feat: Preliminary OIDC implementation

[jescalada]

Fixes #905.

It adds the OIDC login button to the login page (/login) and the internals for OIDC. I would appreciate some feedback before I fill in the missing MongoDB implementation and clean up the package-lock.json.

To get this to work, I modified the proxy.config.json. I filled in the authentication section with my own OIDC provider config. If you want to use my own config from below, let me know your email so I can register you with my Google client.

Also, let me know if there is a better way to set the config! (I noticed user-settings.json being mentioned in the unit tests)

"authentication": [
    {
      "type": "local",
      "enabled": false
    },
    {
      "type": "ActiveDirectory",
      "enabled": false,
      "adminGroup": "",
      "userGroup": "",
      "domain": "",
      "adConfig": {
        "url": "",
        "baseDN": "",
        "searchBase": ""
      }
    },
    {
      "type": "openidconnect",
      "enabled": true,
      "oidcConfig": {
        "issuer": "https://accounts.google.com/",
        "clientID": "...", // Add your client ID
        "clientSecret": "...", // Add your client secret
        "authorizationURL": "https://accounts.google.com/o/oauth2/auth",
        "tokenURL": "https://oauth2.googleapis.com/token",
        "userInfoURL": "https://openidconnect.googleapis.com/v1/userinfo",
        "callbackURL": "http://localhost:8080/api/auth/oidc/callback",
        "scope": "openid email profile"
      }
    }
  ],

Note: Currently, the above config will make existing unit tests fail (because it disables the local auth for OIDC to work). To make them pass again, set the local authentication in the config to "enabled": true. We're working on patching this up by refactoring to allow multiple auth methods to coexist (G-Research#6).

If you feel like this PR is too barebones to merge in, I can add more improvements, like the multiple auth system, so that everything works well and is backward-compatible! Let me know if you prefer small, incremental PRs or completed and well-tested flows.

Changelog

• Add OIDC login backend (endpoints, filesystem database functions) and frontend
  • Add trivial E2E test for OIDC, as it testing the whole flow is challenging
• Add checks for easier development
  • Why? To speed up refresh time by running the frontend separately in dev. Let me know if there's a cleaner way to handle it
• Fix minor issues to complete OIDC auth flow

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: jescalada / name: Juan Escalada (d3d04a0, 96edf6a, ddcacee, 712938b, 0a0656d, d157d96, 5c93210, 1c19264, 52e33d9, 49a09b3, 4f71e77, a096252, 8d0453f)
• ✅ login: JamieSlome / name: Jamie Slome (8017b10, c61506a)

[netlify]

✅ Deploy Preview for endearing-brigadeiros-63f9d0 canceled.

Name	Link
🔨 Latest commit	8017b10
🔍 Latest deploy log	https://app.netlify.com/sites/endearing-brigadeiros-63f9d0/deploys/67d2c6cd78c143000844ff91

[coopernetes]

Thank you for the contribution @jescalada ! Glad to see the addition of OIDC login support to enable the use of more identity providers 😁

When you get a chance, please ensure to sign the CLA so that this PR can be eventually merged.

[jescalada]

@coopernetes It was tough to integrate openid-client since the latest version (v6) completely changed how auth works, so the documentation was sparse. However, I did manage to get the whole flow working again.

Some additions were the manual sub check (the previous library perhaps did this automatically?) and the manual user info fetch to handle user serialization.

Let me know what you think!

After integrating the multiple auth method system, things will make more sense, as this PR will force you to use OIDC exclusively.

[JamieSlome]

@06kellyjac (cc) 🍰

[JamieSlome]

Solid PR! 🍰 A couple of comments and requested changes 👍

[jescalada]

Hi @JamieSlome and @coopernetes, our CLA got cleared, so I'd appreciate one final look! 😃

[JamieSlome]

LGTM! 🚀 🍰

[codecov]

Codecov Report

Attention: Patch coverage is 21.59091% with 69 lines in your changes missing coverage. Please review.

Project coverage is 61.06%. Comparing base (6ba8021) to head (8017b10).
Report is 17 commits behind head on main.

Files with missing lines	Patch %	Lines
src/service/passport/oidc.js	13.46%	45 Missing ⚠️
src/service/routes/auth.js	27.77%	13 Missing ⚠️
src/db/file/users.js	12.50%	7 Missing ⚠️
src/service/passport/index.js	40.00%	3 Missing ⚠️
src/service/routes/users.js	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #906      +/-   ##
==========================================
- Coverage   63.20%   61.06%   -2.15%     
==========================================
  Files          47       48       +1     
  Lines        1685     1767      +82     
==========================================
+ Hits         1065     1079      +14     
- Misses        620      688      +68     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[JamieSlome]

@jescalada - can we look at the Codecov above and address as some technical debt? 🤝

I'll package this feature up and release under v1.9.0 👍

[jescalada]

@JamieSlome Absolutely! Once all the OIDC-related features are merged, I can do a final PR to increase test coverage. We have 4 more bite-sized OIDC/Auth/JWT PRs and no additional ones for the foreseeable future.

Thanks for taking a look at this one! 😃

[JamieSlome]

Great, thanks! ❤️@jescalada