feat: added OAuth login#200
Conversation
9d0357e to
da04a22
Compare
There was a problem hiding this comment.
Pull Request Overview
This PR implements OAuth (specifically OIDC) login functionality for the sun-ui application. It adds comprehensive support for authenticating users through an external OIDC provider (like Logto or My Nethesis) as an alternative to traditional username/password authentication.
Key Changes:
- Added OIDC client-side integration with login button and callback handling
- Implemented secure backend OIDC authentication flow with state validation and token exchange
- Added comprehensive error handling and internationalization support
Reviewed Changes
Copilot reviewed 11 out of 12 changed files in this pull request and generated 7 comments.
Show a summary per file
| File | Description |
|---|---|
| sun/sun-ui/src/styles/main.css | Added CSS styles for OIDC login UI components including buttons, separators, and responsive design |
| sun/sun-ui/src/services/login.js | Added OIDC login methods for initiating authentication and fetching provider configuration |
| sun/sun-ui/src/routes/router.js | Added login callback route handler for processing OIDC authentication responses |
| sun/sun-ui/src/i18n/locale-it.json | Added Italian translations for OIDC login messages and error states |
| sun/sun-ui/src/i18n/locale-en.json | Added English translations for OIDC login messages and error states |
| sun/sun-ui/src/App.vue | Updated login UI to include OIDC authentication option and error handling |
| sun/sun-api/methods/authentication.go | Implemented complete OIDC authentication backend with secure state management and token exchange |
| sun/sun-api/main.go | Added OIDC API endpoints to the router configuration |
| sun/sun-api/configuration/configuration.go | Added OIDC configuration structure for provider settings |
| go.mod | Added required OIDC and OAuth2 dependencies |
| deploy/ansible/roles/sun/templates/sun-api-conf.j2 | Added OIDC configuration template for deployment |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
There was a problem hiding this comment.
Pull Request Overview
Copilot reviewed 11 out of 12 changed files in this pull request and generated 5 comments.
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull Request Overview
Copilot reviewed 11 out of 12 changed files in this pull request and generated 1 comment.
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
Fixes CVE-2025-22868 (golang.org/x/oauth2) and the go-jose CVEs pulled in by go-oidc v3.5.0. CI updated to Go 1.25 accordingly.
Login with My Nethesis now works at company level: users holding the Admin global role in a My reseller organization log in as the Icaro account linked through the new accounts.logto_org_id column (never matched by email). Super admins keep mapping to the Icaro admin. Flow hardening: state bound to the browser via HttpOnly cookie, nonce and PKCE S256 on the authorization request, capped state store, cached OIDC provider, crypto/rand session tokens, no error details leaked to clients, audit of the actual My user in the token description. First login of an unlinked reseller organization is verified against the My API and provisions the company account just in time (default subscription plan, org name/email), replacing the legacy My "Get credentials" action. scripts/ contains the one-time bootstrap that links existing accounts, with its runbook.
Units obtain a session token through the browser OIDC login without sharing an origin with the frontend: /auth/oidc/device/start creates a pairing (secret device_code held by the unit + public pair_id), the login flow carries ?pair= and the callback attaches the minted token to the pairing instead of redirecting to the SPA, rendering a themed result page with account, user and unit. The unit polls /auth/oidc/device/poll and receives the token exactly once; callback failures reach the poll instead of timing out. Pairing tokens record the unit name in the token description for auditing.
|
Added OIDC device pairing for NethSecurity units ( |
Reference: