feat: add optional OIDC/SSO authentication support #9
Open
fcraviolatti wants to merge 1 commit into sbabic:main from
Adds support for any OpenID Connect compliant identity provider (Keycloak, Auth0, Okta, etc.) alongside the existing credentials login. When OIDC is configured, a "Sign in via OIDC" button appears on the login page. OIDC-authenticated users share a HawkBit service account for API access (configured via HAWKBIT_SERVICE_* env vars).

New environment variables:
- OIDC_ISSUER_URL – OIDC issuer (e.g. https://keycloak.example.com/realms/myrealm)
- OIDC_CLIENT_ID – OAuth2 client ID
- OIDC_CLIENT_SECRET – OAuth2 client secret
- OIDC_PROVIDER_NAME – optional label for the sign-in button (default: "OIDC")
- HAWKBIT_SERVICE_USERNAME – HawkBit username for OIDC-authenticated users
- HAWKBIT_SERVICE_PASSWORD – HawkBit password for OIDC-authenticated users

Implementation details:
- Generic OIDC provider in auth-options.ts (wellKnown discovery, PKCE)
- API proxy falls back to service account credentials when the per-user auth cookie is absent but a valid OIDC session exists
- Login page passes oidcEnabled flag (server-side env read) to the client container to conditionally render the OIDC button
- Existing credentials login is unchanged; both methods coexist
Summary
Adds support for any OpenID Connect compliant identity provider (Keycloak, Auth0, Okta, etc.) alongside the existing credentials login.
- OIDC_ISSUER_URL / OIDC_CLIENT_ID / OIDC_CLIENT_SECRET are set, a "Sign in via OIDC" button appears on the login page
- HAWKBIT_SERVICE_* env vars)

New environment variables
- OIDC_ISSUER_URL https://keycloak.example.com/realms/myrealm)
- OIDC_CLIENT_ID
- OIDC_CLIENT_SECRET
- OIDC_PROVIDER_NAME "OIDC")
- HAWKBIT_SERVICE_USERNAME
- HAWKBIT_SERVICE_PASSWORD

Implementation
- oidcEnabled server-side and passes it to the client container to conditionally render the OIDC button
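
One way to express the fallback rule described above (service-account credentials only when the per-user auth cookie is absent and a valid OIDC session exists), together with a startup check on the new environment variables. This is an added example, not code from the pull request; the function names, the session shape and the https check on the issuer are assumptions.

```typescript
// Added example; all names below are hypothetical, not taken from the PR's code.
type Env = Record<string, string | undefined>;
type Session = { provider: "oidc" | "credentials"; expires: string } | null;
type Upstream =
  | { source: "user-cookie"; authorization: string }
  | { source: "service-account"; username: string; password: string };

const OIDC_VARS = ["OIDC_ISSUER_URL", "OIDC_CLIENT_ID", "OIDC_CLIENT_SECRET"];
const SERVICE_VARS = ["HAWKBIT_SERVICE_USERNAME", "HAWKBIT_SERVICE_PASSWORD"];

const missing = (env: Env, names: string[]): string[] =>
  names.filter((n) => (env[n] ?? "").trim() === "");

// OIDC is on only when all three OIDC_* values are set. A partial set, or OIDC
// without the shared service account, is a misconfiguration: fail at startup.
function oidcEnabled(env: Env): boolean {
  const absent = missing(env, OIDC_VARS);
  if (absent.length === OIDC_VARS.length) return false; // credentials login only
  if (absent.length > 0) throw new Error(`incomplete OIDC config: ${absent.join(", ")}`);
  const noService = missing(env, SERVICE_VARS);
  if (noService.length > 0) throw new Error(`OIDC needs ${noService.join(", ")}`);
  // OpenID Connect Discovery defines the issuer as an https URL.
  if (!(env["OIDC_ISSUER_URL"] ?? "").startsWith("https://")) {
    throw new Error("OIDC_ISSUER_URL must use https");
  }
  return true;
}

// Decide what the API proxy sends to HawkBit. Returns null when the request
// must be rejected (401) instead of forwarded with the shared account.
function selectUpstreamAuth(cookieAuth: string | undefined, session: Session,
                            env: Env, now: Date = new Date()): Upstream | null {
  // The per-user cookie wins, so credentials users keep their own HawkBit rights.
  if (cookieAuth) return { source: "user-cookie", authorization: cookieAuth };
  if (!oidcEnabled(env)) return null;
  // A credentials session without its cookie must not gain the shared account.
  if (!session || session.provider !== "oidc") return null;
  // An expired or unparsable expiry (NaN) fails this comparison and is rejected.
  if (!(new Date(session.expires).getTime() > now.getTime())) return null;
  return {
    source: "service-account",
    username: env["HAWKBIT_SERVICE_USERNAME"] ?? "",
    password: env["HAWKBIT_SERVICE_PASSWORD"] ?? "",
  };
}
```

Every OIDC user reaches HawkBit with the same service account, so that account's HawkBit permissions are the effective permissions of all OIDC users, and HawkBit's own records will show the service account rather than the individual.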