Draft: Implement OIDC #3170
Conversation
Still working on this?
@jannismilz I am currently using this as-is; as I said in the PR, I wanted to get some feedback from the developers on the general approach before investing more time into it. What features do you need?
@lorenz Tbh I don't have specific needs, I was just looking for an SSO login option. The method doesn't matter too much since I can use an IdP to handle that, right?
I might be interested in this. I'm evaluating Plausible and having OIDC would be one selling point. I have two questions:
I'll look into it today or Sunday.
Currently yes, but it should be relatively easy to automatically create users from OIDC userinfo. Basically, instead of bailing when the user is not found, it needs to call Plausible.Auth.User.new/Repo.insert.
Tried an image built from this branch, but after initialization it crashed:
Sadly, I can't easily get
Is this with an OIDC provider set up? I think I see why it crashes if you don't. I'll get to fixing that at some point.
The error means that the worker is started with
Oops, my bad, I assumed the configuration was optional and I could add it later. OK, now everything starts, but when I try to log in I get some good requests back and forth with our IdP and then a 500 error from Plausible. Here's the exception raised in the log:
Did I configure our IdP in the wrong way?
The error means that I don't know anything about OIDC, but from just looking at the code, the IdP didn't respond with all the required scopes.
Exactly, the problem was that Zitadel (our IdP) didn't send the user details in the token by default. You have to manually enable it in the project dashboard. Works like a charm now! The only thing left for me is user creation. I'm struggling to find a sort of admin dashboard where I can manually create users. Is it there? Meanwhile I'll try to navigate the docs.
I don't think there is an admin dashboard like that.
Update: I was able to get users to automatically register when using our IdP. As you might have guessed, I've never coded in Elixir, so I had to kinda guess how it works (plus a little help from ChatGPT; to be honest, this time it got me sideways multiple times). For reference, this is how the function coded by @lorenz looks now:

```elixir
def oidc_callback(conn, %{"code" => code}) do
  if !Application.get_env(:plausible, :use_oidc) do
    render_error(conn, 400, "OIDC is not active")
  else
    with {:ok, tokens} <- OpenIDConnect.fetch_tokens(:default, %{code: code}),
         {:ok, claims} <- OpenIDConnect.verify(:default, tokens["id_token"]),
         {{:ok, user}, claims} <- {find_user(claims["email"]), claims} do
      # Known user: establish the session and redirect to the stored destination
      login_dest = get_session(conn, :login_dest) || Routes.site_path(conn, :index)

      conn
      |> put_session(:current_user_id, user.id)
      |> put_resp_cookie("logged_in", "true", http_only: false, max_age: 60 * 60 * 24)
      |> put_session(:login_dest, nil)
      |> redirect(to: login_dest)
    else
      result ->
        case result do
          {:user_not_found, claims} ->
            # Unknown user: create the account from the verified ID token claims.
            # The local password is never used (login happens via OIDC), so a
            # random per-user value is generated instead of a shared constant.
            password = :crypto.strong_rand_bytes(32) |> Base.encode64()

            with {:ok, user} <-
                   Plausible.Auth.create_user(claims["given_name"], claims["email"], password) do
              login_dest = get_session(conn, :login_dest) || Routes.site_path(conn, :index)

              conn
              |> put_session(:current_user_id, user.id)
              |> put_resp_cookie("logged_in", "true", http_only: false, max_age: 60 * 60 * 24)
              |> put_session(:login_dest, nil)
              |> redirect(to: login_dest)
            else
              e -> render_error(conn, 400, "Error creating the user: #{inspect(e)}")
            end

          {e, _} ->
            render_error(conn, 400, "OIDC login failed: #{inspect(e)}")

          e ->
            render_error(conn, 400, "OIDC login failed: #{inspect(e)}")
        end
    end
  end
end
```

It is kinda ugly and it has duplicated code, but it works for our use case. I would say that before going to production what I would like to see is:
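The 500 above came from an ID token that lacked the profile and e-mail claims, and the auto-registration code then trusts `claims["email"]` as-is. The following is an added example, not code from this PR or from Plausible, of validating the verified claims before looking up or creating a user: missing claims become a descriptive error rather than a crash, and (as an added, stricter policy assumed here) only an address the IdP marks `email_verified` is accepted. The module name, the required-claim list and the sample claim maps are assumptions constructed for the example.

```elixir
# Added example (not from the PR): validate verified ID token claims before
# using them to look up or auto-create a user.
defmodule OidcClaims do
  # Claims the callback relies on; adjust to what the deployment needs.
  @required ["sub", "email", "email_verified", "given_name"]

  # Returns {:ok, %{subject, email, name}} or {:error, reason}.
  def validate(claims) when is_map(claims) do
    case Enum.reject(@required, &Map.has_key?(claims, &1)) do
      [] -> check_values(claims)
      missing -> {:error, {:missing_claims, missing}}
    end
  end

  def validate(_), do: {:error, :claims_not_a_map}

  defp check_values(%{"email" => email, "email_verified" => verified} = claims) do
    cond do
      not is_binary(email) or not String.contains?(email, "@") ->
        {:error, {:invalid_claim, "email"}}

      # Assumption: unverified addresses are rejected rather than auto-created,
      # so an account is never keyed on an e-mail the IdP has not confirmed.
      verified != true ->
        {:error, :email_not_verified}

      true ->
        {:ok,
         %{
           subject: claims["sub"],
           email: String.downcase(email),
           name: claims["given_name"]
         }}
    end
  end
end

# Constructed sample claims: what a provider returns after the profile/email
# data has been enabled for the client, and the minimal token seen before that.
complete = %{
  "sub" => "user-123", "email" => "Ada@Example.org",
  "email_verified" => true, "given_name" => "Ada"
}
minimal = %{"sub" => "user-123"}

{:ok, %{email: "ada@example.org", name: "Ada"}} = OidcClaims.validate(complete)
{:error, {:missing_claims, ["email", "email_verified", "given_name"]}} = OidcClaims.validate(minimal)
{:error, :email_not_verified} = OidcClaims.validate(%{complete | "email_verified" => false})
IO.puts("claim validation ok")
```

In the callback, `OidcClaims.validate/1` would sit between `OpenIDConnect.verify/2` and `find_user/1`, so an `{:error, reason}` is rendered as a 400 with the reason instead of surfacing as a 500.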
We're considering adopting Plausible as the analytics tool for a non-profit website (with 10+ million visits monthly), but having SSO is a pretty strong requirement for us. We use Keycloak to manage user permissions across all the tools we use, and having this feature being considered would make it much easier for the board to accept Plausible as the tool of choice.
I already closed the other OIDC pull request, will do the same with this one. See #3706 (comment) for reasoning. In short: we consider team accounts as a blocker for SSO.
For everyone's clarity: does that mean that the features that enable self-hosted users to run CE and use their own IdP aren't being merged at all, or aren't being merged yet? Critically, I'd like to know I can self-host and use SSO with my own provider, even if I do have to make use of Traefik and headers to do so.
Changes
This is an initial implementation of OIDC. It's still pretty basic, but it does log in users via OIDC. Automated user creation is not yet implemented, nor is automatically assigning sites based on roles.
Mostly posted to gather some early feedback and for others to try.
Fixes #1554