feat(auth): oauth2proxy (#2014)

Co-authored-by: Tal <[email protected]>

.gitignore

@@ -198,6 +198,8 @@ tempo-data/
 # docs
 docs/node_modules/
 
+oauth2.cfg
+
 
 scripts/automatic_extraction_rules.py
 
@@ -209,3 +211,4 @@ ee/experimental/ai_temp/*
 
 oauth2.cfg
 scripts/keep_slack_bot.py
+keepnew.db

docs/deployment/authentication/oauth2proxy-auth.mdx

@@ -0,0 +1,32 @@
+---
+title: "OAuth2Proxy Authentication"
+---
+
+Delegate authentication to Oauth2Proxy.
+
+
+### When to Use
+
+- **oauth2-proxy user:** Use this authentication method if you want to delegate authentication to an external Oauth2Proxy service.
+
+### Setup Instructions
+
+To start Keep with Oauth2Proxy authentication, set the following environment variables:
+
+#### Frontend Environment Variables
+
+| Environment Variable | Description | Required | Default Value |
+|--------------------|-----------|:--------:|:-------------:|
+| AUTH_TYPE | Set to 'OAUTH2PROXY' for OAUTH2PROXY authentication | Yes | - |
+
+#### Backend Environment Variables
+
+| Environment Variable | Description | Required | Default Value |
+|--------------------|-----------|:--------:|:-------------:|
+| AUTH_TYPE | Set to 'OAUTH2PROXY' for OAUTH2PROXY authentication | Yes | - |
+| KEEP_OAUTH2_PROXY_USER_HEADER | Header for the authenticated user's email | Yes | x-forwarded-email |
+| KEEP_OAUTH2_PROXY_ROLE_HEADER | Header for the authenticated user's role | Yes | x-forwarded-groups |
+| KEEP_OAUTH2_PROXY_AUTO_CREATE_USER | Automatically create user if not exists | No | true |
+| KEEP_OAUTH2_PROXY_ADMIN_ROLE | Role name for admin users | No | admin |
+| KEEP_OAUTH2_PROXY_NOC_ROLE | Role name for NOC (Network Operations Center) users | No | noc |
+| KEEP_OAUTH2_PROXY_WEBHOOK_ROLE | Role name for webhook users | No | webhook |

docs/deployment/authentication/overview.mdx

@@ -20,12 +20,13 @@ Choosing the right authentication strategy depends on your specific use case, se
 
 ### Authentication Features Comparison
 
-| Identity Provider | RBAC | SAML/OIDC | SSO | LDAP | Resource-based permission | User Management | Group Management | On Prem | License |
-|:---:|:----:|:---------:|:---:|:----:|:-------------------------:|:----------------:|:-----------------:|:-------:|:-------:|
-| **No Auth** | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | **OSS** |
-| **DB** | ✅ <br />(Predefiend roles) | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ✅ | **OSS** |
-| **Auth0** | ✅ <br />(Predefiend roles) | ✅ | ✅ | 🚧 | 🚧 | ✅ | 🚧 | ❌ | **EE** |
-| **Keycloak** | ✅ <br />(Custom roles) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | **EE** |
+| Identity Provider | RBAC | SAML/OIDC/SSO | LDAP | Resource-based permission | User Management | Group Management | On Prem | License |
+|:---:|:----:|:---------:|:----:|:-------------------------:|:----------------:|:-----------------:|:-------:|:-------:|
+| **No Auth** | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | **OSS** |
+| **DB** | ✅ <br />(Predefiend roles) | ❌ | ❌ | ✅ | ✅ | ❌ | ✅ | **OSS** |
+| **Auth0** | ✅ <br />(Predefiend roles) | ✅ | 🚧 | 🚧 | ✅ | 🚧 | ❌ | **EE** |
+| **Keycloak** | ✅ <br />(Custom roles) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | **EE** |
+| **Oauth2Proxy** | ✅ <br />(Predefiend roles) | ✅ | ❌ | ❌ | N/A | N/A | ✅ | **OSS** |
 ### How To Configure
 <Tip>
 Some authentication providers require additional environment variables. These will be covered in detail on the specific authentication provider pages.
@@ -39,5 +40,6 @@ The authentication scheme on Keep is controlled with environment variables both
 | **DB** | `AUTH_TYPE=DB` | `KEEP_JWT_SECRET` |
 | **Auth0** | `AUTH_TYPE=AUTH0` | `AUTH0_DOMAIN`, `AUTH0_CLIENT_ID`, `AUTH0_CLIENT_SECRET` |
 | **Keycloak** | `AUTH_TYPE=KEYCLOAK` | `KEYCLOAK_URL`, `KEYCLOAK_REALM`, `KEYCLOAK_CLIENT_ID`, `KEYCLOAK_CLIENT_SECRET` |
+| **Oauth2Proxy** | `AUTH_TYPE=OAUTH2PROXY` | `OAUTH2_PROXY_USER_HEADER`, `OAUTH2_PROXY_ROLE_HEADER`, `OAUTH2_PROXY_AUTO_CREATE_USER` |
 
