feat: add OIDC auth support for osctrl-admin #801
Open
jan-krueger wants to merge 5 commits into jmpsec:main from
Conversation
Contributor
Pull request overview
Adds OIDC (OpenID Connect) as an authentication option for the osctrl-admin service, including issuer discovery, login/callback handlers, and JIT user provisioning with optional group-based access restrictions (aligning with #800’s request for OIDC support).
Changes:
- Introduce OIDC configuration schema + CLI flags/env vars, and wire it into admin config loading.
- Implement OIDC Authorization Code flow (optionally with PKCE), session creation, JIT user provisioning, and required-group gating.
- Add example OIDC configuration to the shipped deploy/config/admin.yml.
Reviewed changes
Copilot reviewed 8 out of 9 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| pkg/config/types.go | Adds oidc section to admin config types and defines YAMLConfigurationOIDC. |
| pkg/config/flags.go | Adds OIDC-related CLI flags/env vars and attaches them to admin flag initialization. |
| cmd/admin/utils.go | Wires loaded YAML oidc config into ServiceParameters. |
| cmd/admin/main.go | Enables auth: oidc, initializes OIDC runtime, and registers OIDC routes. |
| cmd/admin/auth.go | Treats OIDC like DB auth for session-based auth checks. |
| cmd/admin/oidc.go | Implements OIDC login/callback/logout handlers, PKCE/state cookie handling, group checks, and JIT provisioning. |
| deploy/config/admin.yml | Documents/example configuration for OIDC auth. |
| go.mod / go.sum | Adds OIDC dependencies (go-oidc, oauth2, go-jose) and tidies module sums. |
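As an added example, not code from this PR or from osctrl, the following standard-library Go program shows the building blocks the overview above lists: an S256 PKCE verifier/challenge pair, a random state value checked in constant time against the value stored in the login cookie, required-group gating on the token's group claim, and idempotent JIT provisioning keyed on the stable `sub` claim rather than on a mutable email or username. The type and function names (`Claims`, `User`, `ProvisionUser`), the `groups` claim (a Keycloak mapper convention, not part of core OIDC) and the group name `osctrl-admins` are assumptions for illustration; the PR itself builds on go-oidc and oauth2, which this example deliberately avoids so it runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// Claims is the subset of ID-token claims this example looks at. The "groups"
// claim is an assumed, provider-specific mapping (e.g. a Keycloak group mapper).
type Claims struct {
	Sub      string
	Email    string
	Username string
	Groups   []string
}

// User is a hypothetical local admin user created by JIT provisioning.
type User struct {
	Username string
	Email    string
	Subject  string // stable issuer subject; the key for lookups, never the email
}

// randomURLSafe returns n random bytes as unpadded base64url.
func randomURLSafe(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// NewPKCEVerifier returns a 43-character code_verifier (32 random bytes,
// base64url without padding), as RFC 7636 recommends.
func NewPKCEVerifier() (string, error) { return randomURLSafe(32) }

// ChallengeS256 derives the code_challenge sent with the authorization request:
// BASE64URL(SHA256(code_verifier)). The verifier itself only leaves the client
// on the token request, so an intercepted authorization code is useless alone.
func ChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// NewState returns the CSRF token bound to one login attempt via a cookie.
func NewState() (string, error) { return randomURLSafe(16) }

// CheckState compares the state from the login cookie with the state parameter
// returned on the callback. Both must be present and equal; the comparison is
// constant-time so a mismatch leaks nothing about the expected value.
func CheckState(cookieState, callbackState string) error {
	if cookieState == "" || callbackState == "" {
		return errors.New("missing state")
	}
	if subtle.ConstantTimeCompare([]byte(cookieState), []byte(callbackState)) != 1 {
		return errors.New("state mismatch: possible CSRF or stale login")
	}
	return nil
}

// AllowedByGroups implements required-group gating: with no required groups
// configured, every user the issuer authenticates is allowed; otherwise the
// token must carry at least one of the required groups.
func AllowedByGroups(tokenGroups, required []string) bool {
	if len(required) == 0 {
		return true
	}
	have := make(map[string]struct{}, len(tokenGroups))
	for _, g := range tokenGroups {
		have[g] = struct{}{}
	}
	for _, r := range required {
		if _, ok := have[r]; ok {
			return true
		}
	}
	return false
}

// ProvisionUser is JIT provisioning against an in-memory store keyed by "sub":
// the first successful login creates the user, later logins refresh the email.
// Group gating runs before any write so a rejected login leaves no trace.
func ProvisionUser(store map[string]*User, c Claims, required []string) (*User, bool, error) {
	if c.Sub == "" {
		return nil, false, errors.New("id token has no sub claim")
	}
	if !AllowedByGroups(c.Groups, required) {
		return nil, false, fmt.Errorf("user %q is not in a required group", c.Username)
	}
	if u, ok := store[c.Sub]; ok {
		u.Email = c.Email
		return u, false, nil
	}
	u := &User{Username: c.Username, Email: c.Email, Subject: c.Sub}
	store[c.Sub] = u
	return u, true, nil
}

func main() {
	verifier, _ := NewPKCEVerifier()
	state, _ := NewState()
	fmt.Println("code_challenge:", ChallengeS256(verifier), "state:", state)

	// Constructed claims standing in for an already-verified ID token.
	store := map[string]*User{}
	claims := Claims{Sub: "f3a1", Email: "jan@example.com", Username: "jan", Groups: []string{"osctrl-admins"}}
	u, created, err := ProvisionUser(store, claims, []string{"osctrl-admins"})
	fmt.Printf("user=%+v created=%v err=%v\n", u, created, err)
}
```

The PKCE pair can be checked against the RFC 7636 Appendix B vector (verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` yields challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`). In a real handler the verifier and state live in a short-lived, HttpOnly cookie written by the login handler and cleared by the callback, and the claims come from the ID token only after signature, issuer, audience and expiry verification.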
Author
I've addressed the issues the bot spotted. Let me know if there is anything else you want me to address. :)
This PR adds OIDC (OpenID Connect) authentication as a new auth method for osctrl-admin. It partially closes #800
.well-known/openid-configuration

I've tested this with a local Keycloak instance.