Migrate to openid client (#5856)

* Create forksync.yml

* update oidc to use openid-client

* update oidc module requirements

* working oidc+

includes all oauth2 clients automatically migrated. azure will need some kind of fix for the uid

* update openid-client install checks

* created overarching schema for OIDC

* bug fixes for azure login

* update schema

prepare schema for unified oidc module

* update 'oidc' to strategy variable

* working azure+ groups

groups from azure are in,
you can use memberOf or transitiveMemberOf in config (Graphs API)

* clean up old config import + working google oidc

previous config map was recursive nonsense, changed to multiple IFs

* added convertStrArray

* de-expanded scope

put all other auth strategies back to normal and fixed oidc strategy

* swap back to using authlog debugger

* Update meshcentral-config-schema.json

* working google oidc + groups

* working azure+groups (again)

* init oidc docs

very incomplete but basic config is present

* add oidc

* more work on docs

* add scope and claim options

plus fixed a few bugs and faults in my logic
used logs correctly

* further cleanup debug

* more debug cleanup

* continue documentation push

fixed minor debug bugs also

* more work on docs

missing links, need to get azure preset docs, probably more.

* done with docs

its good enough for now

* minor fix + presets get correct icon

* fix google oidc not visible at login

* fix bug with emailVerified property

* fix logout bug + debug cleanup

* fix strategy logout bug +cleanup

* fixed preset login icon

* fix alert + fix schema

* terminate lines

* Dutch language update 1.0.85

line up polish translation

* Fixed guest web relay session revocation (#4667)

* Updated French translation.

* Add hook to allow adding custom api endpoints to Express routing

* Updated German translation.

* Update meshcentral-config-schema.json (change formatting)

This way it is easier to edit and maintain

* Fixed schema.

* fix meshcentral-config-schema.json

* add language selector to login (#5648)

* add language selector to login

* add showLanguageSelect to pick top or bottom boxe

* remove additionalProperties: false in schema to allow comments #5697

Signed-off-by: si458 <simonsmith5521@gmail.com>

* fix notes in docs

* Fix web relay session handling and redirection due to bad merge

* Added option to check HTTP origin.

* add links and fix typo

* move groups after strategy

* Update version split in docs

* Fix preset issuer URL in OIDC strategy

* Update clientid and clientsecret to client_id and client_secret

* Update meshcentral-config-schema.json and fix bad rebase

* Update meshcentral-config-schema.json

* fix bad rebase

* fix bad rebase

* Add 'connect-flash' to passport dependencies

* Remove unnecessary passport dependencies - fix bad rebase

* Fix auth strategy bug and remove console.log statement

* Set groupType to the preset name if it exists, otherwise use the strategy name

* remove finally block from

* Refactor authentication logging in handleStrategyLogin to include strategy name

---------

Signed-off-by: si458 <simonsmith5521@gmail.com>
Co-authored-by: petervanv <58996467+petervanv@users.noreply.github.com>
Co-authored-by: Ylian Saint-Hilaire <ysainthilaire@hotmail.com>
Co-authored-by: Martin Mädler <martin.maedler@gmail.com>
Co-authored-by: Fausto Gutierrez <28719096+faustogut@users.noreply.github.com>
Co-authored-by: Simon Smith <simonsmith5521@gmail.com>
mstrhakr
2024-03-03 19:03:27 -05:00
committed by GitHub
parent 436a3cb9be
commit 4be5b7273e
11 changed files with 2220 additions and 872 deletions


@@ -1135,7 +1135,10 @@
}
},
"allowedOrigin": {
"type": [ "array", "boolean" ],
"type": [
"array",
"boolean"
],
"default": false,
"uniqueItems": true,
"description": "A list of allowed hostnames for HTTP request origin header. If false, a default list is created, if true, all hostnames are allowed.",
@@ -2451,7 +2454,10 @@
}
}
}
}
},
"required": [
"certs"
]
},
"amtAcmActivation": {
"type": "object",
@@ -3020,93 +3026,444 @@
},
"oidc": {
"type": "object",
"description": "Enables the use of OpenID Connect SSO",
"anyOf": [
{
"required": [
"client"
]
},
{
"required": [
"client",
"custom"
]
},
{
"required": [
"client",
"issuer"
]
},
{
"required": [
"clientid",
"clientsecret",
"issuer"
]
}
],
"additionalProperties": false,
"properties": {
"newAccounts": {
"type": "boolean",
"description": "Enable the creation of new accounts based upon Idp Authorization",
"default": true
},
"newAccountsUserGroups": {
"type": [
"string",
"array"
],
"description": "Add all new users to these static MeshCentral user groups. Use this if the new groups section does not work with your preset.",
"uniqueItems": true,
"items": {
"type": "string"
}
},
"newAccountsRights": {
"type": [
"array",
"string"
],
"uniqueItems": true,
"items": {
"type": "string"
}
},
"clientid": {
"type": "string",
"depreciated": true,
"description": "REPLACED WITH 'client.client_id'"
},
"clientsecret": {
"type": "string",
"description": "REPLACED WITH 'client.client_secret'"
},
"authorizationURL": {
"type": "string",
"format": "uri",
"description": "If set, this will be used as the authorization URL. (If set tokenURL and userInfoURL need set also)"
},
"callbackURL": {
"type": "string",
"format": "uri",
"description": "Required, this is the URL that your SSO provider sends auth approval to."
},
"clientid": {
"type": "string"
},
"clientsecret": {
"type": "string"
},
"issuer": {
"type": "string",
"format": "uri",
"description": "Full URL of SSO portal"
"depreciated": true,
"description": "REPLACED WITH 'issuer.authorization_endpoint'"
},
"tokenURL": {
"type": "string",
"format": "uri",
"description": "If set, this will be used as the token URL. (If set authorizationURL and userInfoURL need set also)"
"depreciated": true,
"description": "REPLACED WITH 'issuer.token_endpoint': If set, this will be used as the token URL."
},
"userInfoURL": {
"type": "string",
"format": "uri",
"description": "If set, this will be used as the user info URL. (If set authorizationURL and tokenURL need set also)"
"depreciated": true,
"description": "REPLACED WITH 'issuer.userinfo_endpoint': If set, this will be used as the user info URL."
},
"scope": {
"type": [
"string",
"array"
],
"depreciated": true,
"description": "REPLACED WITH 'custom.scope': A list of scopes to request from the issuer."
},
"callbackURL": {
"type": "string",
"format": "uri",
"depreciated": true,
"description": "REPLACED WITH 'client.redirect_uri': The URI your IdP sends you back to after successful authorization. This must match what is listed with your IdP."
},
"logouturl": {
"type": "string",
"format": "uri",
"description": "Then set, the user will be redirected to this URL when hitting the logout link."
"description": "Overrides defaults ( [issuer.end_session_endpoint]?post_logout_redirect_uri=[post_logout_redirect_uri] OR [issuer.end_session_endpoint] )"
},
"newAccounts": {
"type": "boolean",
"default": true
"client": {
"type": "object",
"description": "OIDC Client Options",
"properties": {
"client_id": {
"type": "string",
"description": "REQUIRED: The client ID provided by your Identity Provider (IdP)"
},
"client_secret": {
"type": "string",
"description": "REQUIRED: The client secret provided by your Identity Provider (IdP)"
},
"id_token_signed_response_alg": {
"type": "string",
"default": "RS256",
"description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
},
"id_token_encrypted_response_alg": {
"type": "string",
"description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
},
"id_token_encrypted_response_enc": {
"type": "string",
"description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
},
"userinfo_signed_response_alg": {
"type": "string",
"description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
},
"userinfo_encrypted_response_alg": {
"type": "string",
"description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
},
"userinfo_encrypted_response_enc": {
"type": "string",
"description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
},
"redirect_uri": {
"type": "string",
"format": "uri",
"description": "URI your IdP sends you after successful authorization. This must match what is listed with your IdP. (Default is https://[currentHost][currentPath]/auth-oidc-callback)"
},
"response_types": {
"type": [
"string",
"array"
],
"description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details",
"default": [
"code"
]
},
"post_logout_redirect_uri": {
"type": "string",
"format": "uri",
"description": "URI for your IdP to send you after logging out of IdP via MeshCentral. (Default is https:[currentHost][currentPath]/login)"
},
"default_max_age": {
"type": "number",
"description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
},
"require_auth_time": {
"type": "boolean",
"default": false,
"description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
},
"request_object_signing_alg": {
"type": "string",
"description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
},
"request_object_encryption_alg": {
"type": "string",
"description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
},
"request_object_encryption_enc": {
"type": "string",
"description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
},
"token_endpoint_auth_method": {
"type": "string",
"default": "client_secret_basic",
"enum": [
"none",
"client_secret_basic",
"client_secret_post",
"client_secret_jwt",
"private_key_jwt"
],
"description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
},
"introspection_endpoint_auth_method": {
"type": "string",
"default": "client_secret_basic",
"enum": [
"none",
"client_secret_basic",
"client_secret_post",
"client_secret_jwt",
"private_key_jwt"
],
"description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
},
"revocation_endpoint_auth_method": {
"type": "string",
"default": "client_secret_basic",
"enum": [
"none",
"client_secret_basic",
"client_secret_post",
"client_secret_jwt",
"private_key_jwt"
],
"description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
},
"token_endpoint_auth_signing_alg": {
"type": "string",
"description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
},
"introspection_endpoint_auth_signing_alg": {
"type": "string",
"description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
},
"revocation_endpoint_auth_signing_alg": {
"type": "string",
"description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
},
"tls_client_certificate_bound_access_tokens": {
"type": "boolean",
"description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
}
},
"required": [
"client_id",
"client_secret"
],
"additionalProperties": false
},
"issuer": {
"type": [
"string",
"object"
],
"format": "uri",
"description": "Issuer options. Requires issuer URI (issuer.issuer) to discover missing information unless using preset",
"properties": {
"issuer": {
"type": "string",
"format": "uri",
"description": "URI of the issuer."
},
"authorization_endpoint": {
"type": "string",
"format": "uri"
},
"token_endpoint": {
"type": "string",
"format": "uri"
},
"jwks_uri": {
"type": "string",
"format": "uri"
},
"userinfo_endpoint": {
"type": "string",
"format": "uri"
},
"revocation_endpoint": {
"type": "string",
"format": "uri"
},
"introspection_endpoint": {
"type": "string",
"format": "uri"
},
"end_session_endpoint": {
"type": "string",
"format": "uri",
"description": "URI to direct users to when logging out of MeshCentral. (Attempts to autodetect, defaults to '[issuer.issuer]/logout')"
},
"registration_endpoint": {
"type": "string",
"format": "uri"
},
"token_endpoint_auth_methods_supported": {
"type": "string"
},
"token_endpoint_auth_signing_alg_values_supported": {
"type": "string"
},
"introspection_endpoint_auth_methods_supported": {
"type": "string"
},
"introspection_endpoint_auth_signing_alg_values_supported": {
"type": "string"
},
"revocation_endpoint_auth_methods_supported": {
"type": "string"
},
"revocation_endpoint_auth_signing_alg_values_supported": {
"type": "string"
},
"request_object_signing_alg_values_supported": {
"type": "string"
},
"mtls_endpoint_aliases": {
"type": "object",
"properties": {
"token_endpoint": {
"type": "string",
"format": "uri"
},
"userinfo_endpoint": {
"type": "string",
"format": "uri"
},
"revocation_endpoint": {
"type": "string",
"format": "uri"
},
"introspection_endpoint": {
"type": "string",
"format": "uri"
}
}
}
},
"additionalProperties": false
},
"custom": {
"type": "object",
"properties": {
"scope": {
"type": [
"string",
"array"
],
"description": "A list of scopes to request from the issuer.",
"default": "openid profile email",
"examples": [
"openid",
[
"openid",
"profile"
],
"openid profile email",
"openid profile email groups"
]
},
"claims": {
"type": "object",
"properties": {
"email": {
"type": "string"
},
"name": {
"type": "string"
},
"uuid": {
"type": "string"
}
}
},
"preset": {
"type": "string",
"enum": [
"azure",
"google"
]
},
"tenant_id": {
"type": "string",
"description": "REQUIRED FOR AZURE PRESET: Tenantid for Azure"
},
"customer_id": {
"type": "string",
"description": "REQUIRED IF USING GROUPS: Customer ID from Google Workspace Admin Console (https://admin.google.com/ac/accountsettings/profile)"
}
},
"additionalProperties": false
},
"groups": {
"type": "object",
"properties": {
"recursive": {
"type": "boolean",
"default": false,
"description": "When true, the group memberships will be scanned recursively."
},
"required": {
"type": [
"string",
"array"
],
"description": "When set, the user must be part of one of the OIDC user groups to login to MeshCentral."
"description": "Access is only granted to users who are a member of at least one of the listed required groups."
},
"siteadmin": {
"type": [
"string",
"array"
],
"description": "When set, users part of these groups will be promoted with site administrator in MeshCentral, users that are not part of these groups will be demoted."
"description": "Full site admin priviledges will be granted to users who are a member of at least one of the listed admin groups."
},
"revokeAdmin": {
"type": "boolean",
"description": "If true, admin privileges will be revoked from users who are NOT a member of at least one of the listed admin groups."
},
"sync": {
"type": [
"boolean",
"object"
],
"description": "Allows some or all ODIC user groups to be mirrored within MeshCentral as user groups.",
"default": false,
"description": "If true, all groups found during user login are mirrored into MeshCentral user groups.",
"properties": {
"enabled": {
"type": "boolean",
"default": false
},
"filter": {
"type": [
"string",
"array"
],
"description": "When set, limits what OIDC groups are mirrored into MeshCentral user groups."
"description": "Only groups listed here are mirrored into MeshCentral user groups."
}
}
},
"scope": {
"type": "string",
"default": "groups",
"description": "Custom scope to use."
},
"claim": {
"type": "string",
"default": "groups",
"description": "Custom claim to use."
}
}
},
"additionalProperties": false
}
},
"required": [
"issuer",
"clientid",
"clientsecret",
"callbackURL"
]
}
}
}
},
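Review bot: In the new `oidc.properties` block the legacy `clientsecret` entry is missing the `"depreciated": true` marker that its sibling `clientid` carries, so the two halves of the credential migration are not described consistently; change it to `"clientsecret": { "type": "string", "depreciated": true, "description": "REPLACED WITH 'client.client_secret'" }`. Note also that `depreciated` is not a JSON Schema keyword — the annotation validators and editors recognise is `deprecated` (draft 2019-09 and later), so unless the file's `$schema` (outside this hunk) pins an older draft, the legacy markers on `clientid`, `authorizationURL`, `tokenURL`, `userInfoURL`, `scope` and `callbackURL` are silently ignored and tooling will not surface to an administrator that the secret and redirect settings have moved. The new `anyOf` on the `oidc` object is mostly redundant: its first branch requires only `client`, which already satisfies the `client`+`custom` and `client`+`issuer` branches, so the only additional acceptance comes from the last branch keeping the legacy `clientid`/`clientsecret`/`issuer` trio valid; if the trailing `"required": ["issuer", "clientid", "clientsecret", "callbackURL"]` near the end of the hunk survives on the new side it would override all of this, which the rendered view does not let me confirm. Smaller documentation defects on the new lines: `newAccountsRights` is the only property here without a `description`, the `post_logout_redirect_uri` default is written `https:[currentHost][currentPath]/login` where `redirect_uri` uses `https://[currentHost]…`, and the `siteadmin` description spells `priviledges`.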