Skip to content

Commit

Permalink
added documentation for oauth
Browse files Browse the repository at this point in the history
  • Loading branch information
feyruzb committed Jul 29, 2024
1 parent 8f9a467 commit de2e213
Show file tree
Hide file tree
Showing 6 changed files with 152 additions and 26 deletions.
Binary file removed analyzer/tools/build-logger/ldlogger
Binary file not shown.
Binary file removed analyzer/tools/build-logger/ldlogger_32.so
Binary file not shown.
157 changes: 140 additions & 17 deletions docs/web/authentication.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,23 +9,28 @@ the results stored on a server.
Table of Contents
=================
* [Server-side configuration](#server-side-configuration)
* [<i>Dictionary</i> authentication](#dictionary-authentication)
* [External authentication methods](#external-auth-methods)
* [<i>PAM</i> authentication](#pam-authentication)
* [<i>LDAP</i> authentication](#ldap-authentication)
* [Configuration options](#configuration-options)
* Membership in custom groups with [<i>regex_groups</i>](#regex_groups-authentication)
* [Client-side configuration](#client-side-configuration)
* [Web-browser client](#web-browser-client)
* [Command-line client](#command-line-client)
* [Preconfigured credentials](#preconfigured-credentials)
* [Automatic login](#automatic-login)
* [Currently active tokens](#currently-active-tokens)
* [Personal access token](#personal-access-token)
* [`new`](#new-personal-access-token)
* [`list`](#list-personal-access-token)
* [`del`](#remove-personal-access-token)
- [CodeChecker authentication subsystem](#codechecker-authentication-subsystem)
- [Table of Contents](#table-of-contents)
- [Server-side configuration ](#server-side-configuration-)
- [Dictionary authentication ](#dictionary-authentication-)
- [External authentication methods ](#external-authentication-methods-)
- [PAM authentication ](#pam-authentication-)
- [LDAP authentication ](#ldap-authentication-)
- [Configuration options ](#configuration-options-)
- [Membership in custom groups with regex\_groups](#membership-in-custom-groups-with-regex_groups)
- [OAUTH authentication ](#oauth-authentication-)
- [OAUTH Configuration options ](#oauth-configuration-options-)
- [Details per each provider ](#details-per-each-provider-)
- [Client-side configuration ](#client-side-configuration-)
- [Web-browser client ](#web-browser-client-)
- [Command-line client ](#command-line-client-)
- [Preconfigured credentials ](#preconfigured-credentials-)
- [Automatic login ](#automatic-login-)
- [Currently active tokens ](#currently-active-tokens-)
- [Personal access token ](#personal-access-token-)
- [New personal access token ](#new-personal-access-token-)
- [List personal access tokens ](#list-personal-access-tokens-)
- [Remove personal access token ](#remove-personal-access-token-)

# Server-side configuration <a name="server-side-configuration"></a>

Expand Down Expand Up @@ -320,6 +325,124 @@ groups. For more information [see](permissions.md#managing-permissions).

----

### <i>OAUTH</i> authentication <a name="oauth-authentication"></a>

CodeChecker also supports OAUTH-based authentication. The `authentication.method_oauth` section contains the configuration for OAUTH authentication for different OAUTH providers. The server can be configured for different Oauth `providers` .Users can be added into the `allowed_users`

#### OAUTH Configuration options <a name="oauth-configuration-options"></a>
* `enabled`

Indicated if OAUTH method is enabled

* `providers`

The provider field contains configuration details for OAuth providers. Each provider's configuration includes but may vary depending on provider:

* `enabled`

Indicates if the Oauth provider is enabled

* `oauth_client_id`

Contains client ID provided by the OAuth provider.


* `oauth_client_secret`

The client secret provided by the OAuth provider.

* `oauth_authorization_uri`

This link in used for redirecting user for perovider's authentication page

* `oauth_redirect_uri`

The oauth_redirect_uri URI to which the OAuth provider will redirect after authorization and in some providers used for confirming the redirection URI.

* `oauth_token_uri`

The URI to exchange the authorization code for an access token.

* `oauth_user_info_uri`

The URI to fetch the authenticated user's information.

* `oauth_scope`

The scope of access requested from the OAuth provider.

* `oauth_user_info_mapping`

A mapping of user info fields from the provider to local fields.

