a0834ce41f73eef6de4521eb3ef-arm64

Afterwards, run the upgrade commands from the latest release notes.

@BeryJu BeryJu changed the title providers/oauth2: Add provider between OAuth2 Providers providers/oauth2: Add provider federation between OAuth2 Providers Nov 21, 2024
@BeryJu BeryJu force-pushed the providers/oauth2/int-fed branch from f888d39 to 8688a61 Compare November 22, 2024 13:25
tanberry
tanberry reviewed Nov 22, 2024
View reviewed changes
website/docs/add-secure-apps/providers/oauth2/client_credentials.md
You can authenticate and get a token using an existing JWT. For readability we will refer to the JWT issued by the external issuer/platform as input JWT, and the resulting JWT from authentik as the output JWT.

To configure this, the certificate used to sign the input JWT must be created in authentik. The certificate is enough, a private key is not required. Afterwards, configure the certificate in the OAuth2 provider settings under _Verification certificates_.
To configure this, define a JWKS URL/raw JWKS data in OAuth Sources. If a JWKS URL is specified, authentik will fetch the data and store it in the source, and then select the source in the OAuth2 Provider that will be authenticated against.
Copy link
Contributor

@tanberry tanberry Nov 22, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

data source? "...define a JWKS URL/raw JWKS data in OAuth Sources." is an incomplete sentence, needs the noun.

tanberry
tanberry reviewed Nov 22, 2024
View reviewed changes
tanberry
tanberry reviewed Nov 22, 2024
View reviewed changes
tanberry
tanberry reviewed Nov 22, 2024
View reviewed changes
tanberry
tanberry reviewed Nov 22, 2024
View reviewed changes
tanberry
tanberry approved these changes Nov 22, 2024
View reviewed changes
Copy link
Contributor

@tanberry tanberry left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

some suggested edits, but approving so that I am not the roadblock. ;-)

BeryJu added 9 commits December 2, 2024 15:31
@BeryJu
rename + add field
48e2b12 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
initial implementation
c3b5516 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
fix
e239e7c 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
fix
54ea65f 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
refactor
c594ca5 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
rework source cc tests
507f867 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
add tests
82e37b2 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
update docs
34c0719 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
re-migrate
1e275e4 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu BeryJu force-pushed the providers/oauth2/int-fed branch from d3114d9 to 1e275e4 Compare December 2, 2024 13:33
BeryJu and others added 3 commits December 2, 2024 17:08
@BeryJu
fix a
acf8a12 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu @tanberry
Apply suggestions from code review
ebc4d45 
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Jens L. <jens@beryju.org>
@BeryJu
Merge branch 'main' into providers/oauth2/int-fed
2743bd3 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>

# Conflicts:
#	web/src/admin/applications/wizard/methods/oauth/ak-application-wizard-authentication-by-oauth.ts
#	web/src/admin/applications/wizard/methods/proxy/AuthenticationByProxyPage.ts
#	web/src/admin/providers/oauth2/OAuth2ProviderForm.ts
#	web/src/admin/providers/proxy/ProxyProviderForm.ts
@BeryJu BeryJu merged commit 19488b7 into main Dec 3, 2024
@BeryJu BeryJu deleted the providers/oauth2/int-fed branch December 3, 2024 09:57
kensternberg-authentik added a commit that referenced this pull request Jan 8, 2025
@kensternberg-authentik
Merge branch 'main' into dev
9cc440e 
* main:
  web: simplify `?inline` handler for Storybook (#12246)
  website/docs: Update Traefik middleware example to reflect latest version of Traefik (#12267)
  website/docs: add . in https://netbird.company* (#12166)
  core: bump goauthentik.io/api/v3 from 3.2024104.1 to 3.2024104.2 (#12263)
  core: bump pydantic from 2.10.2 to 2.10.3 (#12262)
  core: bump github.com/getsentry/sentry-go from 0.29.1 to 0.30.0 (#12264)
  core, web: update translations (#12268)
  website: bump @types/react from 18.3.12 to 18.3.13 in /website (#12269)
  website: bump prettier from 3.4.1 to 3.4.2 in /website (#12270)
  ci: bump actions/attest-build-provenance from 1 to 2 (#12271)
  core: bump golang.org/x/sync from 0.9.0 to 0.10.0 (#12272)
  core: bump django from 5.0.9 to 5.0.10 (#12273)
  core: bump webauthn from 2.3.0 to 2.4.0 (#12274)
  website/integrations: add The Lounge (#11971)
  core: bump python-kadmin-rs from 0.3.0 to 0.4.0 (#12257)
  root: fix health status code (#12255)
  ci: fix should_push always being false (#12252)
  web: bump API Client version (#12251)
  providers/oauth2: Add provider federation between OAuth2 Providers (#12083)
  website/integrations: mastodon: set correct uid field (#11945)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tanberry tanberry tanberry approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@BeryJu @tanberry