Skip to content

feat: added OAuth login#200

Open
edospadoni wants to merge 9 commits into
masterfrom
oauth_identity
Open

feat: added OAuth login#200
edospadoni wants to merge 9 commits into
masterfrom
oauth_identity

Conversation

@edospadoni

@edospadoni edospadoni commented Sep 10, 2025

Copy link
Copy Markdown
Member

@edospadoni edospadoni requested a review from Amygos September 10, 2025 14:42
@edospadoni edospadoni marked this pull request as ready for review September 10, 2025 14:42
@Amygos Amygos requested a review from Copilot September 11, 2025 08:57

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR implements OAuth (specifically OIDC) login functionality for the sun-ui application. It adds comprehensive support for authenticating users through an external OIDC provider (like Logto or My Nethesis) as an alternative to traditional username/password authentication.

Key Changes:

  • Added OIDC client-side integration with login button and callback handling
  • Implemented secure backend OIDC authentication flow with state validation and token exchange
  • Added comprehensive error handling and internationalization support

Reviewed Changes

Copilot reviewed 11 out of 12 changed files in this pull request and generated 7 comments.

Show a summary per file
File Description
sun/sun-ui/src/styles/main.css Added CSS styles for OIDC login UI components including buttons, separators, and responsive design
sun/sun-ui/src/services/login.js Added OIDC login methods for initiating authentication and fetching provider configuration
sun/sun-ui/src/routes/router.js Added login callback route handler for processing OIDC authentication responses
sun/sun-ui/src/i18n/locale-it.json Added Italian translations for OIDC login messages and error states
sun/sun-ui/src/i18n/locale-en.json Added English translations for OIDC login messages and error states
sun/sun-ui/src/App.vue Updated login UI to include OIDC authentication option and error handling
sun/sun-api/methods/authentication.go Implemented complete OIDC authentication backend with secure state management and token exchange
sun/sun-api/main.go Added OIDC API endpoints to the router configuration
sun/sun-api/configuration/configuration.go Added OIDC configuration structure for provider settings
go.mod Added required OIDC and OAuth2 dependencies
deploy/ansible/roles/sun/templates/sun-api-conf.j2 Added OIDC configuration template for deployment

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

Comment thread sun/sun-ui/src/routes/router.js Outdated
Comment thread sun/sun-ui/src/routes/router.js Outdated
Comment thread sun/sun-ui/src/routes/router.js Outdated
Comment thread sun/sun-ui/src/routes/router.js Outdated
Comment thread sun/sun-api/methods/authentication.go Outdated
Comment thread sun/sun-api/methods/authentication.go Outdated
Comment thread sun/sun-api/methods/authentication.go Outdated
@Amygos Amygos requested a review from Copilot September 11, 2025 13:53

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

Copilot reviewed 11 out of 12 changed files in this pull request and generated 5 comments.


Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

Comment thread sun/sun-ui/src/i18n/locale-en.json Outdated
Comment thread sun/sun-ui/src/routes/router.js
Comment thread sun/sun-api/methods/authentication.go Outdated
Comment thread sun/sun-api/methods/authentication.go
Comment thread sun/sun-api/methods/authentication.go Outdated
edospadoni and others added 2 commits September 11, 2025 16:17
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@Amygos Amygos requested a review from Copilot September 18, 2025 08:43

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

Copilot reviewed 11 out of 12 changed files in this pull request and generated 1 comment.


Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

Comment thread sun/sun-api/methods/authentication.go Outdated
Fixes CVE-2025-22868 (golang.org/x/oauth2) and the go-jose CVEs pulled
in by go-oidc v3.5.0. CI updated to Go 1.25 accordingly.
Login with My Nethesis now works at company level: users holding the
Admin global role in a My reseller organization log in as the Icaro
account linked through the new accounts.logto_org_id column (never
matched by email). Super admins keep mapping to the Icaro admin.

Flow hardening: state bound to the browser via HttpOnly cookie, nonce
and PKCE S256 on the authorization request, capped state store, cached
OIDC provider, crypto/rand session tokens, no error details leaked to
clients, audit of the actual My user in the token description.

First login of an unlinked reseller organization is verified against
the My API and provisions the company account just in time (default
subscription plan, org name/email), replacing the legacy My
"Get credentials" action. scripts/ contains the one-time bootstrap
that links existing accounts, with its runbook.
Units obtain a session token through the browser OIDC login without
sharing an origin with the frontend: /auth/oidc/device/start creates a
pairing (secret device_code held by the unit + public pair_id), the
login flow carries ?pair= and the callback attaches the minted token
to the pairing instead of redirecting to the SPA, rendering a themed
result page with account, user and unit. The unit polls
/auth/oidc/device/poll and receives the token exactly once; callback
failures reach the poll instead of timing out. Pairing tokens record
the unit name in the token description for auditing.
@edospadoni

Copy link
Copy Markdown
Member Author

Added OIDC device pairing for NethSecurity units (2bdda86): POST /api/auth/oidc/device/start creates a pairing (secret device_code held by the unit + public pair_id), the login flow carries ?pair= and the callback hands the minted token to the pairing instead of the SPA (themed result page with account/user/unit); the unit polls POST /api/auth/oidc/device/poll and receives the token exactly once. Pairing tokens are audited via the token description ("OIDC device pairing by , unit: "). Validated e2e on staging with a real NethSecurity unit (NethServer/nethsecurity#1609 + NethServer/nethsecurity-ui#746).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants