server: refactor: introduce AuthUser interface
#838
Conversation
|
Note that there seems to be an issue with formatting in this project... I'm using VS Code along its Java extension to develop and it often feels like reorganizing or cleaning up imports. I'd be in favor of keeping the cleanup as part of these changes. It would be good to look into making auto-formatting part of the build step, maybe as a gradle plugin of some kind? |
server/src/main/java/org/eclipse/openvsx/security/DefaultAuthUser.java
Outdated
Show resolved
Hide resolved
|
Rebased my branch. |
server/src/main/java/org/eclipse/openvsx/security/AuthUserFactory.java
Outdated
Show resolved
Hide resolved
|
@HeikoBoettger Can you share which additional identity provider you were able to implement using this PR? |
@amvanbaren Somehow I lost my comment. The PR didn't help completely, what is missing is basically a mapping of the login-attribute. One could add a GitLab specific mapping to the code, what I did based on this merge request adding a completely new generic provider type which uses additional setting from the application.yaml file defining for the web-interface what provider to use for the login-link and how to map the login (supporting mapping any of the attributes in the AuthUserFactory). If the code could be changed to use spring.security.oauth2.client.provider.[providerId].user-name-attribute / providerDetails.userInfoEndpoint.userNameAttributeName as described in https://docs.spring.io/spring-security/reference/servlet/oauth2/login/core.html#oauth2login-sample-application-config. Instead of login I could abuse the GitHub provider entry. To fully support other providers the UI would require a change to select the login method and the AuthToken inside the UserData class need to be contain a map from provider to token: Or the code gets simplified to just store an AuthToken for one provider at a time. I don't know why there are two fields in the UserData when there is only one provider-String. |
|
@paul-marechal Is it possible to rebase this branch on to the latest master? |
The |
Replace the references to `OAuth2User` by `AuthUser`. This allows downstream extenders to more easily contribute alternative OAuth2 providers: If the expected data is stored in different attributes it will be possible to bridge it by implementing the proper `AuthUser`.
paul-marechal
force-pushed
the
auth-user
branch
from
8f65be8 to
0e07da9
Compare
Introduce a configuration to define attribute names to use when mapping attributes from an auth provider.
Allow configuring the auth for arbitrary providers (other than github).
|
Ok so I initially didn't want to bother implementing the configuration of attributes because it adds a decent amount of complexity... I changed my mind figuring it might make someone else's life easier. The configuration may look like this: ovsx:
auth:
attribute-names:
gitlab:
avatar-url: awdawd
email: awdawd
full-name: awdawd
login-name: awdawd
provider-url: awdawdWe don't need to define mappings for |
|
@paul-marechal Thanks for providing the configuration. I'll try to configure Google OAuth using this PR. |
|
I want to apologize for forgetting to transpose code to handle Second, there's still a need to manually edit the webui code to change the OAuth2 authorization endpoint used from This PR is slowly growing bigger than what we required on our fork so I hope this will help. |
Yes, the login url is hardcoded in the webui: openvsx/webui/src/extension-registry-service.ts Lines 27 to 29 in 0f5315d The openvsx/server/src/main/java/org/eclipse/openvsx/UserAPI.java Lines 72 to 77 in 0f5315d |
|
I implemented the dynamic redirection based on a server configuration, I didn't encounter a CORS error? ovsx:
auth:
provider: azureopenvsx/server/src/main/java/org/eclipse/openvsx/UserAPI.java Lines 75 to 80 in 1abe659 |
|
Using the latest commit I can now assert that no more code changes are required to configure a custom provider (following our use cases) as I was able to completely configure authentication to Azure using only the server spring config. I initially forgot to include a few modifications... |
|
@paul-marechal Just to give an early feedback. I compared your changes with the modifications I did on my local branch I was thinking of contributing and it's more or less the same. One thing I wonder is, do you use the githubToken to store the token in the database (UserData)? The TokenService also contains a switch block with the providers. |
|
I didn't find it required to store anything in |
server/src/main/java/org/eclipse/openvsx/security/OAuth2UserServices.java
Outdated
Show resolved
Hide resolved
|
Note sure whether I did something wrong but I get an error message: "Missing configuration: ovsx.auth.attribute-names.gitlab". |
|
@paul-marechal First of all thank you for this awesome work.
I used the following values for gitlab: ovsx:
auth:
attribute-names:
gitlab:
avatar-url: avatar_url
email: email
full-name: name
login-name: usernameI don't know what to set for the For |
|
For completeness this is the configuration inside |
|
I noticed that there's another PR opened which allows to auth users without oauth2, so I renamed the configuration I introduced from I also updated the main PR description with a configuration example I took from @HeikoBoettger-KarlStorz :) |
Replace the references to
OAuth2UserbyAuthUser. This allows downstream extenders to more easily contribute alternative OAuth2 providers: If the expected data is stored in different attributes it will be possible to bridge it by implementing the properAuthUser.New configuration example: