OIDC bugs and improvements

[martenson]

Follow up tasks for #4474

• UI for pairing of an existing account with OIDC sign in
• UI for disconnecting OIDC
• use standard button for google sign in (like User authentication using OpenID Connect protocol  #4474 (comment))
• bug in js console (refuse to display in a frame because it set 'X-Frame-Options' to 'sameorigin'.) that prevents the 'sign in with google' button from working
• ftp note to upload modal (add note to FTP modal when oidc is enabled #5814)
• tests (definitely API, maybe even selenium?)
• change other random password creations (e.g., this) to leverage set_random_password
• OIDC Login: no email sent on first authentication, only on "resend email" #8245
• OIDC Registered accounts do not create a default private role #8244
• Support OIDC for CNAMEs #8215
• Show welcome after OIDC login #8099
• Use official "login with" buttons for OIDC #8107

[martenson]

Moving to 19.01. I would be nice to get this done so we can enable it on Main.

[martenson]

Pushing to 19.05 for now. @VJalili is there hope to get this to 19.01?

[dannon]

As with the other login related changes, we'll get this into 19.05.

[martenson]

@dannon cool, thanks for the update!

[martenson]

The missing UIs are still road blocks towards enabling this on any public servers.

[VJalili]

@martenson A UI to login with Google is available now. We still need UI for other IdPs, and also for "disconnect".

[VJalili]

So you can check all the items except the second, and the second last.

[martenson]

I reworded the first two and checked the others you requested. Thanks!

[bgruening]

I have a general question. Is my understanding correct that I can only have one Keycloak provider? If so this does not make much sense. It feels like everyone is offering nowadays a Keycloak Idp and we have no way to support multiple ones.

Imho we are also lacking a way to specify a description field for the provider. See the below screenshot. The provider name "Keycloak" does not say anything to the user, it would be better if we could label it differently to specify the name of the organization etc...

Mybe we need a type and ID attribute next to name in the configuration?

    <provider type="Keycloak" id="dataplant01" name="Fancy ORG with Keycload Auth">
    </provider>

Another thing I recognized is that the keycloak provider ends up in the custos_authnz_token table. It took me a while to find that. Should the table not be named oidc_authnz_token? If we support multiple providers of the same kind, we need a column in this table to distinguish them I think.

[afgane]

My understanding is that at the moment there can only be a single Keycloak (or any other) provider type. The reason the token is placed in the custos_authnz_token (and why Keycloak is supported to begin with) is because Custos is relying on Keycloak so the interfaces are compatible and was straightforward to add Keycloak after Custos was implemented. Overall, yes, there's certainly room for improvement and the current state is just a place where we stand right now.