Generic OIDC auth
james-atkins opened this issue · comments
It would be nice to specify a generic OIDC login provider rather than GitHub or Gitea. For example, I use Dex.
This is should be easy to implement Python-wise as both GiteaAuth
and GitHubAuth
are subclasses of buildbot.www.oauth2.OAuth2Auth
.
Is OIDC not a different protocol from Oauth2?
Maybe not, I am not super familiar with the specifics. What might already work today is oauth2-proxy: https://oauth2-proxy.github.io/oauth2-proxy/
There is https://github.com/buildbot/buildbot/blob/331121358ba547a6d445de8760c5c8d359171cf8/master/buildbot/www/auth.py#L102 so a proxy could set a header value pointing to the user.
Question is, how we handle permissions in this case? Treat all logged in people as admins?
OIDC is a protocol built on top of OAuth2. It standardises how user information is retrieved once they are authenticated. E.g. some of buildbot's built in authentication providers uses standard OIDC claims such as name
, email
and picture
.
I put this under the future milestone as for this to really make sense, #176 needs to be in place. If there are any objections to this, let me know.
Oauth actually does indeed not look that complicated: https://git.lix.systems/lix-project/buildbot-nix/src/commit/45135d249b47f95846854e0145028b6f6e30dea1/buildbot_nix/__init__.py#L46
I could also imagine someone else could pick this up as a first contribution.