ManoManoTech / firefighter-incident

FireFighter is an incident management application, designed to work in Slack, and more.

Home Page:https://manomanotech.github.io/firefighter-incident/

Is SSO really optional ?

Nexyro opened this issue · comments

When starting Firefighter from scratch, I'm surprised to see errors about OIDC_* variables.

Steps to reproduce

  • Keep the default OIDC_* variables:
## SSO settings (optional)

OIDC_OP_DISCOVERY_DOCUMENT_URL=https://oauth.mycompany.local/auth/realms/realm/.well-known/openid-configuration
OIDC_RP_CLIENT_ID=firefighter-incident
OIDC_RP_CLIENT_SECRET=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

OIDC_MIDDLEWARE_LOGIN_REQUIRED_REDIRECT=False
  • Run application
  • See stack trace:
Traceback (most recent call last):
  File "/home/x2035933@ratpsmart.local/.config/mise/.venv/lib/python3.12/site-packages/django/core/handlers/exception.py", line 55, in inner
    response = get_response(request)
               ^^^^^^^^^^^^^^^^^^^^^
  File "/home/x2035933@ratpsmart.local/.config/mise/.venv/lib/python3.12/site-packages/django/core/handlers/base.py", line 197, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/x2035933@ratpsmart.local/.config/mise/.venv/lib/python3.12/site-packages/django/views/generic/base.py", line 104, in view
    return self.dispatch(request, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/x2035933@ratpsmart.local/.config/mise/.venv/lib/python3.12/site-packages/django/utils/decorators.py", line 46, in _wrapper
    return bound_method(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/x2035933@ratpsmart.local/.config/mise/.venv/lib/python3.12/site-packages/django/views/decorators/cache.py", line 62, in _wrapper_view_func
    response = view_func(request, *args, **kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/x2035933@ratpsmart.local/.config/mise/.venv/lib/python3.12/site-packages/oauth2_authcodeflow/views.py", line 51, in dispatch
    self._set_cache(request)
  File "/home/x2035933@ratpsmart.local/.config/mise/.venv/lib/python3.12/site-packages/oauth2_authcodeflow/views.py", line 58, in _set_cache
    for key, value in self.get_oidc_urls(request.session).items():
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/x2035933@ratpsmart.local/.config/mise/.venv/lib/python3.12/site-packages/oauth2_authcodeflow/utils.py", line 36, in get_oidc_urls
    doc_resp = request_get(settings.OIDC_OP_DISCOVERY_DOCUMENT_URL)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/x2035933@ratpsmart.local/.local/share/mise/installs/checkov/3.2.73/requests/api.py", line 73, in get
    return request("get", url, params=params, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/x2035933@ratpsmart.local/.local/share/mise/installs/checkov/3.2.73/requests/api.py", line 59, in request
    return session.request(method=method, url=url, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/x2035933@ratpsmart.local/.local/share/mise/installs/checkov/3.2.73/requests/sessions.py", line 589, in request
    resp = self.send(prep, **send_kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/x2035933@ratpsmart.local/.local/share/mise/installs/checkov/3.2.73/requests/sessions.py", line 703, in send
    r = adapter.send(request, **kwargs)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/x2035933@ratpsmart.local/.local/share/mise/installs/checkov/3.2.73/requests/adapters.py", line 519, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='oauth.mycompany.local', port=443): Max retries exceeded with url: /auth/realms/realm/.well-known/openid-configuration (Caused by NameResolutionError("<urllib3.connection.HTTPSConnection object at 0x777fb5a6a570>: Failed to resolve 'oauth.mycompany.local' ([Errno -3] Temporary failure in name resolution)"))

If I try to remove these variables, I have another error:

Traceback (most recent call last):
  File "/home/x2035933@ratpsmart.local/.config/mise/.venv/bin/ff-web", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/home/x2035933@ratpsmart.local/Documents/projects/firefighter-incident/src/main.py", line 36, in main
    setup()
  File "/home/x2035933@ratpsmart.local/.config/mise/.venv/lib/python3.12/site-packages/django/__init__.py", line 19, in setup
    configure_logging(settings.LOGGING_CONFIG, settings.LOGGING)
                      ^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/x2035933@ratpsmart.local/.config/mise/.venv/lib/python3.12/site-packages/django/conf/__init__.py", line 102, in __getattr__
    self._setup(name)
  File "/home/x2035933@ratpsmart.local/.config/mise/.venv/lib/python3.12/site-packages/django/conf/__init__.py", line 89, in _setup
    self._wrapped = Settings(settings_module)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/x2035933@ratpsmart.local/.config/mise/.venv/lib/python3.12/site-packages/django/conf/__init__.py", line 217, in __init__
    mod = importlib.import_module(self.SETTINGS_MODULE)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/x2035933@ratpsmart.local/.local/share/mise/installs/python/latest/lib/python3.12/importlib/__init__.py", line 90, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "<frozen importlib._bootstrap>", line 1387, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1360, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1310, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 488, in _call_with_frames_removed
  File "<frozen importlib._bootstrap>", line 1387, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1360, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1331, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 935, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 995, in exec_module
  File "<frozen importlib._bootstrap>", line 488, in _call_with_frames_removed
  File "/home/x2035933@ratpsmart.local/Documents/projects/firefighter-incident/src/firefighter/firefighter/__init__.py", line 24, in <module>
    from firefighter.firefighter.celery_client import app as celery_app
  File "/home/x2035933@ratpsmart.local/Documents/projects/firefighter-incident/src/firefighter/firefighter/celery_client.py", line 27, in <module>
    app.config_from_object(settings.CELERY_SETTINGS)
                           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/x2035933@ratpsmart.local/.config/mise/.venv/lib/python3.12/site-packages/django/conf/__init__.py", line 102, in __getattr__
    self._setup(name)
  File "/home/x2035933@ratpsmart.local/.config/mise/.venv/lib/python3.12/site-packages/django/conf/__init__.py", line 89, in _setup
    self._wrapped = Settings(settings_module)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/x2035933@ratpsmart.local/.config/mise/.venv/lib/python3.12/site-packages/django/conf/__init__.py", line 217, in __init__
    mod = importlib.import_module(self.SETTINGS_MODULE)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/x2035933@ratpsmart.local/.local/share/mise/installs/python/latest/lib/python3.12/importlib/__init__.py", line 90, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/x2035933@ratpsmart.local/Documents/projects/firefighter-incident/src/firefighter/firefighter/settings/__init__.py", line 41, in <module>
    from firefighter.firefighter.settings.settings_builder import *
  File "/home/x2035933@ratpsmart.local/Documents/projects/firefighter-incident/src/firefighter/firefighter/settings/settings_builder.py", line 10, in <module>
    from firefighter.firefighter.settings.components.celery import *
  File "/home/x2035933@ratpsmart.local/Documents/projects/firefighter-incident/src/firefighter/firefighter/settings/components/celery.py", line 5, in <module>
    from firefighter.firefighter.settings.components.common import TIME_ZONE, USE_TZ
  File "/home/x2035933@ratpsmart.local/Documents/projects/firefighter-incident/src/firefighter/firefighter/settings/components/common.py", line 244, in <module>
    OIDC_OP_DISCOVERY_DOCUMENT_URL = config("OIDC_OP_DISCOVERY_DOCUMENT_URL")
                                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/x2035933@ratpsmart.local/.config/mise/.venv/lib/python3.12/site-packages/decouple.py", line 248, in __call__
    return self.config(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/x2035933@ratpsmart.local/.config/mise/.venv/lib/python3.12/site-packages/decouple.py", line 107, in __call__
    return self.get(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/x2035933@ratpsmart.local/.config/mise/.venv/lib/python3.12/site-packages/decouple.py", line 92, in get
    raise UndefinedValueError('{} not found. Declare it as envvar or define a default value.'.format(option))
decouple.UndefinedValueError: OIDC_OP_DISCOVERY_DOCUMENT_URL not found. Declare it as envvar or define a default value.

Hello @Nexyro!

FireFighter was developed with SSO through OIDC in mind. This setup is currently not optional.

There is a dev setting FF_DEBUG_NO_SSO_REDIRECT to disable the SSO redirect, but you may still need to provide a valid configuration URL. You can then go to /admin/ to login using Django built-in username/password system.

While it's commonly used in enterprise and based on standards, we acknowledge that it's not a universal setup. However, we currently don't have the resources to implement a more generic auth system, but we will happily accept contributions that allow FireFighter to work with other auth methods.

If you want to try to replace the auth system manually, here are some hints:

  • OIDC app is loaded in settings/components/common.py in INSTALLED_APPS under the name oauth2_authcodeflow
  • Middleware is loaded in the same file, with oauth2_authcodeflow.middleware.LoginRequiredMiddleware
  • OIDC URLs are loaded in firefighter/urls.py, where oauth2_authcodeflow.urls is included.
  • There are multiple OIDC URL links included in templates, notably oidc_authentication and oidc_logout

A full text search of OIDC might help you spot other places where OIDC usage is assumed.
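The two tracebacks in the issue show the two failure points: with the template values left in place, the discovery document fetch fails at request time, and with the variables removed, python-decouple raises at import time because `config("OIDC_OP_DISCOVERY_DOCUMENT_URL")` has no default. The helper below is an added illustration, not FireFighter's code, of one way to gate the settings the maintainer lists (the `oauth2_authcodeflow` app, its `LoginRequiredMiddleware`, and the OIDC_* values) behind a single switch. The `SSO_ENABLED` flag, the `SettingsError` class, the `build_auth_settings` function and the plain dict standing in for decouple's `config()` are all assumptions made for the example; it covers settings only, so `urls.py` and the templates would still need the same gating.

```python
"""Hypothetical settings helper making OIDC/SSO optional (example code, not FireFighter's own).

It mirrors the shape described in the thread (OIDC app in INSTALLED_APPS,
LoginRequiredMiddleware, OIDC_* variables read from the environment) but
reads from a plain dict instead of python-decouple's config(), and fails at
import time with one clear message instead of at the first HTTP request.
"""
from __future__ import annotations

from urllib.parse import urlparse

OIDC_APP = "oauth2_authcodeflow"  # app name quoted in the maintainer's reply
OIDC_MIDDLEWARE = "oauth2_authcodeflow.middleware.LoginRequiredMiddleware"
OIDC_REQUIRED = (
    "OIDC_OP_DISCOVERY_DOCUMENT_URL",
    "OIDC_RP_CLIENT_ID",
    "OIDC_RP_CLIENT_SECRET",
)


class SettingsError(ValueError):
    """Raised while settings are built, naming the missing or invalid variable."""


def _truthy(value: str | None) -> bool:
    return (value or "").strip().lower() in {"1", "true", "yes", "on"}


def build_auth_settings(env: dict[str, str]) -> dict:
    """Return auth-related Django settings derived from *env* (assumed flag: SSO_ENABLED).

    * SSO off: neither the OIDC app nor the login-required middleware is loaded,
      so no discovery document is ever fetched and /admin/ remains the login path.
    * SSO on: every OIDC_* variable must be set, the discovery URL must be an
      absolute https:// URL (it tells the client where to send users and the
      client secret, so it must never be fetched over plaintext), and the
      client secret must not still be the .env template placeholder.
    """
    base_apps = ["django.contrib.admin", "django.contrib.auth", "django.contrib.sessions"]
    base_middleware = [
        "django.contrib.sessions.middleware.SessionMiddleware",
        "django.contrib.auth.middleware.AuthenticationMiddleware",
    ]
    settings = {"INSTALLED_APPS": base_apps, "MIDDLEWARE": base_middleware, "SSO_ENABLED": False}

    if not _truthy(env.get("SSO_ENABLED")):
        # OIDC values present while SSO is off is a likely operator mistake: surface it.
        leftover = [k for k in OIDC_REQUIRED if env.get(k)]
        settings["WARNINGS"] = [f"{k} is set but SSO_ENABLED is not true; ignoring it" for k in leftover]
        return settings

    missing = [k for k in OIDC_REQUIRED if not env.get(k)]
    if missing:
        raise SettingsError(f"SSO_ENABLED=true but missing: {', '.join(missing)}")

    url = urlparse(env["OIDC_OP_DISCOVERY_DOCUMENT_URL"])
    if url.scheme != "https" or not url.netloc:
        raise SettingsError("OIDC_OP_DISCOVERY_DOCUMENT_URL must be an absolute https:// URL")
    if env["OIDC_RP_CLIENT_SECRET"].startswith("XXXX"):
        raise SettingsError("OIDC_RP_CLIENT_SECRET still holds the template placeholder")

    settings.update(
        INSTALLED_APPS=base_apps + [OIDC_APP],
        MIDDLEWARE=base_middleware + [OIDC_MIDDLEWARE],
        SSO_ENABLED=True,
        OIDC_OP_DISCOVERY_DOCUMENT_URL=env["OIDC_OP_DISCOVERY_DOCUMENT_URL"],
        OIDC_RP_CLIENT_ID=env["OIDC_RP_CLIENT_ID"],
        OIDC_RP_CLIENT_SECRET=env["OIDC_RP_CLIENT_SECRET"],
        OIDC_MIDDLEWARE_LOGIN_REQUIRED_REDIRECT=_truthy(
            env.get("OIDC_MIDDLEWARE_LOGIN_REQUIRED_REDIRECT", "true")
        ),
        WARNINGS=[],
    )
    return settings


if __name__ == "__main__":
    # Constructed environments, not values from any real deployment.
    print(build_auth_settings({}))  # SSO off, no OIDC app or middleware
    print(build_auth_settings({
        "SSO_ENABLED": "true",
        "OIDC_OP_DISCOVERY_DOCUMENT_URL": "https://idp.example.test/.well-known/openid-configuration",
        "OIDC_RP_CLIENT_ID": "firefighter-incident",
        "OIDC_RP_CLIENT_SECRET": "s3cr3t-value",
    }))
```

With this shape, leaving the `.env` template untouched and SSO off starts the app without ever resolving `oauth.mycompany.local`, while a half-configured SSO fails fast at startup with the variable name in the message rather than with a `ConnectionError` buried in a request-time traceback.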

Thank you for the help; FF_DEBUG_NO_SSO_REDIRECT resolved my issue, although the variables are still mandatory.

I will create a PR to add more precision once my local setup is good.