Skip to content

feat: added OAuth login#200

Open
edospadoni wants to merge 13 commits into
masterfrom
oauth_identity
Open

feat: added OAuth login#200
edospadoni wants to merge 13 commits into
masterfrom
oauth_identity

Conversation

@edospadoni

@edospadoni edospadoni commented Sep 10, 2025

Copy link
Copy Markdown
Member

@edospadoni
edospadoni requested a review from Amygos September 10, 2025 14:42
@edospadoni
edospadoni marked this pull request as ready for review September 10, 2025 14:42
@Amygos
Amygos requested a review from Copilot September 11, 2025 08:57

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR implements OAuth (specifically OIDC) login functionality for the sun-ui application. It adds comprehensive support for authenticating users through an external OIDC provider (like Logto or My Nethesis) as an alternative to traditional username/password authentication.

Key Changes:

  • Added OIDC client-side integration with login button and callback handling
  • Implemented secure backend OIDC authentication flow with state validation and token exchange
  • Added comprehensive error handling and internationalization support

Reviewed Changes

Copilot reviewed 11 out of 12 changed files in this pull request and generated 7 comments.

Show a summary per file
File Description
sun/sun-ui/src/styles/main.css Added CSS styles for OIDC login UI components including buttons, separators, and responsive design
sun/sun-ui/src/services/login.js Added OIDC login methods for initiating authentication and fetching provider configuration
sun/sun-ui/src/routes/router.js Added login callback route handler for processing OIDC authentication responses
sun/sun-ui/src/i18n/locale-it.json Added Italian translations for OIDC login messages and error states
sun/sun-ui/src/i18n/locale-en.json Added English translations for OIDC login messages and error states
sun/sun-ui/src/App.vue Updated login UI to include OIDC authentication option and error handling
sun/sun-api/methods/authentication.go Implemented complete OIDC authentication backend with secure state management and token exchange
sun/sun-api/main.go Added OIDC API endpoints to the router configuration
sun/sun-api/configuration/configuration.go Added OIDC configuration structure for provider settings
go.mod Added required OIDC and OAuth2 dependencies
deploy/ansible/roles/sun/templates/sun-api-conf.j2 Added OIDC configuration template for deployment

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

Comment thread sun/sun-ui/src/routes/router.js Outdated
Comment thread sun/sun-ui/src/routes/router.js Outdated
Comment thread sun/sun-ui/src/routes/router.js Outdated
Comment thread sun/sun-ui/src/routes/router.js Outdated
Comment thread sun/sun-api/methods/authentication.go Outdated
Comment thread sun/sun-api/methods/authentication.go Outdated
Comment thread sun/sun-api/methods/authentication.go Outdated
@Amygos
Amygos requested a review from Copilot September 11, 2025 13:53

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

Copilot reviewed 11 out of 12 changed files in this pull request and generated 5 comments.


Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

Comment thread sun/sun-ui/src/i18n/locale-en.json Outdated
Comment thread sun/sun-ui/src/routes/router.js
Comment thread sun/sun-api/methods/authentication.go Outdated
Comment thread sun/sun-api/methods/authentication.go
Comment thread sun/sun-api/methods/authentication.go Outdated
edospadoni and others added 2 commits September 11, 2025 16:17
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@Amygos
Amygos requested a review from Copilot September 18, 2025 08:43

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

Copilot reviewed 11 out of 12 changed files in this pull request and generated 1 comment.


Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

Comment thread sun/sun-api/methods/authentication.go Outdated
Fixes CVE-2025-22868 (golang.org/x/oauth2) and the go-jose CVEs pulled
in by go-oidc v3.5.0. CI updated to Go 1.25 accordingly.
Login with My Nethesis now works at company level: users holding the
Admin global role in a My reseller organization log in as the Icaro
account linked through the new accounts.logto_org_id column (never
matched by email). Super admins keep mapping to the Icaro admin.

Flow hardening: state bound to the browser via HttpOnly cookie, nonce
and PKCE S256 on the authorization request, capped state store, cached
OIDC provider, crypto/rand session tokens, no error details leaked to
clients, audit of the actual My user in the token description.

First login of an unlinked reseller organization is verified against
the My API and provisions the company account just in time (default
subscription plan, org name/email), replacing the legacy My
"Get credentials" action. scripts/ contains the one-time bootstrap
that links existing accounts, with its runbook.
Units obtain a session token through the browser OIDC login without
sharing an origin with the frontend: /auth/oidc/device/start creates a
pairing (secret device_code held by the unit + public pair_id), the
login flow carries ?pair= and the callback attaches the minted token
to the pairing instead of redirecting to the SPA, rendering a themed
result page with account, user and unit. The unit polls
/auth/oidc/device/poll and receives the token exactly once; callback
failures reach the poll instead of timing out. Pairing tokens record
the unit name in the token description for auditing.
@edospadoni

Copy link
Copy Markdown
Member Author

Added OIDC device pairing for NethSecurity units (2bdda86): POST /api/auth/oidc/device/start creates a pairing (secret device_code held by the unit + public pair_id), the login flow carries ?pair= and the callback hands the minted token to the pairing instead of the SPA (themed result page with account/user/unit); the unit polls POST /api/auth/oidc/device/poll and receives the token exactly once. Pairing tokens are audited via the token description ("OIDC device pairing by , unit: "). Validated e2e on staging with a real NethSecurity unit (NethServer/nethsecurity#1609 + NethServer/nethsecurity-ui#746).

The login button uses the My Nethesis 'n mark (new static asset) with
an outlined style matching the NethSecurity UI; the device pairing
result page gets the Poppins font, a wider card and a cleaner details
list (regular-weight copy, dividers only).
GET /api/userinfo returns aggregate stats for the company of the
authenticated My user (hotspots, units, guests, devices, sessions,
managers, SMS quota), plus a generic widget.items payload the My
dashboard renders like the NethShop one.

The caller sends the user's Logto ID token: it is verified against the
same issuer as the OIDC login, the audience is checked against the
configured My app id (userinfo_audience), and the company is resolved
through the organization claims and logto_org_id, never by email. Every
non-data case answers 200 with an empty widget so the dashboard never
shows an error banner. CORS gains the Authorization header.
GetOIDCConfig now returns login_button separately from enabled, and the
Sun login page keys the button off it. Setting show_login_button (env
OIDC_SHOW_LOGIN_BUTTON) to false hides the button while the OIDC
endpoints stay fully functional, so the flow remains reachable from the
My dashboard but is not advertised on Sun during a soft launch. Defaults
to shown.
The My dashboard widget calls /api/userinfo cross-origin from the
browser with the user's Logto ID token. Give the endpoint its own CORS
allowlist (the My origins, per environment) handled before the global
Sun-frontend CORS: reflect the matched origin (never *), answer the
OPTIONS preflight with 204, and keep the global middleware from
rejecting those origins. Token verification is unchanged.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants