Commit Graph

35 Commits

Author SHA1 Message Date
Claude fc9c21915d feat(auth): enforce OpenID Connect issuer uniqueness across providers
Detect when two configured OIDC providers resolve to the same issuer URL
at startup and halt with a fatal error, preventing team sync data
corruption caused by ambiguous (external_id, issuer) matching.

Also adds duplicate issuer detection to the doctor service diagnostics
and comprehensive tests with mock OIDC discovery servers.
2026-03-30 22:41:50 +00:00
Copilot c7a26d81fe
fix(auth): do not panic with invalid openid provider configuration (#1354) 2025-08-31 07:17:50 +00:00
Copilot 5ca637a7e6
feat(auth): add oauth require availability configuration on startup (#1358) 2025-08-30 22:15:20 +00:00
kolaente de917467cb
fix(openid): manually fetch providers
Partially reverts fcdcdcf46a
Resolves https://github.com/go-vikunja/vikunja/issues/1165
2025-07-28 11:40:09 +02:00
kolaente bbd3567e43
chore: add debug logging around provider failure
https://github.com/go-vikunja/vikunja/issues/1165
2025-07-24 16:00:03 +02:00
kolaente 7243a10fb2
fix(openid): check different provider types
Related to https://github.com/go-vikunja/vikunja/issues/1165
2025-07-23 15:40:51 +02:00
kolaente 2b497e6265
fix: pass pointer when fetching provider
Resolves https://github.com/go-vikunja/vikunja/issues/1165
2025-07-23 11:09:09 +02:00
kolaente 566657c54a fix: correctly return cached provider 2025-07-18 18:38:12 +02:00
kolaente fcdcdcf46a feat: use keyvalue.Remember where it makes sense 2025-07-17 16:19:13 +02:00
Dominik Pschenitschni 296577a875
fix: correct license header references (#882)
See originals:
- https://www.gnu.org/licenses/agpl-3.0.txt
- https://www.gnu.org/licenses/gpl-3.0.txt
2025-06-10 12:18:38 +02:00
Weijie Zhao 00c4148f05
feat(auth): add ForceUserInfo option to OpenID provider (#797)
Problem:

When using Casdoor as an OpenID provider, there's an inconsistency between the user information in the JWT token and the UserInfo endpoint. The token contains the user's unique ID in the `name` field, while the UserInfo endpoint correctly returns the user's display name.

Solution:

This PR adds a new `ForceUserInfo` option to the OpenID provider configuration. When enabled, it forces the use of the UserInfo endpoint to retrieve user information instead of relying on claims from the ID token.

Impact:

- Default behavior remains unchanged (backward compatible)
- New option allows administrators to force using UserInfo endpoint data
- Particularly useful for providers like Casdoor that don't fully comply with OIDC standards

Related:

I've opened an issue in the Casdoor repository (https://github.com/casdoor/casdoor/issues/3806) to discuss the root cause. However, changing Casdoor's token structure might cause significant compatibility issues for existing integrations, so it's unclear if this can be fixed at the provider level. This PR provides a workaround in Vikunja that doesn't affect existing functionality.
2025-05-20 08:06:34 +00:00
Marc f4a0c0ef31 feat(auth): sso fallback mapping (#3068)
Reviewed-on: https://kolaente.dev/vikunja/vikunja/pulls/3068
Reviewed-by: konrad <k@knt.li>
Co-authored-by: Marc <marc88@free.fr>
Co-committed-by: Marc <marc88@free.fr>
2025-03-02 15:21:09 +00:00
kolaente c9a68d3a63
fix(openid): lint 2024-12-11 17:10:41 +01:00
kolaente 4512045cbf
fix: check if all required keys are available when parsing openid configuration
Related to https://github.com/go-vikunja/vikunja/issues/371
2024-12-11 16:25:41 +01:00
kolaente b8c4e0a91e
fix(openid): log error when config is still using array value 2024-11-18 12:16:38 +01:00
kolaente 05349ddb5c
feat!: config for auth providers now use a map instead of an array
The config values for openid providers now use a map with the provider as key instead of an array. For example before:

auth:
  openid:
    providers:
      - name: foo
        clientid: ...

now becomes:

auth:
  openid:
    providers:
      foo:
        clientid: ...

This allows us to read values for openid providers from files using the same syntax as everywhere and makes the configuration more predictable. It also allows configuring providers through env variables, though it is still required to set at least one value via the config file because Vikunja won't discover the provider otherwise.
2024-11-18 10:34:30 +01:00
viehlieb ed4da96ab1 feat: assign users to teams via OIDC claims (#1393)
This change adds the ability to sync teams via a custom openid claim. Vikunja will automatically create and delete teams as necessary, it will also add and remove users when they log in. These teams are fully managed by Vikunja and cannot be updated by a user.

