Blame
| 6e7d20 | Hargata Softworks | 2024-02-16 02:25:37 | 1 | # Authenticating via OpenID Connect |
| 2 | ||||
| 3 | Configure OpenID Connect(OIDC) for LubeLogger via the following environment variables | |||
| 4 | ||||
| 5 | ``` | |||
| 6 | OpenIDConfig__Name=Name of the OpenID Connect Provider | |||
| 7 | OpenIDConfig__ClientId=Client Id to Authenticate with the Provider | |||
| 8 | OpenIDConfig__ClientSecret=Client Secret to Authenticate with the Provider | |||
| 9 | OpenIDConfig__AuthURL=Authorization URL to the Provider's Login Page | |||
| 10 | OpenIDConfig__TokenURL=URL to retrieve user JWT from the Provider | |||
| 11 | OpenIDConfig__RedirectURL=https://<yourlubeloggerdomain.com>/Login/RemoteAuth(must be HTTPS) | |||
| 2c9cf6 | Hargata Softworks | 2025-03-30 17:26:57 | 12 | OpenIDConfig__Scope=Scope to request from Provider(default: openid email) |
| 639e27 | Hargata Softworks | 2024-02-24 16:58:08 | 13 | OpenIDConfig__ValidateState=true/false(default: false) - whether LubeLogger should validate state. |
| 0449d6 | Hargata Softworks | 2024-08-20 19:58:08 | 14 | OpenIDConfig__UsePKCE=true/false(default: false) - whether LubeLogger should use PKCE |
| 8a02d9 | Hargata Softworks | 2024-03-21 01:57:18 | 15 | OpenIDConfig__DisableRegularLogin=true/false(default: false) - auto re-direct user to OIDC login. |
| 7dc2b7 | Hargata Softworks | 2024-03-21 01:57:46 | 16 | OpenIDConfig__LogOutURL=Log Out URL for OIDC Provider, required if DisableRegularLogin=true. |
| 6e7d20 | Hargata Softworks | 2024-02-16 02:25:37 | 17 | ``` |
| 18 | ||||
| 9b47f1 | Hargata Softworks | 2024-02-16 03:18:13 | 19 | If you're using the Windows Standalone executable, add the following section into `appsettings.json` |
| 20 | ||||
| 21 | ``` | |||
| 22 | "OpenIDConfig": { | |||
| 23 | "Name": "", | |||
| 24 | "ClientId": "", | |||
| 25 | "ClientSecret": "", | |||
| 26 | "AuthURL": "", | |||
| 27 | "TokenURL": "", | |||
| 28 | "RedirectURL": "", | |||
| 2c9cf6 | Hargata Softworks | 2025-03-30 17:26:57 | 29 | "Scope": "openid email", |
| c8565f | Hargata Softworks | 2024-03-21 01:55:57 | 30 | "ValidateState": true/false, |
| 0449d6 | Hargata Softworks | 2024-08-20 19:58:08 | 31 | "UsePKCE": true/false, |
| c8565f | Hargata Softworks | 2024-03-21 01:55:57 | 32 | "DisableRegularLogin": true/false, |
| 33 | "LogOutURL": "" | |||
| 9b47f1 | Hargata Softworks | 2024-02-16 03:18:13 | 34 | } |
| 35 | ``` | |||
| 36 | ||||
| d9b4ab | Hargata Softworks | 2024-02-16 06:43:52 | 37 | The following sample shows how to set up OIDC with Google as the provider with the LubeLogger instance running on `https://localhost:5011` |
| 6e7d20 | Hargata Softworks | 2024-02-16 02:25:37 | 38 | |
| 39 | ``` | |||
| 40 | OpenIDConfig__Name=Google | |||
| 5e9566 | Hargata Softworks | 2024-02-16 03:04:40 | 41 | OpenIDConfig__ClientId=xxx.apps.googleusercontent.com |
| 42 | OpenIDConfig__ClientSecret=<your Google API Client Secret> | |||
| 6e7d20 | Hargata Softworks | 2024-02-16 02:25:37 | 43 | OpenIDConfig__AuthURL=https://accounts.google.com/o/oauth2/auth |
| 44 | OpenIDConfig__TokenURL=https://oauth2.googleapis.com/token | |||
| 45 | OpenIDConfig__RedirectURL=https://localhost:5011/Login/RemoteAuth | |||
| 46 | OpenIDConfig__Scope=email | |||
| 639e27 | Hargata Softworks | 2024-02-24 16:58:08 | 47 | OpenIDConfig__ValidateState=true |
| 0449d6 | Hargata Softworks | 2024-08-20 19:58:08 | 48 | OpenIDConfig__UsePKCE=false |
| c8565f | Hargata Softworks | 2024-03-21 01:55:57 | 49 | OpenIDConfig__DisableRegularLogin=false |
| 6e7d20 | Hargata Softworks | 2024-02-16 02:25:37 | 50 | ``` |
| 51 | ||||
