feat: add generic OIDC authentication support #202
Open
Add support for any OpenID Connect provider (Okta, Auth0, Keycloak, Azure AD, etc.) similar to how Coder handles OIDC.

Changes:
- Add OIDC bindings to Bindings interface (OIDC_ISSUER_URL, OIDC_CLIENT_ID, etc.)
- Extend provider type in schema to include 'oidc'
- Implement OIDC discovery with caching (.well-known/openid-configuration)
- Add initiateOIDCFlow() and handleOIDCCallback() functions
- Add configurable claim mapping for email/username extraction
- Add routes: GET /signin/oidc and GET /callback/oidc
- Update /providers endpoint to conditionally include OIDC when configured
- Wire up OIDC env vars in packages/server for self-hosted mode
- Add 14 comprehensive tests for OIDC functionality

Configuration:
- OIDC_ISSUER_URL - OIDC provider's issuer URL (required)
- OIDC_CLIENT_ID - OAuth client ID (required)
- OIDC_CLIENT_SECRET - OAuth client secret (required)
- OIDC_SCOPES - Custom scopes (default: 'openid profile email')
- OIDC_EMAIL_FIELD - Claim for email (default: 'email')
- OIDC_USERNAME_FIELD - Claim for username (default: 'preferred_username')
- OIDC_AUTH_URL_PARAMS - Extra auth URL params as JSON
- OIDC_IGNORE_EMAIL_VERIFIED - Skip email verification check
- OIDC_SIGN_IN_TEXT - Custom button text
- OIDC_ICON_URL - Custom button icon

Callback URL: https://<domain>/api/auth/callback/oidc
- Dynamically fetch OIDC provider from /api/auth/providers
- Show OIDC sign-in button when provider is configured
- Support custom button text and icon from OIDC_SIGN_IN_TEXT/OIDC_ICON_URL
- Add error messages for OIDC-specific error codes
- Track 'oidc' as last login provider
…fallback
- Add OIDC_AUTH_ENDPOINT, OIDC_TOKEN_ENDPOINT, OIDC_USERINFO_ENDPOINT env vars
- These override auto-discovery when set, useful for OAuth2 servers without OIDC
- Add fallback to /.well-known/oauth-authorization-server (RFC 8414)
- Supports Coder and other OAuth2-only providers
Coder and other OAuth2 providers return 'id' instead of OIDC's 'sub' claim
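The endpoint resolution (manual overrides, then OIDC discovery, then the RFC 8414 fallback), the discovery cache, and the claim mapping with the 'sub'/'id' fallback described in the PR description and the commits above, as an added example that is not the project's own code. The names OidcEnv, FetchJson, resolveEndpoints and mapClaims are assumptions; fetching is injected so the block runs offline, and the issuer-match check on the discovery document is an added caveat from the discovery specs.

```typescript
// Added example (not the PR's code). Env keys follow the PR; type and function names are assumptions.
type OidcEnv = Partial<Record<
  | "OIDC_ISSUER_URL" | "OIDC_AUTH_ENDPOINT" | "OIDC_TOKEN_ENDPOINT" | "OIDC_USERINFO_ENDPOINT"
  | "OIDC_EMAIL_FIELD" | "OIDC_USERNAME_FIELD" | "OIDC_IGNORE_EMAIL_VERIFIED", string>>;
type Endpoints = { authorization: string; token: string; userinfo?: string };
type Claims = Record<string, unknown>;
// Stand-in for fetch(): resolves to the parsed JSON document at a URL, or null on a non-2xx response.
type FetchJson = (url: string) => Promise<Claims | null>;

const cache = new Map<string, Endpoints>(); // per-issuer discovery cache, filled on first lookup

async function resolveEndpoints(env: OidcEnv, fetchJson: FetchJson): Promise<Endpoints> {
  // Explicit endpoints win over discovery (OAuth2-only servers without OIDC metadata).
  if (env.OIDC_AUTH_ENDPOINT && env.OIDC_TOKEN_ENDPOINT) {
    return { authorization: env.OIDC_AUTH_ENDPOINT, token: env.OIDC_TOKEN_ENDPOINT, userinfo: env.OIDC_USERINFO_ENDPOINT };
  }
  const issuer = (env.OIDC_ISSUER_URL ?? "").replace(/\/$/, "");
  if (!issuer) throw new Error("OIDC_ISSUER_URL is required");
  const hit = cache.get(issuer);
  if (hit) return hit;
  // OIDC discovery first, then the RFC 8414 authorization-server metadata location.
  for (const path of ["/.well-known/openid-configuration", "/.well-known/oauth-authorization-server"]) {
    const doc = await fetchJson(issuer + path);
    if (!doc) continue;
    // Both specs require the document's issuer to equal the issuer it was fetched for.
    if (doc.issuer !== issuer) throw new Error("issuer mismatch in discovery document");
    const ep: Endpoints = {
      authorization: String(doc.authorization_endpoint),
      token: String(doc.token_endpoint),
      userinfo: typeof doc.userinfo_endpoint === "string" ? doc.userinfo_endpoint : undefined,
    };
    cache.set(issuer, ep);
    return ep;
  }
  throw new Error("no discovery document found for " + issuer);
}

function mapClaims(claims: Claims, env: OidcEnv): { subject: string; email: string; username: string } {
  // Coder-style OAuth2 servers expose 'id' rather than the OIDC 'sub' claim.
  const subject = claims.sub ?? claims.id;
  if (typeof subject !== "string" || subject === "") throw new Error("no subject claim");
  const email = claims[env.OIDC_EMAIL_FIELD ?? "email"];
  if (typeof email !== "string") throw new Error("no email claim");
  // Refuse unverified emails unless the operator explicitly opted out.
  if (env.OIDC_IGNORE_EMAIL_VERIFIED !== "true" && claims.email_verified !== true) throw new Error("email not verified");
  const username = claims[env.OIDC_USERNAME_FIELD ?? "preferred_username"];
  return { subject, email, username: typeof username === "string" ? username : email };
}
```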
Testing
Added 14 tests covering:
All new OIDC tests pass locally.