Merge branch 'oidc-logout' into 'main'

Oidc logout See merge request reportcreator/reportcreator!827
Syslifters · Jan 15, 2025 · 3fc0684 · 3fc0684
2 parents 588704d + 9b375de
commit 3fc0684
Show file tree

Hide file tree

Showing 9 changed files with 30 additions and 23 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
 
+## Upcoming
+* Do not automatically log in (e.g. via OIDC) after logout
+* OIDC: use preferred_username as login_hint for re-authentication
+
+
 ## v2025.4 - 2025-01-14
 * Plugin projectnumber: Add manage.py command to reset projectnumber
 * Add plugin: renderfindings - Render single finding to PDF

diff --git a/api/src/reportcreator_api/conf/settings.py b/api/src/reportcreator_api/conf/settings.py
@@ -269,7 +269,7 @@ def remove_empty_items(lst=None):
 if OIDC_AZURE_CLIENT_ID and OIDC_AZURE_CLIENT_SECRET and OIDC_AZURE_TENANT_ID:
     AUTHLIB_OAUTH_CLIENTS |= {
         'azure': {
-            'label': 'Azure AD',
+            'label': 'Microsoft Entra ID',
             'client_id': OIDC_AZURE_CLIENT_ID,
             'client_secret': OIDC_AZURE_CLIENT_SECRET,
             'server_metadata_url': f'https://login.microsoftonline.com/{OIDC_AZURE_TENANT_ID}/v2.0/.well-known/openid-configuration',

diff --git a/api/src/reportcreator_api/users/views.py b/api/src/reportcreator_api/users/views.py
@@ -463,7 +463,7 @@ def login_oidc_complete(self, request, oidc_provider, *args, **kwargs):
             can_reauth = (timezone.now() - timezone.make_aware(datetime.fromtimestamp(auth_time))) < timedelta(minutes=1)
         res = self.perform_login(request, identity.user, can_reauth=can_reauth)
         request.session['authentication_info'] |= {
-            f'oidc_{oidc_provider}_login_hint': token['userinfo'].get('login_hint'),
+            f'oidc_{oidc_provider}_login_hint': token['userinfo'].get('preferred_username') or token['userinfo'].get('login_hint'),
         }
         return res
 

