

Add generic OIDC login option #10614


Status: Merged (6 commits, Mar 6, 2025)

Conversation

@dandersonsw dandersonsw (Contributor) commented Jul 23, 2024

Description

This adds the option of using a generic OIDC identity provider for login, rather than a specific one like Google, Keycloak, etc...

Test results

Ideally you extend the test suite in tests/ and dojo/unittests to cover the changes in this PR.
Alternatively, describe what you have and haven't tested.

Tested logging in using an OIDC identity provider

Documentation

Please update any documentation when needed in the documentation folder.

Checklist

This checklist is for your information.

  • Make sure to rebase your PR against the very latest dev.
  • Features/Changes should be submitted against the dev.
  • Bugfixes should be submitted against the bugfix branch.
  • Give a meaningful name to your PR, as it may end up being used in the release notes.
  • Your code is flake8 compliant.
  • Your code is python 3.11 compliant.
  • If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.
  • Model changes must include the necessary migrations in the dojo/db_migrations folder.
  • Add applicable tests to the unit tests.
  • Add the proper label to categorize your PR.

@github-actions github-actions bot added the labels settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), docs and ui on Jul 23, 2024

dryrunsecurity bot commented Jul 23, 2024

DryRun Security Summary

A pull request adds OpenID Connect (OIDC) authentication support with multiple security considerations including potential configuration vulnerabilities and authentication risks.


The pull request adds OpenID Connect (OIDC) authentication support across multiple files, introducing configuration settings, login template modifications, and authentication backend integration.

Security findings include:

  1. Sensitive configuration variables for OIDC authentication exposed in settings.dist.py, including client ID and secret
  2. Potential security risk with support for both RS256 and HS256 JWT algorithms
  3. Empty whitelisted domains configuration could allow authentication from any domain
  4. Potential URL exposure of internal infrastructure details through multiple OIDC endpoint configurations
  5. Risk of open redirect through next parameter in login authentication flow

Code Analysis

We ran 7 analyzers against 5 files and 1 analyzer had findings. 6 analyzers had no findings.

Analyzer findings: Configured Codepaths Analyzer, 3 findings

Overall Riskiness

🔴 Risk threshold exceeded.

We've notified @mtesauro, @grendel513.

View PR in the DryRun Dashboard.
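The three checks below are an added example, not code from this PR, from DefectDojo or from python-social-auth. They show what a reviewer would look for behind DryRun findings 2, 3 and 5: pin the ID-token algorithm per provider instead of accepting RS256 and HS256 side by side, treat an empty domain allowlist as "nobody" rather than "everybody", and accept a `next` parameter only when it points back at this site. The setting names OIDC_ALLOWED_ALGORITHMS, OIDC_WHITELISTED_DOMAINS and ALLOWED_REDIRECT_HOSTS, the make_token helper, and the tokens, addresses and URLs fed to the checks are assumptions constructed for this example; the PR's own settings live in settings.dist.py and may be named differently.

```python
# Added example, not code from the PR, DefectDojo or python-social-auth.
# Setting names and sample inputs below are constructed for illustration.
import base64
import json
from urllib.parse import urlsplit

OIDC_ALLOWED_ALGORITHMS = ("RS256",)                 # assumed name; one family per IdP
OIDC_WHITELISTED_DOMAINS = ("example.com",)          # assumed name; () must mean "nobody"
ALLOWED_REDIRECT_HOSTS = {"defectdojo.example.com"}  # assumed name; hosts `next` may target


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWS strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_token(header: dict, payload: dict) -> str:
    """Build a constructed JWT-shaped string for the checks below.
    The third segment is a placeholder; only the header is inspected here."""
    segments = [_b64url_encode(json.dumps(p).encode()) for p in (header, payload)]
    return ".".join(segments + [_b64url_encode(b"placeholder-signature")])


def check_id_token_alg(id_token: str, allowed=OIDC_ALLOWED_ALGORITHMS) -> str:
    """Return the header 'alg' if it is allowed, else raise ValueError.

    Run this before any signature verification. A backend that accepts both
    RS256 and HS256 for one provider lets an attacker set alg=HS256 and sign
    with the provider's public RSA key as the HMAC secret, so the algorithm
    is pinned per provider. 'none' is rejected by the same comparison.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three segments)")
    header = json.loads(_b64url_decode(parts[0]))
    alg = header.get("alg")
    if alg not in allowed:
        raise ValueError(f"alg {alg!r} not in allowed set {allowed}")
    return alg


def id_token_alg_allowed(id_token: str, allowed=OIDC_ALLOWED_ALGORITHMS) -> bool:
    """Boolean form of check_id_token_alg for callers that branch on it."""
    try:
        check_id_token_alg(id_token, allowed)
        return True
    except ValueError:
        return False


def email_domain_allowed(email: str, whitelisted=OIDC_WHITELISTED_DOMAINS) -> bool:
    """Fail closed: an empty allowlist admits nobody instead of everybody.

    Only the text after the last '@' is compared, so 'a@example.com@evil.net'
    and 'a@example.com.evil.net' do not match 'example.com'.
    """
    if not whitelisted:
        return False
    _, at, domain = email.rpartition("@")
    if not at or not domain:
        return False
    return domain.lower() in {d.lower() for d in whitelisted}


def safe_next(next_param, allowed_hosts=ALLOWED_REDIRECT_HOSTS, default="/"):
    """Return next_param only if it targets this site, otherwise the default.

    Rejects other hosts, scheme-relative '//evil.example', the '///' and
    backslash spellings browsers normalise to a new host, control characters,
    and non-https schemes such as javascript:. Django ships
    url_has_allowed_host_and_scheme() for the same job; this is a stand-alone
    version of the same rules.
    """
    if not isinstance(next_param, str) or not next_param:
        return default
    if next_param != next_param.strip() or "\\" in next_param:
        return default
    if any(ord(c) < 0x20 or c == "\x7f" for c in next_param):
        return default
    parts = urlsplit(next_param)
    if parts.scheme or parts.netloc:
        if parts.scheme != "https" or parts.netloc.lower() not in allowed_hosts:
            return default
        return next_param
    if next_param.startswith("/") and not next_param.startswith("//"):
        return next_param
    return default


if __name__ == "__main__":
    rs256 = make_token({"alg": "RS256", "typ": "JWT"}, {"sub": "user-1"})
    hs256 = make_token({"alg": "HS256", "typ": "JWT"}, {"sub": "user-1"})
    print(id_token_alg_allowed(rs256), id_token_alg_allowed(hs256))    # True False
    print(email_domain_allowed("alice@example.com", ()))               # False
    print(safe_next("//evil.example/phish"), safe_next("/finding/1"))  # / /finding/1
```

The order of operations in check_id_token_alg is the point of finding 2: the allowed algorithm is decided from configuration before the token's own header is trusted for anything, so a token cannot pick the verification routine. For finding 3, the empty-allowlist branch returns False on purpose; a deployment that really wants to admit every domain should have to say so explicitly rather than get it from a blank setting.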


This pull request has conflicts, please resolve those before we can evaluate the pull request.


Conflicts have been resolved. A maintainer will review the pull request shortly.


This pull request has conflicts, please resolve those before we can evaluate the pull request.

@dandersonsw dandersonsw force-pushed the add-oidc branch 2 times, most recently from e7a6740 to f97900e Compare November 13, 2024 21:46

Conflicts have been resolved. A maintainer will review the pull request shortly.

@Maffooch (Contributor) commented:

Hi @dandersonsw are you able to back out the formatting changes that are not directly related to this PR? It is making review a little challenging


This pull request has conflicts, please resolve those before we can evaluate the pull request.


Conflicts have been resolved. A maintainer will review the pull request shortly.

@dandersonsw (Contributor, Author) commented:

Hi @Maffooch I was able to back out the formatting changes on all the files except for the documentation file. Hopefully that makes it easier to review. Happy to make further changes if needed. Thank you.

@mtesauro (Contributor) commented:

@dandersonsw Just kicked off the tests 🤞


This pull request has conflicts, please resolve those before we can evaluate the pull request.


Conflicts have been resolved. A maintainer will review the pull request shortly.

@Maffooch Maffooch changed the base branch from dev to bugfix March 4, 2025 23:27

github-actions bot commented Mar 4, 2025

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@github-actions github-actions bot added helm and removed docker labels Mar 4, 2025

github-actions bot commented Mar 4, 2025

Conflicts have been resolved. A maintainer will review the pull request shortly.


@mtesauro mtesauro left a review comment:

Approved

@Maffooch Maffooch merged commit 7afa3c7 into DefectDojo:bugfix Mar 6, 2025
70 of 71 checks passed
paulOsinski pushed a commit to paulOsinski/django-DefectDojo that referenced this pull request Mar 6, 2025
* fixing conflicts and removing code formatting

* sha file deleted

* remove settings sha

* Make some settings optional

* Fix ruff

* Restore some vuln ids

---------

Co-authored-by: Cody Maffucci <[email protected]>
@valentijnscholten (Member) commented:

Thanks @dandersonsw for the PR.

Labels
docs, settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), ui

6 participants