 For more details on each authentication strategy, including setup instructions and implications, refer to the respective sections.

docs/mint.json

@@ -63,7 +63,8 @@
  "deployment/authentication/no-auth",
  "deployment/authentication/db-auth",
  "deployment/authentication/auth0-auth",
- "deployment/authentication/keycloak-auth"
+ "deployment/authentication/keycloak-auth",
+ "deployment/authentication/oauth2proxy-auth"
  ]
  },
  {

keep-ui/pages/api/auth/[...nextauth].ts

@@ -331,6 +331,7 @@ export const authOptions =
  ? singleTenantAuthOptions
  : authType === AuthenticationType.KEYCLOAK
  ? keycloakAuthOptions
+ // oauth2proxy same configuration as noauth
  : noAuthOptions;
 
 export default NextAuth(authOptions);

keep-ui/utils/authenticationType.ts

@@ -4,6 +4,7 @@ export enum AuthenticationType {
  AUTH0 = "AUTH0",
  DB = "DB",
  KEYCLOAK = "KEYCLOAK",
+ OAUTH2PROXY = "OAUTH2PROXY",
  NOAUTH = "NOAUTH" // Default
 }
 

keep/api/api.py

@@ -29,7 +29,6 @@
  KEEP_ARQ_TASK_POOL_BASIC_PROCESSING,
  KEEP_ARQ_TASK_POOL_NONE,
 )
-from keep.api.core.config import AuthenticationType
 from keep.api.core.db import get_api_key
 from keep.api.core.dependencies import SINGLE_TENANT_UUID
 from keep.api.logging import CONFIG as logging_config
@@ -59,7 +58,10 @@
 from keep.api.routes.auth import groups as auth_groups
 from keep.api.routes.auth import permissions, roles, users
 from keep.event_subscriber.event_subscriber import EventSubscriber
-from keep.identitymanager.identitymanagerfactory import IdentityManagerFactory
+from keep.identitymanager.identitymanagerfactory import (
+ IdentityManagerFactory,
+ IdentityManagerTypes,
+)
 from keep.posthog.posthog import get_posthog_client
 
 # load all providers into cache
@@ -77,7 +79,7 @@
 SCHEDULER = os.environ.get("SCHEDULER", "true") == "true"
 CONSUMER = os.environ.get("CONSUMER", "true") == "true"
 
-AUTH_TYPE = os.environ.get("AUTH_TYPE", AuthenticationType.NO_AUTH.value)
+AUTH_TYPE = os.environ.get("AUTH_TYPE", IdentityManagerTypes.NOAUTH.value).lower()
 PROVISION_RESOURCES = os.environ.get("PROVISION_RESOURCES", "true") == "true"
 try:
  KEEP_VERSION = metadata.version("keep")
@@ -178,7 +180,7 @@ async def dispatch(self, request: Request, call_next):
 
 
 def get_app(
- auth_type: AuthenticationType = AuthenticationType.NO_AUTH.value,
+ auth_type: IdentityManagerTypes = IdentityManagerTypes.NOAUTH.value,
 ) -> FastAPI:
  if not os.environ.get("KEEP_API_URL", None):
  os.environ["KEEP_API_URL"] = f"http://{HOST}:{PORT}"
@@ -344,6 +346,11 @@ async def log_middleware(request: Request, call_next):
  f"Request started: {request.method} {request.url.path}",
  extra={"tenant_id": identity},
  )
+
+ # for debugging purposes, log the payload
+ if os.environ.get("LOG_AUTH_PAYLOAD", "false") == "true":
+ logger.info(f"Request headers: {request.headers}")
+
  start_time = time.time()
  request.state.tenant_id = identity
  response = await call_next(request)

keep/api/config.py

@@ -3,9 +3,9 @@
 
 import keep.api.logging
 from keep.api.api import AUTH_TYPE
-from keep.api.core.config import AuthenticationType
 from keep.api.core.db_on_start import migrate_db, try_create_single_tenant
 from keep.api.core.dependencies import SINGLE_TENANT_UUID
+from keep.identitymanager.identitymanagerfactory import IdentityManagerTypes
 