diff --git a/docs/docs/setup/configuration.md b/docs/docs/setup/configuration.md
@@ -103,7 +103,7 @@ Make sure all users have SSO identities configured before enabling this option.
 LOCAL_USER_AUTH_ENABLED=false
 ```
 
-Configuration of the default authentication provider when multiple authentication providers are enabled (e.g. OIDC via Azure AD and username/password).
+Configuration of the default authentication provider when multiple authentication providers are enabled (e.g. OIDC via Microsoft Entra ID and username/password).
 This setting will redirect users to the default authentication provider, skipping the selection. Other authentication providers can still be used if login via the default provider fails.
 
 Possible values: `azure`, `google`, `remoteuser`, `local` (username/password authentication)

diff --git a/...docs/users/oidc-azure-active-directory.md → docs/docs/users/oidc-entra-id.md b/...docs/users/oidc-azure-active-directory.md → docs/docs/users/oidc-entra-id.md
@@ -1,10 +1,10 @@
 ---
-title: Azure Active Directory OIDC Configuration
+title: Microsoft Entra ID OIDC Configuration
 ---
-# Azure Active Directory OIDC Configuration
+# Microsoft Entra ID OIDC Configuration
 <span style="color:red;">:octicons-heart-fill-24: Pro only</span>
 
-## Configuration in Azure AD
+## Configuration in Microsoft Entra ID
 1. Open [Microsoft Entra Admin Center](https://entra.microsoft.com){ target=_blank }
 2. Select Applications -> App registrations -> New registration
 3. In following menu: 
@@ -30,7 +30,7 @@ You should now have the following values:
 
 * Client ID
 * Client secret
-* Azure tendant ID
+* Entra tendant ID
 
 
 ## Cloud Setup
@@ -45,12 +45,12 @@ You are lucky. Just send the values from the previous steps to us and we'll take
 The values from the previous steps need to be passed as environment variables to the SysReptor docker container.
 You can add them to `<sysreptor-repository>/deploy/app.env`:
 ```env
-OIDC_AZURE_TENANT_ID=<azure tenant id>
-OIDC_AZURE_CLIENT_ID=<azure client id>
-OIDC_AZURE_CLIENT_SECRET=<azure client secret>
+OIDC_AZURE_TENANT_ID=<entra tenant id>
+OIDC_AZURE_CLIENT_ID=<entra client id>
+OIDC_AZURE_CLIENT_SECRET=<entra client secret>
 ```
 
-The OIDC client needs to be able to establish a network connection to Azure AD.
+The OIDC client needs to be able to establish a network connection to Microsoft Entra ID.
 Make sure to not block outgoing traffic.
 
 Restart the docker container by going to `sysreptor/deploy` and:

diff --git a/docs/docs/users/oidc-setup.md b/docs/docs/users/oidc-setup.md
@@ -2,7 +2,7 @@
 <span style="color:red;">:octicons-heart-fill-24: Pro only</span>
 
 1. Configure your Identity Provider (IDP) and add configuration details to your `app.env`
-    * [Azure Active Directory](../users/oidc-azure-active-directory.md)
+    * [Microsoft Entra ID](../users/oidc-entra-id.md)
     * [Google Workplace/Google Identity](../users/oidc-google.md)
     * [Keycloak](../users/oidc-keycloak.md)
     * [Generic OIDC setup](../users/oidc-generic.md)

diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml
@@ -40,7 +40,7 @@ nav:
       - Single Sign-On:
           - SSO Setup: users/oidc-setup.md
           - Keycloak: users/oidc-keycloak.md
-          - Azure AD: users/oidc-azure-active-directory.md
+          - Microsoft Entra ID: users/oidc-azure-active-directory.md
           - Google: users/oidc-google.md
           - Generic: users/oidc-generic.md
       - Forgot Password: users/forgot-password.md
@@ -139,7 +139,8 @@ plugins:
         "setup/user-permissions.md": "users/user-permissions.md"
         "setup/oidc-setup.md": "users/oidc-setup.md"
         "setup/oidc-keycloak.md": "users/oidc-keycloak.md"
-        "setup/oidc-azure-active-directory.md": "users/oidc-azure-active-directory.md"
+        "setup/oidc-azure-active-directory.md": "users/oidc-entra-id.md"
+        "users/oidc-azure-active-directory.md": "users/oidc-entra-id.md"
         "setup/oidc-google.md": "users/oidc-google.md"
         "setup/oidc-generic.md": "users/oidc-generic.md"
         "setup/proxy.md": "setup/configuration.md"

diff --git a/packages/frontend/src/pages/login/index.vue b/packages/frontend/src/pages/login/index.vue
@@ -26,14 +26,15 @@ const auth = useAuth();
 const apiSettings = useApiSettings();
 
 useLazyAsyncData(async () => {
-  // Do not auto-login after logout
-  if (!route.query?.logout) {
-    const authProviders = apiSettings.settings!.auth_providers;
-    let defaultAuthProvider = authProviders.find(p => p.id === apiSettings.settings!.default_auth_provider);
-    if (!defaultAuthProvider && authProviders.length === 1) {
-      defaultAuthProvider = authProviders[0];
-    }
-    if (defaultAuthProvider) {
+  const authProviders = apiSettings.settings!.auth_providers;
+  let defaultAuthProvider = authProviders.find(p => p.id === apiSettings.settings!.default_auth_provider);
+  if (!defaultAuthProvider && authProviders.length === 1) {
+    defaultAuthProvider = authProviders[0];
+  }
+
+  if (defaultAuthProvider) {
+    // Do not auto-login after logout
+    if (!route.query?.logout || (authProviders.length === 1 && defaultAuthProvider.type === AuthProviderType.LOCAL)) {
       await auth.authProviderLoginBegin(defaultAuthProvider);
     }
   }

diff --git a/packages/nuxt-base-layer/src/composables/auth.ts b/packages/nuxt-base-layer/src/composables/auth.ts
@@ -95,7 +95,7 @@ export function useAuth() {
     } catch {
       // Ignore errors
     }
-    await navigateTo('/login/');
+    await navigateTo('/login/?logout=true');
     store.user = null;
   }