-
Notifications
You must be signed in to change notification settings - Fork 315
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(auth): add support for oauth2 with openid connect discovery #4618
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
axiomofjoy
force-pushed
the
xander/oauth
branch
2 times, most recently
from
September 15, 2024 20:04
98b3b7e
to
5edbf5e
Compare
axiomofjoy
changed the title
feat(auth): support oauth
feat(auth): add support for oauth2 with openid connect discovery
Sep 18, 2024
axiomofjoy
force-pushed
the
xander/oauth
branch
from
September 18, 2024 01:24
4d063e6
to
b8729b5
Compare
dosubot
bot
added
the
size:XL
This PR changes 500-999 lines, ignoring generated files.
label
Sep 18, 2024
axiomofjoy
force-pushed
the
xander/oauth
branch
from
September 19, 2024 03:01
c143665
to
3783a4a
Compare
dosubot
bot
added
size:XXL
This PR changes 1000+ lines, ignoring generated files.
and removed
size:XL
This PR changes 500-999 lines, ignoring generated files.
labels
Sep 19, 2024
RogerHYang
reviewed
Sep 19, 2024
RogerHYang
approved these changes
Sep 19, 2024
axiomofjoy
force-pushed
the
xander/oauth
branch
from
September 20, 2024 01:00
d825938
to
69a5a91
Compare
RogerHYang
pushed a commit
that referenced
this pull request
Sep 21, 2024
Co-authored-by: Mikyo King <[email protected]> Co-authored-by: Dustin Ngo <[email protected]>
This was referenced Sep 25, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds initial support for OAuth2 identity providers that support the OpenID Connect Discovery standard. From the standard:
OpenID Providers supporting Discovery MUST make a JSON document available at the path formed by concatenating the string /.well-known/openid-configuration to the Issuer. The syntax and semantics of .well-known are defined in [RFC 5785](https://openid.net/specs/openid-connect-discovery-1_0.html#RFC5785) [RFC5785] and apply to the Issuer value when it contains no path component. openid-configuration MUST point to a JSON document compliant with this specification and MUST be returned using the application/json content type. The openid-configuration endpoint SHOULD support the use of [Cross-Origin Resource Sharing (CORS)](https://openid.net/specs/openid-connect-discovery-1_0.html#CORS) [CORS] and/or other methods as appropriate to enable JavaScript Clients and other Browser-Based Clients to access it.
This means that we can use environment variables to point Phoenix to the configuration at
/.well-known/openid-configuration
in order to know authorization server metadata such as the authorize and access token urls.The environment variables currently required are:
PHOENIX_OAUTH2_<idp>_CLIENT_ID
PHOENIX_OAUTH2_<idp>_CLIENT_SECRET
PHOENIX_OAUTH2_<idp>_SERVER_METADATA_URL
For the following IDPs, we provide logos on the login page:
GOOGLE
MICROSOFT_ENTRA_ID
(previously known as Azure Active Directory)AWS_COGNITO
As a follow-up, we can add IDP-specific environment variables to help construct the server metadata url (e.g., using a tenant ID for Microsoft Entra ID).
resolves #4649
resolves #4653
resolves #4657
resolves #4654