feat: support oidc login

Author: Jraaay

api/settings/settings.go

@@ -52,6 +52,7 @@ func GetSettings(c *gin.Context) {
 		"database":  settings.DatabaseSettings,
 		"auth":      settings.AuthSettings,
 		"casdoor":   settings.CasdoorSettings,
+		"oidc":      settings.OIDCSettings,
 		"cert":      settings.CertSettings,
 		"http":      settings.HTTPSettings,
 		"logrotate": settings.LogrotateSettings,
@@ -74,6 +75,7 @@ func SaveSettings(c *gin.Context) {
 		Openai    settings.OpenAI    `json:"openai"`
 		Logrotate settings.Logrotate `json:"logrotate"`
 		Nginx     settings.Nginx     `json:"nginx"`
+		Oidc      settings.OIDC      `json:"oidc"`
 	}
 
 	if !cosy.BindAndValid(c, &json) {
@@ -130,6 +132,7 @@ func SaveSettings(c *gin.Context) {
 	cSettings.ProtectedFill(settings.OpenAISettings, &json.Openai)
 	cSettings.ProtectedFill(settings.LogrotateSettings, &json.Logrotate)
 	cSettings.ProtectedFill(settings.NginxSettings, &json.Nginx)
+	cSettings.ProtectedFill(settings.OIDCSettings, &json.Oidc)
 
