Add authentication via OpenID Connect #29
Merged
emanuelelaface merged 18 commits into master on Mar 3, 2025
Project is abandoned. No update in 4 years. Need a patch to customize the default Swagger UI.
Custom doc will be added in main app.
session is used
Allow supporting the old authentication method for the API even when OIDC is enabled. We need a period to support both until all clients are updated.
Allow using the session cookie created when logging in via the web UI. No need to implement login via Authorize in Swagger UI. We load some custom JavaScript to inject a dummy bearer token that is required by most API endpoints. The session cookie is HttpOnly and can't be retrieved from JavaScript. The token is only used to force the app to check the session to see if the user is logged in or not.
To use `| None`, we need at least Python 3.10. We use 3.11 in the Docker image. No need to support versions below that.
Added authentication via OpenID Connect (Keycloak) both for the web UI and the API.
This is enabled via the OPENID_ENABLED variable (defaults to False). When enabled, login to the web UI can only be done via OIDC. But it's still possible to use the old authentication for the API (via /api/v2/login). This is required until all mobile clients have been updated. With some JavaScript, I inject a dummy token. When this token is received, the backend checks the session cookie instead to see if the user is logged in or not. Users logged in via the web UI don't have to authenticate again in Swagger UI.
To load some extra JavaScript, I had to patch fastapi-versioning to disable the doc endpoint and replace it with a custom one. I vendored that plugin as it hasn't been updated in 4 years.
New endpoint /open_id_connect to receive the OIDC code and code_verifier from the mobile clients. It allows retrieving an access_token and id_token. The id_token is validated as required by the standard. We can then retrieve the user info (see the flow described here). Upon success, we create a JWT token that is valid for 30 days (same as before) so that mobile clients don't have to log in every day. This new backend was deployed at MAX IV. We updated the Android client and will deploy it soon to take advantage of the new open_id_connect endpoint.
If OPENID_ENABLED is set to False, nothing should change.