18 changes: 10 additions & 8 deletions docker/auth-test/docker-compose.yml
Expand Up @@ -19,7 +19,7 @@ services:
container_name: mock-oauth2
environment:
- SERVER_PORT=9090
- JSON_CONFIG={"interactiveLogin":true,"httpServer":"NettyWrapper","tokenCallbacks":[{"issuerId":"default","tokenExpiry":3600,"requestMappings":[{"requestParam":"grant_type","match":"*","claims":{"sub":"testuser","email":"testuser@example.com","name":"Test User"}}]}]}
- JSON_CONFIG={"interactiveLogin":true,"httpServer":"NettyWrapper","tokenCallbacks":[{"issuerId":"default","tokenExpiry":3600,"requestMappings":[{"requestParam":"grant_type","match":"*","claims":{"sub":"testuser","email":"testuser@example.com","name":"Test User","roles":["Atlas users"]}}]}]}
ports:
- "9090:9090"
networks:
Expand Down Expand Up @@ -52,7 +52,7 @@ services:
- SPRING_FLYWAY_SCHEMAS=webapi
- SPRING_FLYWAY_PLACEHOLDERS_OHDSISCHEMA=webapi
- SECURITY_PROVIDER=AtlasRegularSecurity
- SECURITY_AUTH_OPENID_ENABLED=true
- SECURITY_AUTH_OIDC_ENABLED=true
- SECURITY_AUTH_DB_ENABLED=true
- SECURITY_AUTH_LDAP_ENABLED=false
- SECURITY_AUTH_AD_ENABLED=false
Expand All @@ -62,12 +62,14 @@ services:
- SECURITY_AUTH_OAUTH_GOOGLE_ENABLED=false
- SECURITY_AUTH_OAUTH_FACEBOOK_ENABLED=false
- SECURITY_AUTH_OAUTH_GITHUB_ENABLED=false
- SECURITY_AUTH_OPENID_CLIENTID=webapi-client
- SECURITY_AUTH_OPENID_APISECRET=webapi-secret
- SECURITY_AUTH_OPENID_URL=http://mock-oauth2:9090/default/.well-known/openid-configuration
- SECURITY_AUTH_OPENID_EXTERNALURL=http://localhost:9090/default
- SECURITY_AUTH_OPENID_LOGOUTURL=http://localhost:9090/default/endsession
- SECURITY_AUTH_OPENID_EXTRASCOPES=profile email
- SECURITY_AUTH_OIDC_CLIENTID=webapi-client
- SECURITY_AUTH_OIDC_APISECRET=webapi-secret
- SECURITY_AUTH_OIDC_URL=http://mock-oauth2:9090/default/.well-known/openid-configuration
- SECURITY_AUTH_OIDC_EXTERNALURL=http://localhost:9090/default
- SECURITY_AUTH_OIDC_LOGOUTURL=http://localhost:9090/default/endsession
- SECURITY_AUTH_OIDC_EXTRASCOPES=profile email
- SECURITY_AUTH_OIDC_ROLESCLAIM=roles
- SECURITY_DEFAULTROLES=Atlas users
- SECURITY_AUTH_OAUTH_CALLBACK_UI=http://localhost:18080/WebAPI/#/welcome
- SECURITY_AUTH_OAUTH_CALLBACK_API=http://localhost:18080/WebAPI/user/oauth/callback
- SECURITY_AUTH_OAUTH_CALLBACK_URLRESOLVER=query
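Review bot: `SECURITY_AUTH_OIDC_APISECRET=webapi-secret` in the third hunk hardcodes the client secret as a literal, while the sibling docker/integration-test/docker-compose.yml in this same commit reads it as `${OIDC_CLIENT_SECRET:-webapi-secret}`. Both composes point at the same mock server and introduce the same new key, so this one is easier to keep in step as `- SECURITY_AUTH_OIDC_APISECRET=${OIDC_CLIENT_SECRET:-webapi-secret}`. The mock `JSON_CONFIG` in the first hunk now issues a `roles` claim of `Atlas users`, but `SECURITY_DEFAULTROLES=Atlas users` presumably grants that same role to every login, so the new `SECURITY_AUTH_OIDC_ROLESCLAIM=roles` mapping cannot be distinguished from the default by these tests; a one-line comment stating which of the two is meant to be under test, or a claim value that differs from the default role, would make that observable.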
205 changes: 130 additions & 75 deletions docker/auth-test/postman/auth-tests.postman_collection.json
Expand Up @@ -46,22 +46,19 @@
{
"name": "OIDC Discovery Endpoint",
"event": [
{
"listen": "prerequest",
"script": {
"exec": [
"// OIDC tests disabled - skip this request",
"pm.execution.skipRequest();"
],
"type": "text/javascript"
}
},
{
"listen": "test",
"script": {
"exec": [
"pm.test('SKIPPED - OIDC not yet implemented', function() {",
" pm.expect(true).to.be.true;",
"pm.test('OIDC discovery endpoint returns 200', function() {",
" pm.response.to.have.status(200);",
"});",
"",
"pm.test('Discovery document contains required endpoints', function() {",
" const doc = pm.response.json();",
" pm.expect(doc).to.have.property('authorization_endpoint');",
" pm.expect(doc).to.have.property('token_endpoint');",
" pm.expect(doc).to.have.property('issuer');",
"});"
],
"type": "text/javascript"
Expand All @@ -86,22 +83,19 @@
{
"name": "Auth Providers Endpoint",
"event": [
{
"listen": "prerequest",
"script": {
"exec": [
"// OIDC tests disabled - skip this request",
"pm.execution.skipRequest();"
],
"type": "text/javascript"
}
},
{
"listen": "test",
"script": {
"exec": [
"pm.test('SKIPPED - OIDC not yet implemented', function() {",
" pm.expect(true).to.be.true;",
"pm.test('Auth providers returns 200', function() {",
" pm.response.to.have.status(200);",
"});",
"",
"pm.test('OpenID provider is listed', function() {",
" const providers = pm.response.json();",
" const oidc = providers.find(p => p.name === 'OpenID');",
" pm.expect(oidc).to.not.be.undefined;",
" pm.expect(oidc.url).to.equal('user/login/openid');",
"});"
],
"type": "text/javascript"
Expand Down Expand Up @@ -196,23 +190,32 @@
{
"name": "1. Start OIDC Login",
"event": [
{
"listen": "prerequest",
"script": {
"exec": [
"// OIDC tests disabled - skip this request",
"pm.execution.skipRequest();"
],
"type": "text/javascript"
}
},
{
"listen": "test",
"script": {
"exec": [
"pm.test('SKIPPED - OIDC not yet implemented', function() {",
" pm.expect(true).to.be.true;",
"});"
"pm.test('OIDC login returns 302 redirect', function() {",
" pm.response.to.have.status(302);",
"});",
"",
"const location = pm.response.headers.get('Location');",
"pm.test('Location header contains authorization endpoint', function() {",
" pm.expect(location).to.not.be.undefined;",
" pm.expect(location).to.include('client_id=');",
" pm.expect(location).to.include('state=');",
" pm.expect(location).to.include('response_type=code');",
"});",
"",
"// Extract the state parameter and full auth URL for subsequent requests",
"if (location) {",
" const stateMatch = location.match(/[?&#]state=([^&#]+)/);",
" const state = stateMatch ? stateMatch[1] : null;",
" pm.collectionVariables.set('oidc_state', state);",
" // The mock-oauth2-server's interactive login is at the authorization endpoint",
" // Newman needs the internal Docker URL, so replace localhost with mock-oauth2",
" const internalUrl = location.replace('localhost:9090', 'mock-oauth2:9090');",
" pm.collectionVariables.set('oidc_full_auth_url', internalUrl);",
"}"
],
"type": "text/javascript"
}
Expand Down Expand Up @@ -240,23 +243,32 @@
{
"name": "2. Simulate IdP Login",
"event": [
{
"listen": "prerequest",
"script": {
"exec": [
"// OIDC tests disabled - skip this request",
"pm.execution.skipRequest();"
],
"type": "text/javascript"
}
},
{
"listen": "test",
"script": {
"exec": [
"pm.test('SKIPPED - OIDC not yet implemented', function() {",
" pm.expect(true).to.be.true;",
"});"
"pm.test('IdP login returns redirect with code', function() {",
" pm.expect(pm.response.code).to.be.oneOf([302, 303]);",
"});",
"",
"const location = pm.response.headers.get('Location');",
"pm.test('Redirect contains authorization code', function() {",
" pm.expect(location).to.not.be.undefined;",
" pm.expect(location).to.include('code=');",
"});",
"",
"// Extract code and state from redirect",
"if (location) {",
" const codeMatch = location.match(/[?&#]code=([^&#]+)/);",
" const stateMatch = location.match(/[?&#]state=([^&#]+)/);",
" const code = codeMatch ? codeMatch[1] : null;",
" const state = stateMatch ? stateMatch[1] : null;",
" pm.collectionVariables.set('oidc_auth_code', code);",
" // State should match what we sent",
" if (state) {",
" pm.collectionVariables.set('oidc_state', state);",
" }",
"}"
],
"type": "text/javascript"
}
Expand Down Expand Up @@ -293,23 +305,33 @@
{
"name": "3. Complete OAuth Callback",
"event": [
{
"listen": "prerequest",
"script": {
"exec": [
"// OIDC tests disabled - skip this request",
"pm.execution.skipRequest();"
],
"type": "text/javascript"
}
},
{
"listen": "test",
"script": {
"exec": [
"pm.test('SKIPPED - OIDC not yet implemented', function() {",
" pm.expect(true).to.be.true;",
"});"
"pm.test('Callback returns 302 redirect to frontend', function() {",
" pm.response.to.have.status(302);",
"});",
"",
"const location = pm.response.headers.get('Location');",
"pm.test('Redirect contains JWT token', function() {",
" pm.expect(location).to.not.be.undefined;",
" pm.expect(location).to.include('token=');",
"});",
"",
"// Extract JWT from redirect URL",
"if (location) {",
" const tokenMatch = location.match(/[?&#]token=([^&#]+)/);",
" const token = tokenMatch ? tokenMatch[1] : null;",
" if (token) {",
" pm.collectionVariables.set('oidc_jwt_token', token);",
" pm.test('JWT token is well-formed', function() {",
" pm.expect(token).to.include('.');",
" const parts = token.split('.');",
" pm.expect(parts.length).to.equal(3);",
" });",
" }",
"}"
],
"type": "text/javascript"
}
Expand All @@ -322,14 +344,15 @@
"method": "GET",
"header": [],
"url": {
"raw": "{{base_url}}/user/oauth/callback?code={{oidc_auth_code}}&state={{oidc_state}}",
"raw": "{{base_url}}/user/oauth/callback/openid?code={{oidc_auth_code}}&state={{oidc_state}}",
"host": [
"{{base_url}}"
],
"path": [
"user",
"oauth",
"callback"
"callback",
"openid"
],
"query": [
{
Expand All @@ -351,8 +374,13 @@
"listen": "prerequest",
"script": {
"exec": [
"// OIDC tests disabled - skip this request",
"pm.execution.skipRequest();"
"const token = pm.collectionVariables.get('oidc_jwt_token');",
"if (token) {",
" pm.request.headers.add({",
" key: 'Authorization',",
" value: 'Bearer ' + token",
" });",
"}"
],
"type": "text/javascript"
}
Expand All @@ -361,9 +389,26 @@
"listen": "test",
"script": {
"exec": [
"pm.test('SKIPPED - OIDC not yet implemented', function() {",
" pm.expect(true).to.be.true;",
"});"
"const token = pm.collectionVariables.get('oidc_jwt_token');",
"if (!token) {",
" pm.test.skip('No OIDC token available');",
"} else {",
" pm.test('Refresh returns 200 with new JWT', function() {",
" pm.response.to.have.status(200);",
" });",
"",
" const jsonData = pm.response.json();",
" pm.test('Refresh response contains login and jwt', function() {",
" pm.expect(jsonData).to.have.property('login');",
" pm.expect(jsonData).to.have.property('jwt');",
" pm.expect(jsonData.login).to.equal('testuser');",
" });",
"",
" // Update token for subsequent requests",
" if (jsonData.jwt) {",
" pm.collectionVariables.set('oidc_jwt_token', jsonData.jwt);",
" }",
"}"
],
"type": "text/javascript"
}
Expand Down Expand Up @@ -391,8 +436,13 @@
"listen": "prerequest",
"script": {
"exec": [
"// OIDC tests disabled - skip this request",
"pm.execution.skipRequest();"
"const token = pm.collectionVariables.get('oidc_jwt_token');",
"if (token) {",
" pm.request.headers.add({",
" key: 'Authorization',",
" value: 'Bearer ' + token",
" });",
"}"
],
"type": "text/javascript"
}
Expand All @@ -401,9 +451,14 @@
"listen": "test",
"script": {
"exec": [
"pm.test('SKIPPED - OIDC not yet implemented', function() {",
" pm.expect(true).to.be.true;",
"});"
"const token = pm.collectionVariables.get('oidc_jwt_token');",
"if (!token) {",
" pm.test.skip('No OIDC token available');",
"} else {",
" pm.test('Protected endpoint accessible with OIDC token', function() {",
" pm.expect(pm.response.code).to.be.oneOf([200, 403]);",
" });",
"}"
],
"type": "text/javascript"
}
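Review bot: In the "2. Simulate IdP Login" hunk the comment `// State should match what we sent` is not backed by any assertion — the script overwrites `oidc_state` with whatever the redirect carries, so a mismatched state would go unnoticed and step 3 would simply forward it. Compare against the value stored by step 1 instead, e.g. a `pm.test('State matches the one sent', ...)` containing `pm.expect(state).to.equal(pm.collectionVariables.get('oidc_state'));`, and drop the overwrite. The final hunk's `pm.expect(pm.response.code).to.be.oneOf([200, 403])` likewise passes when the protected endpoint denies the OIDC user, so it cannot catch a broken `roles` mapping; if 403 is the expected outcome for `testuser` that deserves a comment, otherwise assert 200. The `"raw"` hunk now targets `user/oauth/callback/openid` while the compose files in this commit still set `SECURITY_AUTH_OAUTH_CALLBACK_API` to `.../user/oauth/callback`; if the provider suffix is appended server-side that is fine, but a short comment on the request would save the next reader the question.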
14 changes: 7 additions & 7 deletions docker/integration-test/docker-compose.yml
Expand Up @@ -79,7 +79,7 @@ services:
- SPRING_FLYWAY_SCHEMAS=webapi
- SPRING_FLYWAY_PLACEHOLDERS_OHDSISCHEMA=webapi
- SECURITY_PROVIDER=AtlasRegularSecurity
- SECURITY_AUTH_OPENID_ENABLED=true
- SECURITY_AUTH_OIDC_ENABLED=true
- SECURITY_AUTH_DB_ENABLED=true
- SECURITY_AUTH_LDAP_ENABLED=false
- SECURITY_AUTH_AD_ENABLED=false
Expand All @@ -89,12 +89,12 @@ services:
- SECURITY_AUTH_OAUTH_GOOGLE_ENABLED=false
- SECURITY_AUTH_OAUTH_FACEBOOK_ENABLED=false
- SECURITY_AUTH_OAUTH_GITHUB_ENABLED=false
- SECURITY_AUTH_OPENID_CLIENTID=webapi-client
- SECURITY_AUTH_OPENID_APISECRET=${OIDC_CLIENT_SECRET:-webapi-secret}
- SECURITY_AUTH_OPENID_URL=http://mock-oauth2:9090/default/.well-known/openid-configuration
- SECURITY_AUTH_OPENID_EXTERNALURL=http://localhost:9090/default
- SECURITY_AUTH_OPENID_LOGOUTURL=http://localhost:9090/default/endsession
- SECURITY_AUTH_OPENID_EXTRASCOPES=profile email
- SECURITY_AUTH_OIDC_CLIENTID=webapi-client
- SECURITY_AUTH_OIDC_APISECRET=${OIDC_CLIENT_SECRET:-webapi-secret}
- SECURITY_AUTH_OIDC_URL=http://mock-oauth2:9090/default/.well-known/openid-configuration
- SECURITY_AUTH_OIDC_EXTERNALURL=http://localhost:9090/default
- SECURITY_AUTH_OIDC_LOGOUTURL=http://localhost:9090/default/endsession
- SECURITY_AUTH_OIDC_EXTRASCOPES=profile email
- SECURITY_AUTH_OAUTH_CALLBACK_UI=http://localhost:18080/WebAPI/#/welcome
- SECURITY_AUTH_OAUTH_CALLBACK_API=http://localhost:18080/WebAPI/user/oauth/callback
- SECURITY_AUTH_OAUTH_CALLBACK_URLRESOLVER=query
4 changes: 2 additions & 2 deletions src/main/java/org/ohdsi/webapi/auth/AuthProviderService.java
Expand Up @@ -50,7 +50,7 @@ public class AuthProviderService {
@Value("${security.auth.cas.enabled}")
private boolean casAuthEnabled;

@Value("${security.auth.openId.enabled}")
@Value("${security.auth.oidc.enabled}")
private boolean openidAuthEnabled;

@Value("${security.auth.oauth.facebook.enabled}")
Expand All @@ -65,7 +65,7 @@ public class AuthProviderService {
@Value("${security.auth.saml.enabled}")
private boolean samlAuthEnabled;

@Value("${security.auth.openId.logoutUrl:}")
@Value("${security.auth.oidc.logoutUrl:}")
private String oidcLogoutUrl;

/**