* `username`

Field for the username.
* `email`

Field for the email.
* `fullname`

Field for the fullname.
* `allowed_users`

A list of allowed users differently configured for each provider

~~~{.json}
"method_oauth": {
"enabled": false,
"providers": {
"github": {
"enabled": false,
"oauth_client_id": "client id",
"oauth_client_secret": "client secret",
"oauth_authorization_uri": "https://github.com/login/oauth/authorize",
"oauth_token_uri": "https://github.com/login/oauth/access_token",
"oauth_user_info_uri": "https://api.github.com/user",
"oauth_scope": "openid email profile",
"oauth_user_info_mapping": {
"username": "login",
"email": "email",
"fullname": "name"
},
"allowed_users": [
"user1",
"user2",
"user3"
]
},
"google": {
"enabled": false,
"oauth_client_id": "client id",
"oauth_client_secret": "client secret",
"oauth_authorization_uri": "https://accounts.google.com/o/oauth2/auth",
"oauth_redirect_uri": "http://localhost:8080/login",
"oauth_token_uri": "https://accounts.google.com/o/oauth2/token",
"oauth_user_info_uri": "https://www.googleapis.com/oauth2/v1/userinfo",
"oauth_scope": "openid email profile",
"oauth_user_info_mapping": {
"username": "email",
"email": "email",
"fullname": "name"
},
"allowed_users": [
"user1",
"user2",
"user3"
]
}
}
}
~~~

#### Details per each provider <a name ="details-per-each-provider"></a>

* For Google OAuth to function correctly, the `oauth_redirect_uri` in application's configuration must exactly match the `Authorized redirect URIs` specified in the Google API Console.

* For GitHub to redirect correctly, set the `Authorization callback URL` to the login page of CodeChecker. This ensures proper processing of the authorization. Additionally, set the homepage URL to the homepage of CodeChecker.



# Client-side configuration <a name="client-side-configuration"></a>

## Web-browser client <a name="web-browser-client"></a>
Expand Down
3 changes: 2 additions & 1 deletion web/server/codechecker_server/api/authentication.py
Original file line number Diff line number Diff line change
Expand Up @@ -137,7 +137,6 @@ def createLinkGoogle(self):
scope = oauth_config["oauth_scope"]
authorization_uri = oauth_config["oauth_authorization_uri"]
redirect_uri = oauth_config["oauth_redirect_uri"]
token_uri = oauth_config["oauth_token_uri"]


# Create an OAuth2Session instance
Expand Down Expand Up @@ -242,6 +241,7 @@ def performLogin(self, auth_method, auth_string):
scope = oauth_config["oauth_scope"]
token_url = oauth_config["oauth_token_uri"]
user_info_url = oauth_config["oauth_user_info_uri"]


session = OAuth2Session(client_id, client_secret, scope=scope)
token = session.fetch_token(
Expand Down Expand Up @@ -290,6 +290,7 @@ def performLogin(self, auth_method, auth_string):
"User is not authorized to access this service.")

session = self.__manager.create_session("google@" + email + ":" + token['access_token'])

return session.token

raise codechecker_api_shared.ttypes.RequestFailed(
Expand Down
16 changes: 8 additions & 8 deletions web/server/config/server_config.json
Original file line number Diff line number Diff line change
Expand Up @@ -50,13 +50,12 @@
"providers": {
"github": {
"enabled": false,
"oauth_client_id": "example_id",
"oauth_client_secret": "example_secret",
"oauth_redirect_uri": "http://localhost:8001/login",
"oauth_client_id": "client id",
"oauth_client_secret": "client secret",
"oauth_authorization_uri": "https://github.com/login/oauth/authorize",
"oauth_token_uri": "https://github.com/login/oauth/access_token",
"oauth_user_info_uri": "https://api.github.com/user",
"oauth_scope": "user:email",
"oauth_scope": "openid email profile",
"oauth_user_info_mapping": {
"username": "login",
"email": "email",
Expand All @@ -70,12 +69,13 @@
},
"google": {
"enabled": false,
"oauth_client_id": "example_id",
"oauth_client_secret": "example_secret",
"oauth_client_id": "client id",
"oauth_client_secret": "client secret",
"oauth_authorization_uri": "https://accounts.google.com/o/oauth2/auth",
"oauth_token_uri": "https://oauth2.googleapis.com/token",
"oauth_redirect_uri": "http://localhost:8080/login",
"oauth_token_uri": "https://accounts.google.com/o/oauth2/token",
"oauth_user_info_uri": "https://www.googleapis.com/oauth2/v1/userinfo",
"oauth_scope": "https://www.googleapis.com/auth/userinfo.email",
"oauth_scope": "openid email profile",
"oauth_user_info_mapping": {
"username": "email",
"email": "email",
Expand Down
2 changes: 2 additions & 0 deletions web/server/vue-cli/src/views/Login.vue
Original file line number Diff line number Diff line change
Expand Up @@ -152,8 +152,10 @@ export default {
const url = new URL(window.location.href);
let code = null, state = null;
//get the code and state from the url
code = url.searchParams.get("code");
state = url.searchParams.get("state");
//get the provider from the cookie
const provider = document.cookie.split(";").find(
c => c.includes("oauth_provider")).split("=")[1];
Expand Down

0 comments on commit de2e213

Please sign in to comment.