OpenSource
/
ragflow
Watch 4
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 33 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3738 Commits
7 Branches
Tree: e6cb74b27f
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'e6cb74b27f'
${ noResults }
ragflow/api/apps/auth/oidc.py

oidc.py 3.4KB
Raw Normal View History

Feat: Add support for OAuth2 and OpenID Connect (OIDC) authentication (#7379) ### What problem does this PR solve? Add support for OAuth2 and OpenID Connect (OIDC) authentication, allowing OAuth/OIDC authentication using the specified routes: - `/login/<channel>`: Initiates the OAuth flow for the specified channel - `/oauth/callback/<channel>`: Handles the OAuth callback after successful authentication The callback URL should be configured in your OAuth provider as: ``` https://your-app.com/oauth/callback/<channel> ``` For detailed instructions on configuring **service_conf.yaml.template**, see: `./api/apps/auth/README.md#usage`. - Related issues #3495 ### Type of change - [x] New Feature (non-breaking change which adds functionality) - [x] Documentation Update
6 months ago
Feat: Add `/login/channels` route and improve auth logic for frontend third-party login integration (#7521) ### What problem does this PR solve? Add `/login/channels` route and improve auth logic to support frontend integration with third-party login providers: - Add `/login/channels` route to provide authentication channel list with `display_name` and `icon` - Optimize user info parsing logic by prioritizing `avatar_url` and falling back to `picture` - Simplify OIDC token validation by removing unnecessary `kid` checks - Ensure `client_id` is safely cast to string during `audience` validation - Fix typo --- - Related pull request: #7379 ### Type of change - [x] New Feature (non-breaking change which adds functionality) - [x] Documentation Update
6 months ago
Feat: Add support for OAuth2 and OpenID Connect (OIDC) authentication (#7379) ### What problem does this PR solve? Add support for OAuth2 and OpenID Connect (OIDC) authentication, allowing OAuth/OIDC authentication using the specified routes: - `/login/<channel>`: Initiates the OAuth flow for the specified channel - `/oauth/callback/<channel>`: Handles the OAuth callback after successful authentication The callback URL should be configured in your OAuth provider as: ``` https://your-app.com/oauth/callback/<channel> ``` For detailed instructions on configuring **service_conf.yaml.template**, see: `./api/apps/auth/README.md#usage`. - Related issues #3495 ### Type of change - [x] New Feature (non-breaking change which adds functionality) - [x] Documentation Update
6 months ago
Feat: Add `/login/channels` route and improve auth logic for frontend third-party login integration (#7521) ### What problem does this PR solve? Add `/login/channels` route and improve auth logic to support frontend integration with third-party login providers: - Add `/login/channels` route to provide authentication channel list with `display_name` and `icon` - Optimize user info parsing logic by prioritizing `avatar_url` and falling back to `picture` - Simplify OIDC token validation by removing unnecessary `kid` checks - Ensure `client_id` is safely cast to string during `audience` validation - Fix typo --- - Related pull request: #7379 ### Type of change - [x] New Feature (non-breaking change which adds functionality) - [x] Documentation Update
6 months ago
Feat: Add support for OAuth2 and OpenID Connect (OIDC) authentication (#7379) ### What problem does this PR solve? Add support for OAuth2 and OpenID Connect (OIDC) authentication, allowing OAuth/OIDC authentication using the specified routes: - `/login/<channel>`: Initiates the OAuth flow for the specified channel - `/oauth/callback/<channel>`: Handles the OAuth callback after successful authentication The callback URL should be configured in your OAuth provider as: ``` https://your-app.com/oauth/callback/<channel> ``` For detailed instructions on configuring **service_conf.yaml.template**, see: `./api/apps/auth/README.md#usage`. - Related issues #3495 ### Type of change - [x] New Feature (non-breaking change which adds functionality) - [x] Documentation Update
6 months ago
Fix: use jwks_uri from OIDC metadata for JWKS client (#8136) ### What problem does this PR solve? Issue: #8051 The current implementation assumes JWKS endpoints follow the standard `/.well-known/jwks.json` convention. This breaks authentication for OIDC providers that use non-standard JWKS paths, resulting in 404 errors during token validation. Root Cause Analysis - The OpenID Connect specification doesn't mandate a fixed path for JWKS endpoints - Some identity providers (like certain Keycloak configurations) use custom endpoints - Our previous approach constructed JWKS URLs by convention rather than discovery ### Solution Approach Instead of constructing JWKS URLs by appending to the issuer URI, we now: 1. Properly leverage the `jwks_uri` from the OIDC discovery metadata 2. Honor the identity provider's actual configured endpoint ```python # Before (fragile approach) jwks_url = f"{self.issuer}/.well-known/jwks.json" # After (standards-compliant) jwks_cli = jwt.PyJWKClient(self.jwks_uri) # Use discovered endpoint ``` ### Type of change - [x] Bug Fix (non-breaking change which fixes an issue)
4 months ago
Feat: Add support for OAuth2 and OpenID Connect (OIDC) authentication (#7379) ### What problem does this PR solve? Add support for OAuth2 and OpenID Connect (OIDC) authentication, allowing OAuth/OIDC authentication using the specified routes: - `/login/<channel>`: Initiates the OAuth flow for the specified channel - `/oauth/callback/<channel>`: Handles the OAuth callback after successful authentication The callback URL should be configured in your OAuth provider as: ``` https://your-app.com/oauth/callback/<channel> ``` For detailed instructions on configuring **service_conf.yaml.template**, see: `./api/apps/auth/README.md#usage`. - Related issues #3495 ### Type of change - [x] New Feature (non-breaking change which adds functionality) - [x] Documentation Update
6 months ago
Feat: Add `/login/channels` route and improve auth logic for frontend third-party login integration (#7521) ### What problem does this PR solve? Add `/login/channels` route and improve auth logic to support frontend integration with third-party login providers: - Add `/login/channels` route to provide authentication channel list with `display_name` and `icon` - Optimize user info parsing logic by prioritizing `avatar_url` and falling back to `picture` - Simplify OIDC token validation by removing unnecessary `kid` checks - Ensure `client_id` is safely cast to string during `audience` validation - Fix typo --- - Related pull request: #7379 ### Type of change - [x] New Feature (non-breaking change which adds functionality) - [x] Documentation Update
6 months ago
Feat: Add support for OAuth2 and OpenID Connect (OIDC) authentication (#7379) ### What problem does this PR solve? Add support for OAuth2 and OpenID Connect (OIDC) authentication, allowing OAuth/OIDC authentication using the specified routes: - `/login/<channel>`: Initiates the OAuth flow for the specified channel - `/oauth/callback/<channel>`: Handles the OAuth callback after successful authentication The callback URL should be configured in your OAuth provider as: ``` https://your-app.com/oauth/callback/<channel> ``` For detailed instructions on configuring **service_conf.yaml.template**, see: `./api/apps/auth/README.md#usage`. - Related issues #3495 ### Type of change - [x] New Feature (non-breaking change which adds functionality) - [x] Documentation Update
6 months ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899 
  1. #

