Ericsson · feyruzb · May 17, 2024 · Jul 3, 2024 · Jul 4, 2024 · Jul 17, 2024
@@ -16,6 +16,9 @@ Table of Contents
         * [<i>LDAP</i> authentication](#ldap-authentication)
             * [Configuration options](#configuration-options)
     * Membership in custom groups with [<i>regex_groups</i>](#regex_groups-authentication)
+      * [<i>OAuth</i> authentication](#oauth-authentication)
+        * [<i>OAuth</i> Configuration options](#oauth-configuration-options)
+        * [<i>OAuth</i> details per each provider](#oauth-details-per-each-provider)
 * [Client-side configuration](#client-side-configuration)
     * [Web-browser client](#web-browser-client)
     * [Command-line client](#command-line-client)
@@ -39,31 +42,31 @@ is handled.
  * `enabled`
 
     Setting this to `false` disables privileged access
-    
+
  * `realm_name`
 
     The name to show for web-browser viewers' pop-up login window via
     *HTTP Authenticate*
-    
+
  * `realm_error`
 
     The error message shown in the browser when the user fails to authenticate
-    
+
  * `logins_until_cleanup`
 
     After this many login attempts made towards the server, it will perform an
     automatic cleanup of old, expired sessions.
     This option can be changed and reloaded without server restart by using the
     `--reload` option of CodeChecker server command.
-    
+
  * `session_lifetime`
 
     (in seconds) The lifetime of the session sets that after this many seconds
     since last session access the session is permanently invalidated.
 
     This option can be changed and reloaded without server restart by using the
     `--reload` option of CodeChecker server command.
-    
+
  * `refresh_time`
 
     (in seconds) Refresh time of the local session objects. We use local session
@@ -243,12 +246,12 @@ servers as it can elongate the authentication process.
  * `groupPattern`
 
    Group query pattern used LDAP query expression to find the group objects
-   a user is a member of. It must contain a `$USERDN$` pattern. 
+   a user is a member of. It must contain a `$USERDN$` pattern.
    `$USERDN$` will be automatically replaced by the queried user account DN.
 
  * `groupNameAttr`
 
-   The attribute of the group object which contains the name of the group. 
+   The attribute of the group object which contains the name of the group.
 
  * `groupScope`
 
@@ -320,6 +323,118 @@ groups. For more information [see](permissions.md#managing-permissions).
 
