Draft: OIDC login #73

Open

ma27 wants to merge 10 commits from oidc into main

pull from: oidc

merge into: lix-project:main

lix-project:main

lix-project:cores-setting

lix-project:lix-2.94

lix-project:lix-2.93

lix-project:lix-2.91

lix-project:lix-2.92

lix-project:bump-lix

lix-project:jade/include-rearrangement

lix-project:lix-update

Conversation 0 Commits 10 Files changed 8 +304 -151

ma27 commented 2025-12-24 10:32:21 +00:00

Member

Copy link

Closes #38

cc @benaryorg @raito

Based on https://github.com/NixOS/hydra/pull/1298

Additional features:

• actually validate the id token
• use well-known endpoint rather than having to configure dozens of endpoints by hand
• use oidc logout method
• removes google/github login

Todo

• Deploy to a live instance
• Migration code for google/github users
• Docs

Closes #38 cc @benaryorg @raito Based on https://github.com/NixOS/hydra/pull/1298 Additional features: * actually validate the id token * use well-known endpoint rather than having to configure dozens of endpoints by hand * use oidc logout method * removes google/github login Todo * [ ] Deploy to a live instance * [ ] Migration code for google/github users * [ ] Docs

ma27 added 10 commits 2025-12-24 10:32:22 +00:00

Implement generic OIDC-based authentication ... eb6541abc3

Co-Authored-By: Maximilian Bosch <maximilian@mbosch.me>
(cherry picked from commit f963dba1552d85f299859c8a78b1d9ef71f69e76)

Set convenient variables for db access in shellHook ... c430d964f7

(cherry picked from commit 039165e1dbad90bcf755f441c22d81ed5233f96b)

Make OIDC name configurable ... 4a67ec1fd5

(cherry picked from commit 9d8b420281fd0f9bc7443474747de32e341e9748)

Make Hydra login optional ... 4380bf119e

(cherry picked from commit 8d220903696a0be5459777d32ad7ef05c6ee7970)

Use session instead of cookie for OIDC ... 466c4496f1

(cherry picked from commit f9072362dd77fccb659913ed3c35bfb42a4d3a29)

Add OIDC role mapping ... c688aef68b

(cherry picked from commit a9c16a19518a238d74fce789e27dd166ef7058b1)

hydra-server: improve oidc configuration ... a73134f8dc

* Struct with all parameters inside
* Normalize / process all parameters initially and fail early
* Use well-known URL and derive all other URLs from that.

hydra-server: validate ID token and sub before completing auth 848994835f

hydra-server: remove google/github login ... 254262430f

We have generic OIDC now, no need for custom implementations!

hydra-server: logout redirects to oidc logout if user type is oidc ccd50ec7c5

This pull request can be merged automatically.

You are not authorized to merge this pull request.

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin oidc:oidc

git switch oidc

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git switch main

git merge --no-ff oidc

git switch oidc

git rebase main

git switch main

git merge --ff-only oidc

git switch oidc

git rebase main

git switch main

git merge --no-ff oidc

git switch main

git merge --squash oidc

git switch main

git merge --ff-only oidc

git switch main

git merge oidc

git push origin main

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

lix-project/hydra!73

No description provided.