mirror of
https://github.com/BookStackApp/BookStack.git
synced 2026-02-10 03:12:20 +03:00
[PR #2169] [MERGED] OpenID Connect SSO #5953
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/BookStackApp/BookStack/pull/2169
Author: @jasperweyne
Created: 7/2/2020
Status: ✅ Merged
Merged: 10/16/2021
Merged by: @ssddanbrown
Base:
master← Head:openid📝 Commits (10+)
07a6d76First basic OpenID Connect implementation25144a1Deduplicated getOrRegisterUser method10c8909Token expiration and refreshing using the refresh_token flow5df7db5Ignore ID token expiry if unavailable97cde9cGeneralize refresh failure handling13d0260Configurable OpenID Connect services75b4a05Add OpenIdService to OpenIdSessionGuard constructor call46388a5AccessToken empty array parameter on null6feaf25Increase robustness of the refresh method23402aeInitial unit tests for OpenID📊 Changes
24 files changed (+888 additions, -40 deletions)
View changed files
📝
.env.example.complete(+8 -0)📝
app/Auth/Access/ExternalAuthService.php(+37 -0)➕
app/Auth/Access/Guards/OpenIdSessionGuard.php(+79 -0)➕
app/Auth/Access/OpenIdService.php(+301 -0)📝
app/Auth/Access/Saml2Service.php(+2 -30)📝
app/Config/auth.php(+4 -0)➕
app/Config/openid.php(+46 -0)➕
app/Exceptions/OpenIdException.php(+6 -0)📝
app/Http/Controllers/Auth/LoginController.php(+1 -2)➕
app/Http/Controllers/Auth/OpenIdController.php(+70 -0)📝
app/Http/Controllers/UserController.php(+2 -2)📝
app/Http/Middleware/VerifyCsrfToken.php(+2 -1)📝
app/Providers/AuthServiceProvider.php(+13 -0)📝
composer.json(+2 -1)📝
composer.lock(+176 -1)📝
resources/lang/en/errors.php(+4 -0)➕
resources/views/auth/forms/login/openid.blade.php(+11 -0)📝
resources/views/common/header.blade.php(+2 -0)📝
resources/views/settings/index.blade.php(+1 -1)📝
resources/views/settings/roles/form.blade.php(+1 -1)...and 4 more files
📄 Description
Current Status
A basic Authorization Code flow functions. Tokens are stored in the session and are refreshed upon expiration. Basic tests are implemented. Request for feedback on the CodeClimate issues.
Description
Currently, Bookstack support both LDAP and SAML 2.0 for SSO. This pull request intends to extend support to OpenID Connect providers as well. It's built on top of steverhoades' OpenID Connect provider. This pull request intends to supports only Authorization Code flow and the Refresh Token flow from OAuth2, given the nature of Bookstack. The additional code mimics the structure of the existing SAML implementation, to heighten code maintainability.
Benefits
Given that some systems solely support OpenID Connect, this would extend the support SSO solutions. Although this number is quite small at this point in time, the number is non-zero. Moreover, the reduced complexity compared to SAML suggests a possible shift in the future.
Risks
Although all extra code adds some technical debt by nature, the code is based on the already existing SAML integration. Therefore, the additional technical debt should be fairly limited. Moreover, additional dependencies are created. Currently, the code is built on top of steverhoades/oauth2-openid-connect-client. This seemed to be the most efficient approach. Alternatively, the code could potentially be migrated to be built on top of the jumbojett/OpenID-Connect-PHP library.
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.