
@fdewas-aneo
Contributor

Motivation

The ArmoniK team wanted to know if it was feasible to connect an SSO to ArmoniK.

Description

Using the ngx_http_auth_request_module nginx module, the goal is to recreate the flow described in this OpenID documentation.

A variable has been added, named oauth_configuration, with the following content:

  • provider_root_URI: address of the SSO service.
  • provider_user_info_endpoint: endpoint of the SSO service that checks user claims and data (generally userinfo).
  • provider_authorization_endpoint: endpoint of the SSO service that logs the user in and returns the associated token or code to the client.
  • client_id: ID of the client registered with the SSO service (represents one endpoint of the client with the OIDC mock provider).
  • response_type: represents the way the client expects the SSO service to return user information. Can be a code, a token...

Added two locations in the ingress configmap:

  • /auth: uses proxy_pass to get the claims associated with the user. If the user is not connected, it can return either a 401 or a 403 HTTP error.
  • authError: location used when /auth fails. Makes the user connect and returns either a code, refresh_token, access_token... (click here for more information)

Testing

Testing locally can be done using OpenID Mock Provider. Just use the command:

pipx run oidc-provider-mock --host 0.0.0.0

to create an instance of an OIDC mock provider. It is also available as a Docker image.

The next step is to register a valid endpoint and get a client ID, using the command:

curl -XPOST localhost:9400/oauth2/clients \
   --json '{"redirect_uris": ["http://${your_armonik_host}:${your_armonik_port}/admin/en/"]}'

Then use the returned client ID in the oauth_configuration variable. In the end, your variable should look like this:

oauth_configuration = {
  provider_root_URI               = "http://172.26.174.64:9400"
  provider_user_info_endpoint     = "/userinfo"
  provider_authorization_endpoint = "/oauth2/authorize"
  client_id                       = "37c9cadc-2ada-42ab-8c54-872177ac38ba"
  response_type                   = "code" # Response type is code because the mock service only accepts this.
}

It is kinda painful to know whether it is working, since nginx cannot provide the access_token required by the userinfo endpoint (only a code can be returned by the service...). From experience, you should not get any nginx error, but you should loop on the /authorize page of the mock service.

Checklist

  • My code adheres to the coding and style guidelines of the project.
  • I have performed a self-review of my code.
  • I have commented my code, particularly in hard-to-understand areas.
  • I have made corresponding changes to the documentation.
  • I have thoroughly tested my modifications and added tests when necessary.
  • Tests pass locally and in the CI.
  • I have assessed the performance impact of my modifications.
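As an added example (not the PR's own configmap content), here is how the /auth and authError locations described above can be wired with ngx_http_auth_request_module. Provider address, endpoints and client_id are copied from the oauth_configuration shown in the PR; the server_name, the /admin/ prefix and the admin-app upstream are assumptions.

```nginx
# Added example, not the PR's configmap. Values below mirror the
# oauth_configuration variable; server_name and the upstream are assumed.
server {
    listen 8080;
    server_name armonik.example;        # assumption

    # Every request to the admin UI is first checked by the /auth subrequest.
    location /admin/ {
        auth_request /auth;
        # 401/403 from the subrequest hand the browser to the login flow.
        error_page 401 403 = @authError;
        proxy_pass http://admin-app/;   # assumption: internal upstream
    }

    # /auth: subrequest to the provider's userinfo endpoint. A 2xx means the
    # Authorization header carried a valid token; 401/403 means missing or
    # rejected. auth_request treats any other status as a 500.
    location = /auth {
        internal;
        proxy_pass http://172.26.174.64:9400/userinfo;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header Authorization $http_authorization;
        proxy_set_header X-Original-URI $request_uri;
    }

    # authError: send the user to the provider's authorization endpoint.
    # redirect_uri must match the one registered with the mock provider and
    # is percent-encoded in the query string.
    location @authError {
        return 302 "http://172.26.174.64:9400/oauth2/authorize?client_id=37c9cadc-2ada-42ab-8c54-872177ac38ba&response_type=code&redirect_uri=http%3A%2F%2F$host%3A$server_port%2Fadmin%2Fen%2F";
    }
}
```

As the PR notes, nginx never exchanges the returned code for an access_token, so with response_type=code the /auth check keeps failing and the browser loops back to /oauth2/authorize; a successful userinfo subrequest is the signal that the chain is wired correctly once a bearer token is available.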