  2. #  Copyright 2025 The InfiniFlow Authors. All Rights Reserved.

  3. #

  4. #  Licensed under the Apache License, Version 2.0 (the "License");

  5. #  you may not use this file except in compliance with the License.

  6. #  You may obtain a copy of the License at

  7. #

  8. #      http://www.apache.org/licenses/LICENSE-2.0

  9. #

  10. #  Unless required by applicable law or agreed to in writing, software

  11. #  distributed under the License is distributed on an "AS IS" BASIS,

  12. #  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13. #  See the License for the specific language governing permissions and

  14. #  limitations under the License.

  15. #

  16. 

  17. import jwt

  18. import requests

  19. from .oauth import OAuthClient

  20. 

  21. 

  22. class OIDCClient(OAuthClient):

  23.     def __init__(self, config):

  24.         """

  25.         Initialize the OIDCClient with the provider's configuration.

  26.         Use `issuer` as the single source of truth for configuration discovery.

  27.         """

  28.         self.issuer = config.get("issuer")

  29.         if not self.issuer:

  30.             raise ValueError("Missing issuer in configuration.")

  31. 

  32.         oidc_metadata = self._load_oidc_metadata(self.issuer)

  33.         config.update({

  34.             'issuer': oidc_metadata['issuer'],

  35.             'jwks_uri': oidc_metadata['jwks_uri'], 

  36.             'authorization_url': oidc_metadata['authorization_endpoint'],

  37.             'token_url': oidc_metadata['token_endpoint'],

  38.             'userinfo_url': oidc_metadata['userinfo_endpoint']

  39.         })

  40. 

  41.         super().__init__(config)

  42.         self.issuer = config['issuer']

  43.         self.jwks_uri = config['jwks_uri']

  44. 

  45. 

  46.     def _load_oidc_metadata(self, issuer):

  47.         """

  48.         Load OIDC metadata from `/.well-known/openid-configuration`.

  49.         """

  50.         try:

  51.             metadata_url = f"{issuer}/.well-known/openid-configuration"

  52.             response = requests.get(metadata_url, timeout=7)

  53.             response.raise_for_status()

  54.             return response.json()

  55.         except requests.exceptions.RequestException as e:

  56.             raise ValueError(f"Failed to fetch OIDC metadata: {e}")

  57. 

  58. 

  59.     def parse_id_token(self, id_token):

  60.         """

  61.         Parse and validate OIDC ID Token (JWT format) with signature verification.

  62.         """

  63.         try:

  64.             # Decode JWT header without verifying signature

  65.             headers = jwt.get_unverified_header(id_token)

  66.             

  67.             # OIDC usually uses `RS256` for signing

  68.             alg = headers.get("alg", "RS256")

  69. 

  70.             # Use PyJWT's PyJWKClient to fetch JWKS and find signing key

  71.             jwks_cli = jwt.PyJWKClient(self.jwks_uri)

  72.             signing_key = jwks_cli.get_signing_key_from_jwt(id_token).key

  73. 

  74.             # Decode and verify signature

  75.             decoded_token = jwt.decode(

  76.                 id_token,

  77.                 key=signing_key,

  78.                 algorithms=[alg],  

  79.                 audience=str(self.client_id),

  80.                 issuer=self.issuer,

  81.             )

  82.             return decoded_token

  83.         except Exception as e:

  84.             raise ValueError(f"Error parsing ID Token: {e}")

  85. 

  86. 

  87.     def fetch_user_info(self, access_token, id_token=None, **kwargs):

  88.         """

  89.         Fetch user info.

  90.         """

  91.         user_info = {}

  92.         if id_token:

  93.             user_info = self.parse_id_token(id_token)

  94.         user_info.update(super().fetch_user_info(access_token).to_dict())

  95.         return self.normalize_user_info(user_info)

  96. 

  97. 

  98.     def normalize_user_info(self, user_info):

  99.         return super().normalize_user_info(user_info)