Skip to content

Commit 3e69ece

Browse files
committed
Initial commit of OIDC auth driver module, implementation of AuthenticationProvider interface
1 parent a2514d7 commit 3e69ece

8 files changed

Lines changed: 749 additions & 2 deletions

File tree

core/config/docs/core.toml

Lines changed: 32 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -193,6 +193,38 @@ StartTimeout = '15s' # Default
193193
# ListenIP specifies the IP to bind the HTTP server to
194194
ListenIP = '0.0.0.0' # Default
195195

196+
# Optional OIDC config if WebServer.AuthenticationMethod is set to 'oidc'
197+
[WebServer.OIDC]
198+
# Expected audience of the token, usually expected to be the ID of the client
199+
# that initialized the login flow/the auth client application ID
200+
ClientID = ""
201+
# ProviderDomain is the URL identifier for the provider service.
202+
ProviderDomain = 'accounts[.]example[.]com'
203+
# OAuth2ProviderRouteSuffix is route suffix appended to the ProviderDomain, varies per provider
204+
OAuth2ProviderRouteSuffix = '/oauth2/default' # Default
205+
# OIDCCallbackURL is the URL (FQDN) that this running instance of the chainlink application listens on
206+
# for the OIDC provider callback containing the authenticated user's claims. This should be the domain
207+
# that the user accesses the operator UI from. OIDCCallbackURLSuffix is appended to the end
208+
OIDCCallbackURL = 'http://localhost:8080/'
209+
# OIDCCallbackURLSuffix is the API route name suffix used when registering the router endpoint
210+
OIDCCallbackURLSuffix = '/auth/oidc-callback' # Default
211+
# HTTPPort of the OIDC self contained HTTP router used to listen for the provider callback request
212+
HTTPPort = 6689 # Default
213+
# AdminUserGroupClaim is string label of the group returned by the OIDC claim that maps the core node's 'Admin' role
214+
AdminUserGroupClaim = 'NodeAdmins' # Default
215+
# EditUserGroupClaim is string label of the group returned by the OIDC claim that maps the core node's 'Edit' role
216+
EditUserGroupClaim = 'NodeEditors' # Default
217+
# RunUserGroupClaim is string label of the group returned by the OIDC claim that maps the core node's 'Run' role
218+
RunUserGroupClaim = 'NodeRunners' # Default
219+
# ReadUserGroupClaim is string label of the group returned by the OIDC claim that maps the core node's 'Read' role
220+
ReadUserGroupClaim = 'NodeReadOnly' # Default
221+
# SessionTimeout determines the amount of idle time to elapse before session cookies expire. This signs out GUI users from their sessions.
222+
SessionTimeout = '15m0s' # Default
223+
# UserApiTokenEnabled enables the users to issue API tokens with the same access of their role
224+
UserApiTokenEnabled = false # Default
225+
# UserAPITokenDuration is the duration of time an API token is active for before expiring
226+
UserAPITokenDuration = '240h0m0s' # Default
227+
196228
# Optional LDAP config if WebServer.AuthenticationMethod is set to 'ldap'
197229
# LDAP queries are all parameterized to support custom LDAP 'dn', 'cn', and attributes
198230
[WebServer.LDAP]

core/config/docs/secrets.toml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,11 @@ BackupURL = "postgresql://user:pass@read-replica.example.com:5432/dbname?sslmode
1414
# Environment variable: `CL_DATABASE_ALLOW_SIMPLE_PASSWORDS`
1515
AllowSimplePasswords = false # Default
1616

17+
# Optional OIDC config
18+
[WebServer.OIDC]
19+
# Auth client application secret
20+
clientSecret = "secret" # Example
21+
1722
# Optional LDAP config
1823
[WebServer.LDAP]
1924
# ServerAddress is the full ldaps:// address of the ldap server to authenticate with and query

core/config/web_config.go

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -55,6 +55,23 @@ type LDAP interface {
5555
UpstreamSyncRateLimit() commonconfig.Duration
5656
}
5757

58+
type OIDC interface {
59+
ClientID() string
60+
ClientSecret() string
61+
ProviderDomain() string
62+
OAuth2ProviderRouteSuffix() string
63+
OIDCCallbackURL() string
64+
OIDCCallbackURLSuffix() string
65+
HTTPPort() uint16
66+
AdminUserGroupClaim() string
67+
EditUserGroupClaim() string
68+
RunUserGroupClaim() string
69+
ReadUserGroupClaim() string
70+
SessionTimeout() commonconfig.Duration
71+
UserApiTokenEnabled() bool
72+
UserAPITokenDuration() commonconfig.Duration
73+
}
74+
5875
type WebServer interface {
5976
AuthenticationMethod() string
6077
AllowOrigins() string
@@ -74,4 +91,5 @@ type WebServer interface {
7491
RateLimit() RateLimit
7592
MFA() MFA
7693
LDAP() LDAP
94+
OIDC() OIDC
7795
}

core/services/chainlink/application.go

Lines changed: 12 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -74,6 +74,7 @@ import (
7474
"github.com/smartcontractkit/chainlink/v2/core/sessions"
7575
"github.com/smartcontractkit/chainlink/v2/core/sessions/ldapauth"
7676
"github.com/smartcontractkit/chainlink/v2/core/sessions/localauth"
77+
"github.com/smartcontractkit/chainlink/v2/core/sessions/oidcauth"
7778
"github.com/smartcontractkit/chainlink/v2/core/static"
7879
"github.com/smartcontractkit/chainlink/v2/plugins"
7980
)
@@ -351,7 +352,7 @@ func NewApplication(opts ApplicationOpts) (Application, error) {
351352
localAdminUsersORM := localauth.NewORM(opts.DS, cfg.WebServer().SessionTimeout().Duration(), globalLogger, auditLogger)
352353

353354
// Initialize Sessions ORM based on environment configured authenticator
354-
// localDB auth or remote LDAP auth
355+
// localDB auth, LDAP auth, or OIDC auth
355356
authMethod := cfg.WebServer().AuthenticationMethod()
356357
var authenticationProvider sessions.AuthenticationProvider
357358
var sessionReaper *utils.SleeperTask
@@ -365,7 +366,16 @@ func NewApplication(opts ApplicationOpts) (Application, error) {
365366
if err != nil {
366367
return nil, errors.Wrap(err, "NewApplication: failed to initialize LDAP Authentication module")
367368
}
368-
sessionReaper = ldapauth.NewLDAPServerStateSync(opts.DS, cfg.WebServer().LDAP(), globalLogger)
369+
sessionReaper = ldapauth.NewLDAPServerStateSync(opts.DS, cfg.Database(), cfg.WebServer().LDAP(), globalLogger)
370+
case sessions.OIDCAuth:
371+
var err error
372+
authenticationProvider, err = oidcauth.NewOIDCAuthenticator(
373+
opts.DS, cfg.Database(), cfg.WebServer().OIDC(), globalLogger, auditLogger,
374+
)
375+
if err != nil {
376+
return nil, errors.Wrap(err, "NewApplication: failed to initialize OIDC Authentication module")
377+
}
378+
sessionReaper = oidcauth.NewSessionReaper(opts.DS, cfg.WebServer(), globalLogger)
369379
case sessions.LocalAuth:
370380
authenticationProvider = localauth.NewORM(opts.DS, cfg.WebServer().SessionTimeout().Duration(), globalLogger, auditLogger)
371381
sessionReaper = localauth.NewSessionReaper(opts.DS, cfg.WebServer(), globalLogger)

core/sessions/authentication.go

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,7 @@ type AuthenticationProviderName string
1515
const (
1616
LocalAuth AuthenticationProviderName = "local"
1717
LDAPAuth AuthenticationProviderName = "ldap"
18+
OIDCAuth AuthenticationProviderName = "oidc"
1819
)
1920

2021
// ErrUserSessionExpired defines the error triggered when the user session has expired

0 commit comments

Comments
 (0)