 ----
 
+### <i>OAUTH</i> authentication <a name="oauth-authentication"></a>
+
+CodeChecker also supports OAUTH-based authentication. The `authentication.method_oauth` section contains the configuration for OAUTH authentication for different OAUTH providers. The server can be configured for different Oauth `providers`. Users can be added into the `allowed_users`.
+
+#### OAUTH Configuration options <a name="oauth-configuration-options"></a>
+  * `enabled`
+
+    Indicated if OAuth authentication is enabled (required for any methods below)
+
+ * `providers`
+
+    The provider field contains configuration details for OAuth providers. Each provider's configuration includes but may vary depending on provider:
+
+  * `provider_name` as an object containing following properties:
+
+      * `enabled`
+
+          Indicates if current provider is enabled (github, google, etc)
+
+      * `oauth_client_id`
+
+           Contains client ID provided by the OAuth provider.
+
+      * `oauth_client_secret`
+
+          The client secret must be provided by the OAuth provider.
+
+      * `oauth_authorization_uri`
+
+          This link in used for redirecting user for provider's authentication page
+
+      * `oauth_callback_url`
+
+          User will be redirected back to the provided link after login with returned data.
+          It should be constructed in that format `http://codechecker_path/login/OAuthLogin/provider` where `provider` is the the name of the provider of OAuth and should match existing `provider_name`.The `oauth_callback_url` should also match the callback url specified in the config of your provider on their webpage.
+
+          Example of correct link using github, google and microsoft
+          * http://localhost:8080/login/OAuthLogin/github
+          * http://localhost:8080/login/OAuthLogin/google
+          * http://localhost:8080/login/OAuthLogin/microsoft
+          * https://codechecker.gic.ericsson.se/login/OAuthLogin/github
+
+      * `oauth_token_uri`
+
+          The URI to exchange the authorization code for an access token.
+
+      * `oauth_user_info_uri`
+
+          The URI to fetch the authenticated user's information.
+
+      * `oauth_scope`
+
+          The scope of access requested from the OAuth provider.
+
+      * `oauth_user_info_mapping`
+
+          A mapping of user info fields from the provider to local fields.
+
+          * `username`
+
+              Field for the username.
+          * `email`
+
+              Field for the email.
+          * `fullname`
+
+              Field for the fullname.
+      * `allowed_users`
+
+          list of approved usernames independently specified per each provider
+~~~{.json}
+"method_oauth": {
+      "enabled": false,
+      "providers": {
+        "example_provider": {
+          "enabled": false,
+          "oauth_client_id": "client id",
+          "oauth_client_secret": "client secret",
+          "oauth_authorization_uri": "https://accounts.google.com/o/oauth2/auth",
+          "oauth_callback_url": "http://localhost:8080/login/OAuthLogin/provider",
+          "oauth_token_uri": "https://accounts.google.com/o/oauth2/token",
+          "oauth_user_info_uri": "https://www.googleapis.com/oauth2/v1/userinfo",
+          "oauth_scope": "openid email profile",
+          "oauth_user_info_mapping": {
+            "username": "email",
+            "email": "email",
+            "fullname": "name"
+          },
+          "allowed_users": [
+            "user1",
+            "user2",
+            "user3"
+          ]
+        }
+      }
+    }
+~~~
+
+#### OAuth Details per each provider <a name ="oauth-details-per-each-provider"></a>
+
+* Important: 'oauth_callback_url' must always match with link specified in the
+Providers settings when issuing an access token.
+
+* Important: At the time this code was written, GitHub doesn't support PKCE (Proof Key for Code Exchange).
+Therefore PKCE is not used when users log in using GitHub.
+If GitHub starts supporting PKCE in the future, the code should automatically
+start using it ,and in that case, this note can be removed.
+
+* Important: To maintain consistency between GitHub and other providers, we need to fetch primary email
+from another endpoint because GitHub dosn't provide the primary email in the `user_info`,so
+we make an API request to fetch the primary email of the GitHub and use it instead of the username provided by the `user_info`.
+
 # Client-side configuration <a name="client-side-configuration"></a>
 
 ## Web-browser client <a name="web-browser-client"></a>

@@ -68,6 +68,13 @@ service codeCheckerAuthentication {
   string performLogin(1: string authMethod,
                       2: string authString)
                       throws (1: codechecker_api_shared.RequestFailed requestError),
+
+  // Returns list of providers for oauth for respective appearence of buttons.
+  list<string> getOauthProviders(),
+
+  // Create a link for the user to log in for github Oauth.
+  string createLink(1: string provider)
+                    throws (1: codechecker_api_shared.RequestFailed requestError),
 
   // Performs logout action for the user. Must be called from the
   // corresponding valid session which is to be destroyed.

@@ -12,9 +12,9 @@
 
 import getpass
 import sys
-
 from thrift.Thrift import TApplicationException
 
+
 import codechecker_api_shared
 from codechecker_api.Authentication_v6 import ttypes as AuthTypes
 

@@ -44,6 +44,14 @@ def getAccessControl(self):
     def performLogin(self, auth_method, auth_string):
         pass
 
+    @thrift_client_call
+    def createLink(self, provider):
+        pass
+
+    @thrift_client_call
+    def getOauthProviders(self):
+        pass
+
     @thrift_client_call
     def destroySession(self):
         pass

@@ -1,2 +1,4 @@
 python-ldap==3.4.0
 python-pam==1.8.4
+Authlib==1.3.1
+requests==2.32.3