 PORT = int(os.environ.get("PORT", 8080))
 
@@ -16,15 +16,24 @@
 def on_starting(server=None):
  """This function is called by the gunicorn server when it starts"""
  logger.info("Keep server starting")
- 
+
  migrate_db()
 
  # Create single tenant if it doesn't exist
  if AUTH_TYPE in [
- AuthenticationType.SINGLE_TENANT.value,
- AuthenticationType.NO_AUTH.value,
+ IdentityManagerTypes.DB.value,
+ IdentityManagerTypes.NOAUTH.value,
+ IdentityManagerTypes.OAUTH2PROXY.value,
+ "no_auth", # backwards compatibility
+ "single_tenant", # backwards compatibility
  ]:
- try_create_single_tenant(SINGLE_TENANT_UUID)
+ # for oauth2proxy, we don't want to create the default user
+ try_create_single_tenant(
+ SINGLE_TENANT_UUID,
+ create_default_user=(
+ False if AUTH_TYPE == IdentityManagerTypes.OAUTH2PROXY.value else True
+ ),
+ )
 
  if os.environ.get("USE_NGROK", "false") == "true":
  from pyngrok import ngrok

keep/api/core/config.py

@@ -1,5 +1,4 @@
 import pathlib
-from enum import Enum
 
 from starlette.config import Config
 
@@ -10,10 +9,3 @@
  config = Config(BASE_DIR / ".env")
 except FileNotFoundError:
  config = Config()
-
-
-class AuthenticationType(Enum):
- MULTI_TENANT = "MULTI_TENANT"
- SINGLE_TENANT = "SINGLE_TENANT"
- KEYCLOAK = "KEYCLOAK"
- NO_AUTH = "NO_AUTH"

keep/api/core/db.py

@@ -1421,6 +1421,38 @@ def create_user(tenant_id, username, password, role):
  return user
 
 
+def update_user_last_sign_in(tenant_id, username):
+ from keep.api.models.db.user import User
+
+ with Session(engine) as session:
+ user = session.exec(
+ select(User)
+ .where(User.tenant_id == tenant_id)
+ .where(User.username == username)
+ ).first()
+ if user:
+ user.last_sign_in = datetime.utcnow()
+ session.add(user)
+ session.commit()
+ return user
+
+
+def update_user_role(tenant_id, username, role):
+ from keep.api.models.db.user import User
+
+ with Session(engine) as session:
+ user = session.exec(
+ select(User)
+ .where(User.tenant_id == tenant_id)
+ .where(User.username == username)
+ ).first()
+ if user and user.role != role:
+ user.role = role
+ session.add(user)
+ session.commit()
+ return user
+
+
 def save_workflow_results(tenant_id, workflow_execution_id, workflow_results):
  with Session(engine) as session:
  workflow_execution = session.exec(

keep/api/core/db_on_start.py

@@ -42,7 +42,7 @@
 engine = create_db_engine()
 
 
-def try_create_single_tenant(tenant_id: str) -> None:
+def try_create_single_tenant(tenant_id: str, create_default_user=True) -> None:
  """
  Creates the single tenant and the default user if they don't exist.
  """
@@ -71,7 +71,7 @@ def try_create_single_tenant(tenant_id: str) -> None:
  # check if at least one user exists:
  user = session.exec(select(User)).first()
  # if no users exist, let's create the default user
- if not user:
+ if not user and create_default_user:
  logger.info("Creating default user")
  default_username = os.environ.get("KEEP_DEFAULT_USERNAME", "keep")
  default_password = hashlib.sha256(
@@ -150,7 +150,7 @@ def try_create_single_tenant(tenant_id: str) -> None:
  pass
  logger.info(f"Api key {api_key_name} provisioned")
  logger.info("Api keys provisioned")
- 
+
  # commit the changes
  session.commit()
  logger.info("Single tenant created")
@@ -181,4 +181,4 @@ def migrate_db():
  os.path.dirname(os.path.abspath(__file__)) + "/../models/db/migrations",
  )
  alembic.command.upgrade(config, "head")
- logger.info("Finished migrations")
+ logger.info("Finished migrations")

