vikunja
/
vikunja
6
43
Fork 71
Code Issues 150 Pull Requests 14 Packages Releases 32 Activity

OIDC Team Assignment - Feedback #2150

New Issue
Closed
opened 2024-03-02 14:09:55 +00:00 by waza-ari · 7 comments
waza-ari commented 2024-03-02 14:09:55 +00:00
Contributor
Copy Link

Description

Dear team,

after PR #1393 has been merged I was able to test this based with Keycloak - first of all, in general it works wonderfully. There's a few details that came up while testing, which we may want to address.

Team Display

Teams created via OIDC currently have the oidcID behind them, like this:

image

In our case, Keycloak automatically assigned a UUID4 to client roles, which are unique and not changing across the lifecycle of the client, making them a natural choice for an ID. They do make the UI clunky though.

Suggestion 1: Instead of showing the actual UUID, would it be sufficient to add a label indicating it's created through OIDC instead of having the the entire ID printed? E.g. use Bereichsleiter (OIDC) instead of Bereichsleiter (sso: 0d3c3bc7-b806-4d59-9963-8b953e4180f4)?

Team Display when sharing a project

Somehow going into the same direction, it might be useful to also indicate the fact that Team is created via OIDC in different spots, e.g. when sharing a project with Teams. In our case we had local teams with the same name as OIDC names (sure, this can easily be fixed by deleting the local Teams), but that results in something like this:

image

Suggestion 2: Add the (OIDC) indicator mentioned above also in the dropdown and potentially other places?

Doc improvements

It would be useful to include in the docs that the vikunja_groups claim is expected in the id token, not in the access token. While it does make sense, I believe it might be useful to explicitly highlight this.

Also we could extend the OpenID documentation a little bit by describing the scope parameter, which is currently only described in the example config.

If you agree to these statements I'm more than happy to contribute on the doc side of things, but I'm not too familiar with Go to support with the other two.

Tagging @viehlieb as original author of the PR. Thanks for your work!

Vikunja Version

unstable

Browser and version

No response

Can you reproduce the bug on the Vikunja demo site?

No

Screenshots

No response

### Description Dear team, after PR #1393 has been merged I was able to test this based with Keycloak - first of all, in general it works wonderfully. There's a few details that came up while testing, which we may want to address. ### Team Display Teams created via OIDC currently have the `oidcID` behind them, like this: ![image](/attachments/6cdbc409-06ec-4e99-a9a7-594eb4964d86) In our case, Keycloak automatically assigned a UUID4 to client roles, which are unique and not changing across the lifecycle of the client, making them a natural choice for an ID. They do make the UI clunky though. **Suggestion 1**: Instead of showing the actual UUID, would it be sufficient to add a label indicating it's created through OIDC instead of having the the entire ID printed? E.g. use `Bereichsleiter (OIDC)` instead of `Bereichsleiter (sso: 0d3c3bc7-b806-4d59-9963-8b953e4180f4)`? ### Team Display when sharing a project Somehow going into the same direction, it might be useful to also indicate the fact that Team is created via OIDC in different spots, e.g. when sharing a project with Teams. In our case we had local teams with the same name as OIDC names (sure, this can easily be fixed by deleting the local Teams), but that results in something like this: ![image](/attachments/6d21b46f-3a6a-4350-8987-ec04abb78b43) **Suggestion 2:** Add the `(OIDC)` indicator mentioned above also in the dropdown and potentially other places? ### Doc improvements It would be useful to include in the docs that the `vikunja_groups` claim is expected in the id token, not in the access token. While it does make sense, I believe it might be useful to explicitly highlight this. Also we could extend the OpenID documentation a little bit by describing the `scope` parameter, which is currently only described in the example config. If you agree to these statements I'm more than happy to contribute on the doc side of things, but I'm not too familiar with Go to support with the other two. Tagging @viehlieb as original author of the PR. Thanks for your work! ### Vikunja Version unstable ### Browser and version _No response_ ### Can you reproduce the bug on the Vikunja demo site? No ### Screenshots _No response_
image.png
114 KiB
image.png
32 KiB
waza-ari added the
kind/bug
 label 2024-03-02 14:09:56 +00:00
konrad commented 2024-03-02 14:29:12 +00:00
Owner
Copy Link

Wow, that was fast!

I've added the display changes in fc4303a778. Please check with the next unstable build (should be ready in ~45min, when the ci passed). You'll have to log out and log back in again to see the changes.

I'd love a PR for the docs.

Wow, that was fast! I've added the display changes in fc4303a7786fa2b78655b55763347eacb730d428. Please check with the next unstable build (should be ready in ~45min, [when the ci passed](https://drone.kolaente.de/vikunja/vikunja/6079)). You'll have to log out and log back in again to see the changes. I'd love a PR for the docs.
❤️ 1
konrad added
kind/feature
 and removed
kind/bug
 labels 2024-03-02 14:29:20 +00:00
waza-ari commented 2024-03-02 15:19:15 +00:00
Author
Contributor
Copy Link

Can only return this, that was fast! Tested it just now and that looks so much better. Thank you!

Working on a PR for the docs, should come through in the next hour or so.

Can only return this, that was fast! Tested it just now and that looks so much better. Thank you! Working on a PR for the docs, should come through in the next hour or so.
waza-ari commented 2024-03-02 16:21:39 +00:00
Author
Contributor
Copy Link

I've created #2151 to add more details about the OIDC implementation. One request for feedback:

The section in config.md currently only defines the entire auth.openid block, but doesn't describe the individual fields. I'm open to add details there as well, but would like to understand if there's environment variables for those settings and if so, how they're configured. Thanks!

I've created #2151 to add more details about the OIDC implementation. One request for feedback: The section in `config.md` currently only defines the entire `auth.openid` block, but doesn't describe the individual fields. I'm open to add details there as well, but would like to understand if there's environment variables for those settings and if so, how they're configured. Thanks!
waza-ari commented 2024-03-02 17:42:54 +00:00
Author
Contributor
Copy Link

@konrad I believe your change above broke the automatic team creation. During login, the code did a check if a team already exists, if not, the team is created. To check for existence, the code so far did compare both the oidcID and the name, which now obviously doesn't match anymore as you're adding the (OIDC) suffix.

IMHO oidcID checking should be enough (that's why we have this unique after all), therefore I'm proposing to change this in #2152, which should fix the issue introduced here.

@konrad I believe your change above broke the automatic team creation. During login, the code did a check if a team already exists, if not, the team is created. To check for existence, the code so far did compare both the `oidcID` and the `name`, which now obviously doesn't match anymore as you're adding the `(OIDC)` suffix. IMHO `oidcID` checking should be enough (that's why we have this unique after all), therefore I'm proposing to change this in #2152, which should fix the issue introduced here.
👍 1
konrad commented 2024-03-03 21:44:13 +00:00
Owner
Copy Link

The section in config.md currently only defines the entire auth.openid block, but doesn't describe the individual fields. I'm open to add details there as well, but would like to understand if there's environment variables for those settings and if so, how they're configured. Thanks!

Currently, it's not possible to configure this with environment variables. The documentation of the individual variables is configured from the config.yml.sample file and the comments it contained. You shouldn't edit the markdown file manually.

> The section in config.md currently only defines the entire auth.openid block, but doesn't describe the individual fields. I'm open to add details there as well, but would like to understand if there's environment variables for those settings and if so, how they're configured. Thanks! Currently, it's not possible to configure this with environment variables. The documentation of the individual variables is configured from the `config.yml.sample` file and the comments it contained. You shouldn't edit the markdown file manually.
waza-ari commented 2024-03-03 21:47:53 +00:00
Author
Contributor
Copy Link

Currently, it's not possible to configure this with environment variables. The documentation of the individual variables is configured from the config.yml.sample file and the comments it contained. You shouldn't edit the markdown file manually.

Yep I realised that after my first commit. The final state of the PR is however generated from config.yml.sample using mage generate-docs, so should be good from that perspective.

> Currently, it's not possible to configure this with environment variables. The documentation of the individual variables is configured from the `config.yml.sample` file and the comments it contained. You shouldn't edit the markdown file manually. Yep I realised that after my first commit. The final state of the PR is however generated from `config.yml.sample` using ` mage generate-docs`, so should be good from that perspective.
👍 1
waza-ari commented 2024-03-04 22:48:45 +00:00
Author
Contributor
Copy Link

Just for completeness, deployed new unstable build to our environment, works wonderfully now. Thanks for the support!

Just for completeness, deployed new unstable build to our environment, works wonderfully now. Thanks for the support!
❤️ 1
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
main
renovate/camel-case-5.x
renovate/go-1.x
renovate/lowlight-3.x
renovate/golang.org-x-sync-0.x
renovate/major-dev-dependencies
renovate/github.com-wneessen-go-mail-0.x
renovate/golangci-golangci-lint-1.x
feature/better-filter-syntax
fix/tiptap-task-list
renovate/flexsearch-0.x
feature/zod-schema
renovate/github.com-typesense-typesense-go-1.x
renovate/github.com-golang-jwt-jwt-v4-5.x
automatic-year-range-for-go-header-template
feature/hide-forbidden-related-tasks
renovate/golang-1.x
release/0.20
release/0.17
release/0.16
release/0.15
release/0.14
release/0.13
v0.23.0
v0.22.1
v0.22.0
v0.21.0
v0.20.4
v0.20.3
v0.20.2
v0.20.1
v0.20.0
v0.19.2
v0.19.1
v0.19.0
v0.18.1
v0.18.0
v0.17.1
v0.17.0
v0.16.1
v0.16.0
v0.15.1
v0.15.0
v0.14.1
v0.14.0
v0.13.1
v0.13
v0.12
v0.11
v0.10
v0.9
v0.8
v0.7
v0.6
v0.5
v0.4
v0.3
v0.2
v0.1
Labels
Clear labels   
dependencies

   
duplicate

This issue or pull request already exists

  
help wanted

Need some help

  
invalid

Something is wrong

  
kind/bug

Something is not working

  
kind/feature

New feature

  
needs reproduction

   
question

More information is needed

  
security

   
wontfix

This won't be fixed

No Label
dependencies
duplicate
help wanted
invalid
kind/bug
kind/feature
needs reproduction
question
security
wontfix
Milestone
Clear milestone
No items
No Milestone
Assignees
Clear assignees
No Assignees
2 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: vikunja/vikunja#2150
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?