 	err := settings.Save()
 	if err != nil {

api/user/oidc.go

@@ -0,0 +1,207 @@
+package user
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/hex"
+	"errors"
+	"net/http"
+	"strings"
+
+	"github.com/0xJacky/Nginx-UI/internal/user"
+	"github.com/0xJacky/Nginx-UI/settings"
+	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/gin-gonic/gin"
+	"github.com/uozi-tech/cosy"
+	cSettings "github.com/uozi-tech/cosy/settings"
+	"golang.org/x/oauth2"
+	"gorm.io/gorm"
+)
+
+type OIDCLoginUser struct {
+	Code  string `json:"code" binding:"required,max=255"`
+	State string `json:"state" binding:"required,max=255"`
+}
+
+func OIDCCallback(c *gin.Context) {
+	var loginUser OIDCLoginUser
+
+	ok := cosy.BindAndValid(c, &loginUser)
+	if !ok {
+		return
+	}
+
+	state, err := c.Cookie("oidc_state")
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{
+			"message": "State cookie not found",
+		})
+		return
+	}
+
+	if state != loginUser.State {
+		c.JSON(http.StatusForbidden, gin.H{
+			"message": "State mismatch",
+		})
+		return
+	}
+
+	c.SetCookie("oidc_state", "", -1, "/", "", cSettings.ServerSettings.EnableHTTPS, true)
+
+	endpoint := settings.OIDCSettings.Endpoint
+	clientId := settings.OIDCSettings.ClientId
+	clientSecret := settings.OIDCSettings.ClientSecret
+	redirectUri := settings.OIDCSettings.RedirectUri
+
+	if endpoint == "" || clientId == "" || clientSecret == "" || redirectUri == "" {
+		c.JSON(http.StatusInternalServerError, gin.H{
+			"message": "OIDC is not configured",
+		})
+		return
+	}
+
+	ctx := context.Background()
+	provider, err := oidc.NewProvider(ctx, endpoint)
+	if err != nil {
+		cosy.ErrHandler(c, err)
+		return
+	}
+
+	scopes := []string{oidc.ScopeOpenID, "profile", "email"}
+	if settings.OIDCSettings.Scopes != "" {
+		scopes = strings.Split(settings.OIDCSettings.Scopes, " ")
+	}
+
+	oauth2Config := oauth2.Config{
+		ClientID:     clientId,
+		ClientSecret: clientSecret,
+		RedirectURL:  redirectUri,
+		Endpoint:     provider.Endpoint(),
+		Scopes:       scopes,
+	}
+
+	oauth2Token, err := oauth2Config.Exchange(ctx, loginUser.Code)
+	if err != nil {
+		cosy.ErrHandler(c, err)
+		return
+	}
+
+	rawIDToken, ok := oauth2Token.Extra("id_token").(string)
+	if !ok {
+		c.JSON(http.StatusInternalServerError, gin.H{
+			"message": "No id_token field in oauth2 token",
+		})
+		return
+	}
+
+	idTokenVerifier := provider.Verifier(&oidc.Config{ClientID: clientId})
+	idToken, err := idTokenVerifier.Verify(ctx, rawIDToken)
+	if err != nil {
+		cosy.ErrHandler(c, err)
+		return
+	}
+
+	var claims map[string]interface{}
+
+	if err := idToken.Claims(&claims); err != nil {
+		cosy.ErrHandler(c, err)
+		return
+	}
+
+	var username string
+
+	if settings.OIDCSettings.Identifier != "" {
+		if v, ok := claims[settings.OIDCSettings.Identifier]; ok {
+			username, _ = v.(string)
+		}
+	}
+
+	if username == "" {
+		if v, ok := claims["email"]; ok {
+			username, _ = v.(string)
+		}
+	}
+
+	if username == "" {
+		if v, ok := claims["name"]; ok {
+			username, _ = v.(string)
+		}
+	}
+
+	if username == "" {
+		if v, ok := claims["sub"]; ok {
+			username, _ = v.(string)
+		}
+	}
+
+	u, err := user.GetUser(username)
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			c.JSON(http.StatusForbidden, gin.H{
+				"message": "User not exist",
+			})
+		} else {
+			cosy.ErrHandler(c, err)
+		}
+		return
+	}
+
+	userToken, err := user.GenerateJWT(u)
+	if err != nil {
+		cosy.ErrHandler(c, err)
+		return
+	}
+
+	c.JSON(http.StatusOK, LoginResponse{
+		Message:            "ok",
+		AccessTokenPayload: userToken,
+	})
+}
+
+func GetOIDCUri(c *gin.Context) {
+	endpoint := settings.OIDCSettings.Endpoint
+	clientId := settings.OIDCSettings.ClientId
+	redirectUri := settings.OIDCSettings.RedirectUri
+	scopes := settings.OIDCSettings.Scopes
+
+	if endpoint == "" || clientId == "" || redirectUri == "" {
+		c.JSON(http.StatusOK, gin.H{
+			"uri": "",
+		})
+		return
+	}
+
+	ctx := context.Background()
+	provider, err := oidc.NewProvider(ctx, endpoint)
+	if err != nil {
+		cosy.ErrHandler(c, err)
+		return
+	}
+
+	scopeList := []string{oidc.ScopeOpenID, "profile", "email"}
+	if scopes != "" {
+		scopeList = strings.Split(scopes, " ")
+	}
+
+	oauth2Config := oauth2.Config{
+		ClientID:    clientId,
+		RedirectURL: redirectUri,
+		Endpoint:    provider.Endpoint(),
+		Scopes:      scopeList,
+	}
+
+	b := make([]byte, 16)
+	_, err = rand.Read(b)
+	if err != nil {
+		cosy.ErrHandler(c, err)
+		return
+	}
+
+	state := "nginx-ui-oidc_" + hex.EncodeToString(b)
+
+	c.SetCookie("oidc_state", state, 300, "/", "", cSettings.ServerSettings.EnableHTTPS, true)
+
+	c.JSON(http.StatusOK, gin.H{
+		"uri": oauth2Config.AuthCodeURL(state),
+	})
+}

api/user/router.go

@@ -15,6 +15,9 @@ func InitAuthRouter(r *gin.RouterGroup) {
 	r.GET("/casdoor_uri", GetCasdoorUri)
 	r.POST("/casdoor_callback", CasdoorCallback)
 
+	r.GET("/oidc_uri", GetOIDCUri)
+	r.POST("/oidc_callback", OIDCCallback)
+
 	r.GET("/passkeys/config", GetPasskeyConfigStatus)
 }
 

app.example.ini

@@ -27,6 +27,14 @@ Organization    =
 Application     =
 RedirectUri     =
 
+[oidc]
+ClientId     =
+ClientSecret =
+Endpoint     =
+RedirectUri  =
+Scopes       =
+Identifier   =
+
 [cert]
 Email                =
 CADir                =

app/src/api/auth.ts

@@ -31,6 +31,15 @@ const auth = {
         login(r.token, r.short_token)
       })
   },
+  async oidc_login(code?: string, state?: string) {
+    await http.post('/oidc_callback', {
+      code,
+      state,
+    })
+      .then((r: AuthResponse) => {
+        login(r.token, r.short_token)
+      })
+  },
   async logout() {
     return http.delete('/logout').then(async () => {
       logout()
@@ -39,6 +48,9 @@ const auth = {
   async get_casdoor_uri(): Promise<{ uri: string }> {
     return http.get('/casdoor_uri')
   },
+  async get_oidc_uri(): Promise<{ uri: string }> {
+    return http.get('/oidc_uri')
+  },
   begin_passkey_login() {
     return http.get('/begin_passkey_login')
   },

app/src/api/settings.ts

@@ -110,12 +110,22 @@ export interface BannedIP {
   expired_at: string
 }
 
+export interface OIDCSettings {
+  client_id: string
+  client_secret: string
+  endpoint: string
+  redirect_uri: string
+  scopes: string
+  identifier: string
+}
+
 export interface Settings {
   app: AppSettings
   server: ServerSettings
   database: DatabaseSettings
   auth: AuthSettings
   casdoor: CasdoorSettings
+  oidc: OIDCSettings
   cert: CertSettings
   http: HTTPSettings
   logrotate: LogrotateSettings

app/src/views/other/Login.vue

@@ -134,6 +134,11 @@ async function handleLoginSuccess(options: LoginSuccessOptions = {}) {
     await settingsStore.set_language(userStore.info?.language)
   }
 
+  if (window.location.search) {
+    const newUrl = window.location.pathname + window.location.hash
+    window.history.replaceState(null, '', newUrl)
+  }
+
   const next = (route.query?.next || '').toString() || '/'
   await router.push(next)
 }
@@ -187,17 +192,46 @@ auth.get_casdoor_uri()
     }
   })
 
+const has_oidc = ref(false)
+const oidc_uri = ref('')
+
+auth.get_oidc_uri()
+  .then(r => {
+    if (r?.uri) {
+      has_oidc.value = true
+      oidc_uri.value = r.uri
+    }
+  })
+
 function loginWithCasdoor() {
   window.location.href = casdoor_uri.value
 }
 
-if (route.query?.code !== undefined && route.query?.state !== undefined) {
+function loginWithOIDC() {
+  window.location.href = oidc_uri.value
+}
+
+const searchParams = new URLSearchParams(window.location.search)
+const query = route.query
+const code = query?.code?.toString() ?? searchParams.get('code')
+const state = query?.state?.toString() ?? searchParams.get('state')
+
+if (code && state) {
   loading.value = true
-  auth.casdoor_login(route.query?.code?.toString(), route.query?.state?.toString()).then(async () => {
-    await handleLoginSuccess()
-  }).finally(() => {
-    loading.value = false
-  })
+  if (state.startsWith('nginx-ui-oidc_')) {
+    auth.oidc_login(code, state).then(async () => {
+      await handleLoginSuccess()
+    }).finally(() => {
+      loading.value = false
+    })
+  }
+  else {
+    auth.casdoor_login(code, state).then(async () => {
+      await handleLoginSuccess()
+    }).finally(() => {
+      loading.value = false
+    })
+  }
 }
 
 function handleOTPSubmit(code: string, recovery: string) {
@@ -291,6 +325,15 @@ async function handlePasskeyLogin() {
               >
                 {{ $gettext('SSO Login') }}
               </AButton>
+              <AButton
+                v-if="has_oidc"
+                block
+                :loading="loading"
+                class="mb-5"
+                @click="loginWithOIDC"
+              >
+                {{ $gettext('OIDC Login') }}
+              </AButton>
             </template>
             <div v-else>
               <Authorization