| 639e27 | Hargata Softworks | 2024-02-24 16:58:08 | 52 | ## State Validation |
| 53 | The ValidateState environment variable determines if LubeLogger should validate the state token echoed back by the OIDC provider. This is set to false by default, if enabled, LubeLogger will fail any login attempts where the state token is not identical to what it sent to the provider. Leave this disabled if you wish to have IdP-initiated SSO. | |||
| 54 | ||||
| 0449d6 | Hargata Softworks | 2024-08-20 19:58:08 | 55 | ## Proof of KeyCode Exchange(PKCE) |
| 56 | The UsePKCE environment variable determines if LubeLogger should generate and pass in a SHA-256-hashed challenge code to the OIDC provider. | |||
| 57 | ||||
| 639e27 | Hargata Softworks | 2024-02-24 16:58:08 | 58 | ## Testing |
| 6e7d20 | Hargata Softworks | 2024-02-16 02:25:37 | 59 | Once you have all these environment variables injected correctly, you should see the ability to login via your OIDC provider. Note: Currently LubeLogger only supports one OIDC provider. |
| 5e9566 | Hargata Softworks | 2024-02-16 03:04:40 | 60 | |
| 2b40a9 | DESKTOP-T0O5CDB\DESK-555BD | 2024-09-20 15:19:12 | 61 |  |
| 5e9566 | Hargata Softworks | 2024-02-16 03:04:40 | 62 | |
| 2b40a9 | DESKTOP-T0O5CDB\DESK-555BD | 2024-09-20 15:19:12 | 63 |  |
| 5e9566 | Hargata Softworks | 2024-02-16 03:04:40 | 64 | |
| d483b9 | Hargata Softworks | 2024-02-17 00:06:23 | 65 | LubeLogger uses the user's email address to authenticate against a registered user, the email address provided by the OIDC provider must match the email address of the user in the system. |
| 5e9566 | Hargata Softworks | 2024-02-16 03:04:40 | 66 | |
| c73afa | Hargata Softworks | 2024-02-17 00:08:13 | 67 | If the user is attempting to login via OIDC but does not have an account with LubeLogger, they will be prompted for a registration token and to set up a username which will then allow them to log in. Note that the registration token is only required for their first time logging in. |
| 12fe29 | Hargata Softworks | 2025-03-31 15:07:07 | 68 | |
| 69 | ### Advanced Troubleshooting | |||
| 70 | ||||
| 71 | ::: warning | |||
| 72 | # Future Feature | |||
| 73 | The following sections describes a feature only available in 1.4.6 and above | |||
| 74 | ::: | |||
| 75 | ||||
| 76 | The Remote Auth Debug feature is helpful for diagnosing OIDC-related issues, here's how to use it: | |||
| 77 | ||||
| 78 | 1. Set `OpenIDConfig__RedirectURL` to `https://yourlubeloggerdomain/Login/RemoteAuthDebug` | |||
| 79 | 2. Configure your OpenID Provider so that `https://yourlubeloggerdomain/Login/RemoteAuthDebug` is a valid Redirect URL | |||
| 80 | 3. Login using OIDC, instead of being redirected to login, you will be redirected to a page that displays checks and results. | |||
| 81 | ||||
| 27e815 | Hargata Softworks | 2025-03-31 15:09:18 | 82 | Example scenarios(details redacted): |
| 12fe29 | Hargata Softworks | 2025-03-31 15:07:07 | 83 | |
| 84 | All checks passed and a user is identified: | |||
| 85 | ||||
| 86 |  | |||
| 87 | ||||
| 998cc8 | Hargata Softworks | 2025-03-31 15:29:57 | 88 | All checks passed but no user is identified with the email(will be redirected to register under normal circumstances) |
| 12fe29 | Hargata Softworks | 2025-03-31 15:07:07 | 89 | |
| 90 |  | |||
| 91 | ||||
| 37a95e | Hargata Softworks | 2025-03-31 15:08:29 | 92 | Failed State Validation, Expired OpenID Code and/or OpenID not returning `id_token`: |
| 12fe29 | Hargata Softworks | 2025-03-31 15:07:07 | 93 | |
| 94 |  | |||
| 95 | ||||
| 96 | Failed Claim Validation(no email returned from OpenID Provider): | |||
| 97 | ||||
| 98 |  |