Co-authored-by: kolaente <k@knt.li>
Reviewed-on: https://kolaente.dev/vikunja/vikunja/pulls/1393
Resolves https://kolaente.dev/vikunja/vikunja/issues/1279
Resolves https://github.com/go-vikunja/vikunja/issues/42
Resolves https://kolaente.dev/vikunja/vikunja/issues/950
Co-authored-by: viehlieb <pf@pragma-shift.net>
Co-committed-by: viehlieb <pf@pragma-shift.net>
2024-03-02 08:47:10 +00:00
kolaente ce53663a88
fix(openid): use the calculated redirect url when authenticating with openid providers 2024-01-28 12:41:35 +01:00
kolaente e518fb1191
chore: remove year from copyright headers
Resolves https://kolaente.dev/vikunja/api/pulls/1483
2023-09-01 08:32:28 +02:00
kolaente 9bf535d06f
fix: remove old saved openid provider settings from cache when starting Vikunja
Resolves https://kolaente.dev/vikunja/api/issues/1487
2023-04-10 13:32:20 +02:00
viehlieb a79b1de2d0 feat: provide logout url for openid providers (#1340)
Co-authored-by: kolaente <k@knt.li>
Reviewed-on: https://kolaente.dev/vikunja/api/pulls/1340
Co-authored-by: viehlieb <pf@pragma-shift.net>
Co-committed-by: viehlieb <pf@pragma-shift.net>
2022-12-18 18:26:28 +00:00
kolaente 25ffa1bc2e
fix: prevent logging openid provider errors twice 2022-07-07 15:47:37 +02:00
renovate 6018573d81 Update module github.com/coreos/go-oidc to v3 (#885)
Co-authored-by: kolaente <k@knt.li>
Reviewed-on: https://kolaente.dev/vikunja/api/pulls/885
Co-authored-by: renovate <renovatebot@kolaente.de>
Co-committed-by: renovate <renovatebot@kolaente.de>
2021-06-14 20:56:29 +00:00
kolaente 9147e6739f
Fix authentication callback 2021-06-09 23:00:42 +02:00
kolaente 570d146b21
Fix parsing openid config when using a json config file 2021-06-09 21:56:17 +02:00
kolaente d48aa101cf
Refactor & fix storing struct-values in redis keyvalue 2021-05-28 10:52:51 +02:00
kolaente 3973ce985d
Try to get more information about the user when authenticating with openid 2021-05-19 14:45:24 +02:00
kolaente 2e52cc1802
Fix lint 2021-05-17 12:15:15 +02:00
kolaente 20ede346b4
Only filter out failing openid providers if multiple are configured and one of them failed 2021-05-16 13:28:15 +02:00
kolaente c4a71016b8
Update copyright year 2021-02-02 20:19:13 +01:00
kolaente 2e88600c93
Change keyvalue.Get to return if a value exists or not instead of an error 2021-01-31 12:32:46 +01:00
kolaente 20af034d78
Fix retrieving over openid providers if there are none
Fixes #767
2021-01-15 20:40:07 +01:00
kolaente 9baf6d39bd
Change license to AGPLv3 2020-12-23 16:41:52 +01:00
kolaente d2d610e0f5
Fix /info endpoint 500 error when no openid providers were configured 2020-11-26 21:26:31 +01:00
konrad 2b5c9ae7a8 Authentication with OpenID Connect providers (#713)
Add config docs

Lint

Move provider-related stuff to separate file

Refactor getting auth providers

Fix tests

Fix user tests

Fix openid tests

Add swagger docs

Fix lint

Fix lint issues

Fix checking if the user already exists

Make sure to create a new namespace for new users

Docs

Add tests for openid

Remove unnessecary err check

Consistently return nil users if creating a new user failed

Move sending confirmation email to separate function

Better variable names

Move checks to separate functions

Refactor creating user into seperate file

Fix creating new local users

Test creating new users from different issuers

Generate a random username right away if no preferred username has been given

Add todo

Cache openid providers

Add getting int clientids

Fix migration

Move creating tokens to auth package

Add getting or creating a third party user

Add parsing claims

Add retreiving auth tokens

Add token callback from openid package

Add check for provider key

Add routes

Start adding openid auth handler

Add config for openid auth

Co-authored-by: kolaente <k@knt.li>
Reviewed-on: https://kolaente.dev/vikunja/api/pulls/713
Co-Authored-By: konrad <konrad@kola-entertainments.de>
Co-Committed-By: konrad <konrad@kola-entertainments.de>
2020-11-21 16:38:58 +00:00