keep/api/routes/settings.py

@@ -1,7 +1,6 @@
 import io
 import json
 import logging
-import os
 import smtplib
 from email.mime.text import MIMEText
 from typing import Optional, Tuple
@@ -11,11 +10,10 @@
 from pydantic import BaseModel, Field
 from sqlmodel import Session
 
-from keep.api.core.config import AuthenticationType, config
+from keep.api.core.config import config
 from keep.api.core.db import get_session
 from keep.api.models.alert import AlertDto
 from keep.api.models.smtp import SMTPSettings
-from keep.api.models.user import User
 from keep.api.models.webhook import WebhookSettings
 from keep.api.utils.tenant_utils import (
  create_api_key,
@@ -35,8 +33,6 @@
 
 logger = logging.getLogger(__name__)
 
-auth_type = os.environ.get("AUTH_TYPE", AuthenticationType.NO_AUTH.value)
-
 
 class CreateUserRequest(BaseModel):
  email: str = Field(alias="username")
@@ -83,63 +79,6 @@ def webhook_settings(
  )
 
 
-@router.get("/users", description="Get all users")
-def get_users(
- authenticated_entity: AuthenticatedEntity = Depends(
- IdentityManagerFactory.get_auth_verifier(["read:settings"])
- ),
-) -> list[User]:
- tenant_id = authenticated_entity.tenant_id
- identity_manager = IdentityManagerFactory.get_identity_manager(
- tenant_id=tenant_id,
- identity_manager_type=auth_type,
- context_manager=ContextManager(tenant_id=tenant_id),
- )
- users = identity_manager.get_users()
- return users
-
-
-@router.delete("/users/{user_email}", description="Delete a user")
-def delete_user(
- user_email: str,
- authenticated_entity: AuthenticatedEntity = Depends(
- IdentityManagerFactory.get_auth_verifier(["delete:settings"])
- ),
-):
- tenant_id = authenticated_entity.tenant_id
- identity_manager = IdentityManagerFactory.get_identity_manager(
- tenant_id=tenant_id,
- identity_manager_type=auth_type,
- context_manager=ContextManager(tenant_id=tenant_id),
- )
-
- return identity_manager.delete_user(user_email)
-
-
-@router.post("/users", description="Create a user")
-async def create_user(
- request_data: CreateUserRequest,
- authenticated_entity: AuthenticatedEntity = Depends(
- IdentityManagerFactory.get_auth_verifier(["write:settings"])
- ),
-):
- tenant_id = authenticated_entity.tenant_id
- user_email = request_data.email
- password = request_data.password
- role = request_data.role
-
- if not user_email:
- raise HTTPException(status_code=400, detail="Email is required")
-
- identity_manager = IdentityManagerFactory.get_identity_manager(
- tenant_id=tenant_id,
- identity_manager_type=auth_type,
- context_manager=ContextManager(tenant_id=tenant_id),
- )
- user = identity_manager.create_user(user_email, password, role)
- return user
-
-
 @router.post("/smtp", description="Install or update SMTP settings")
 async def update_smtp_settings(
  smtp_settings: SMTPSettings = Body(...),
@@ -430,7 +369,6 @@ async def get_sso_settings(
 ):
  identity_manager = IdentityManagerFactory.get_identity_manager(
  tenant_id=authenticated_entity.tenant_id,
- identity_manager_type=auth_type,
  context_manager=ContextManager(tenant_id=authenticated_entity.tenant_id),
  )
 

keep/identitymanager/identity_managers/db/db_authverifier.py

@@ -17,6 +17,7 @@ def _verify_bearer_token(self, token: str) -> AuthenticatedEntity:
  # validate the token
  jwt_secret = os.environ.get("KEEP_JWT_SECRET")
  if not jwt_secret:
+ self.logger.warning("missing KEEP_JWT_SECRET environment variable")
  raise HTTPException(status_code=401, detail="Missing JWT secret")
 
  try: