SSO Support

[privacyguard]

Implements #2930.

This PR is based on this previous PR by @thepaperpilot.

Related PRs:

• SSO Support lemmy-js-client#297
• SSO support lemmy-ui#2578

We noticed that the original PR is outdated and has a lot of conflicts with the recent changes. We tried to keep the previous commits whenever possible (in lemmy-js-client and lemmy-ui).

How it works?

• Admins can configure external OIDC providers from within the admin settings.
• Once an OIDC provider is configured, users will be able to Sign In / Sign Up using external OIDC providers.

Available Configuration

• The usual OIDC endpoints
• auto_verify_email: When enabled, users signing up using OIDC won't need to go through email verification.
• auto_approve_application: When enabled, users signing up using OIDC won't need manual approval even if applications are required.
• account_linking_enabled: When enabled, users attempting with sign up with OIDC using an existing user email would link the OIDC account to the existing user.

Disclaimer
This is our first ever rust contribution.

Who we are? Why are we contributing to Lemmy?

Privacy Portal is an OIDC provider and an email aliasing service focused on privacy. We have decided to contribute to select open source projects that empower Free Speech online.
Our OIDC provider services are currently offered free of charge. In the future, we will have a generous free plan that will cover most deployments.
Using Privacy Portal as your OIDC provider offers your users great privacy benefits. User emails will automatically get replaced by single-purpose Privacy Aliases during sign up. Users will be able to enter any name (to be used as username). Users can benefit from email encryption and much more.

[erlend-sh]

Wonderful! We’re also building an OIDC provider for indies, so this is a very welcome development 😊

I wasn’t able to find it in your PR; are you implementing PKCE grant flow? It’s more secure, and some identity providers (like ours) rely on it to function.

Prior art in fediverse:

• Add support for OAuth Public Clients with Token Expiry mastodon/mastodon#30329
• [feature] Implement PKCE for oauth2 superseriousbusiness/gotosocial#2225

[privacyguard]

@erlend-sh This PR doesn't support PKCE grant flow yet but, once it's merged, adding PKCE support should be a small change. We'll try to make some time to add it in a separate PR.

[dullbananas]

The migrations need to be tested manually, because CI currently only checks one migration, and multiple migrations were added.

[dullbananas]

This can fail if oauth accounts were already created. Not sure what to do about that.

[privacyguard]

Correct. This is similar to the already integrated migration called "2024-04-15-105932_community_followers_url_optional".

[Nutomic]

Could you give some instructions how we can test this functionality? Maybe by writing some documentation (that will be necessary anyway).

[privacyguard]

@Nutomic we'll write some docs for users but given that local testing is slightly more complicated, here are the steps to test it:

1- You will need the changes from these 3 PRs locally:

• SSO Support #4881
• SSO Support lemmy-js-client#297
• SSO support lemmy-ui#2578

2- The lemmy-ui changes require the latest version of lemmy-js-client (the PR does not include this version yet since it requires publishing to npm. You will need to add it manually).

cd $LEMMY_JS_CLIENT_DIR && pnpm run prepare
cd $LEMMY_UI_DIR pnpm add $LEMMY_JS_CLIENT_DIR

3- Run the DB migrations diesel migration run --database-url $LEMMY_DATABASE_URL
4- Now you should be able to start lemmy and lemmy-ui
5- Sign In to Lemmy as admin and go to the admin settings page: http://localhost:1234/admin
6- Enable "oauth_registration" under the "Site" tab to allow users to Sign Up using OAUTH
7- Under the "authentication" tab you will need to add an OIDC provider configuration.

• Most fields in this configuration are provided to you by the OIDC Provider including the "oauth_issuer", "oauth_authorization_endpoint", "oauth_token_endpoint", "oauth_userinfo_endpoint".
• You will need to find out which scopes are needed by the provider in question in order to get access to the user_id, name and email. The scopes will need to be set under "oauth_scopes" and you will need to fill the "oauth_id_claim" and "oauth_name_claim" fields to tell Lemmy the name of the properties containing the user_id and the user name as returned by your OIDC provider.
• To simplify this step we added a preset configuration to Lemmy-ui for the Privacy Portal OIDC provider. Additional preset providers can be added at any time by opening Pull Requests.

8- The remaining fields "oauth_client_id" and "oauth_client_secret" are instance specific and require you to create an account with your preferred OIDC provider. With Privacy Portal, you can create a free account and test this setup like the following:

• Sign up at https://app.privacyportal.org
• Go to "Developer Settings"
• Create a "New Application"
• Register the application with the following information { "Name": "Lemmy Test", "Homepage URL": "http://localhost:1234", "Callback URL": "http://localhost:1234/oauth/callback" }
• Under Credentials, you should now get a "client_id" that you can use on Lemmy-ui to fill the "oauth_client_id" field.
• Also under Credentials, tap on "Generate Secret" to get a secret that you can use to fill the "oauth_client_secret" in Lemmy-ui.

9- Now you should have all the fields filled in your configuration, click "save" and sign out from the admin account.
10- Go to the Lemmy Login page, you should now see the SSO button to login with your configured provider.

[dessalines]

This is great! We should def try to get it into 0.20.0 .

I'll mark it as draft, bc we're doing that for all the breaking changes PRs atm.

[dessalines]

There's already local_site.registration_mode. I'm not sure how registration applications would work with this, but I don't think they should be bypassed if its RequireApplication

[privacyguard]

This was a bit weird to implement because when someone sign up with SSO, there's no room in the sign up process to submit a manual application so we're auto-filling applications with the text "Signed up with X OIDC provider".

We can certainly remove this toggle if you think it's best.

[dullbananas]

I want registration applications to work for SSO

[dessalines]

Agree, I think this column should be removed, because registration applications should still work with SSO.

[privacyguard]

Just to make sure we're on the same page, the way this is currently implemented, the admin can select whether or not they want to auto_approve applications (when applications are required). If this is set to TRUE, signups using SSO bypass the application approval (per provider). If this is set to FALSE, sign ups using SSO fill the application field with the text "Signed up with X OIDC provider" and the application would require approval for the user to be able to sign in with SSO.

The changes that can be made here are:
1- Completely removing the "auto_approve_application" option.
2- Somewhere during SSO sign up, adding an input field for users to fill a custom application text. We're looking into this to see at which stage this could be implemented while staying compliant with OAUTH.

[dessalines]

Both those sound correct, but I don't know how possible it is. Seems like it should be a pretty common use-case tho.

If its absolutely not possible, then I spose we have no choice but to ignore the registration_mode when using SSO signups, although that scares me a little. Nothing has stopped spam attacks better than registration applications.

To clarify tho, yes remove the auto_approve_application column, as that overlaps with the local_site.registration_mode

[privacyguard]

• Removed the "auto_approve_application" field.

Looking into the custom application field part...

[privacyguard]

Added support for registration applications with custom user text.

[dessalines]

Something tells me there's a better way to organize this. Like maybe it should be added as an impl function on the OAuthProvider struct.

[privacyguard]

Do you mean the whole filter function or are you talking about the highlighted part?

[dessalines]

The whole filter function, but I wouldn't worry about it for now, I can always fix later.

[dessalines]

Isn't the only difference that client_secret is included in the unsafe?

In that case you might not need any of the extra types and functions below, since you already have serde_skip on that field.

Check out the site table, which just has pub private_key: Option<SensitiveString>, , and doesn't need a separate SiteSafe / SiteUnsafe version.

@Nutomic might be able to give better guidance than I can on this.

[privacyguard]

Besides the client_secret, OAuthProvider is a version of UnsafeOAuthProvider that is decoupled from the DB schema and contains multiple Optional fields that are filtered out depending on whether the user is an admin or not.

The following fields are getting filtered out for normal users: ["issuer", "token_endpoint", "userinfo_endpoint", "id_claim", "name_claim", "auto_verify_email", "auto_approve_application", "account_linking_enabled", "enabled", "published", "updated"].

There's no security risk in leaking this data to the UI. It's just data that is not needed in the UI and that will be loaded on every login page.

[dessalines]

We could also just add serde skip to all of those also.

I'm good with either way I spose, but I'd like to hear @Nutomic 's thoughts on this.

[privacyguard]

The reason for the complexity here is that we're using the "Site" data both for the login page and for the admin oauth settings. This is something that existed in the original PR that we didn't change.

We have 3 options here:
1- If the current implementation is acceptable we keep it.
2- We simply allow these fields to be sent to the login page (We could still filter disabled OAUTH providers).
3- We could use serde skip for all these fields for the "Site" data and we create separate API call for the admin settings containing the rest of the data. We would need an additional struct for this solution too though.

[Nutomic]

I would definitely like to get rid of these duplicate struct and implementations because it makes maintenance more difficult. Though I agree that we shouldnt include unnecessary data in GetSiteResponse to avoid bloated data. To keep it simple I would consider always sending these fields for admin accounts, and skipping them for normal users. I would also move the fields into a separate struct (and table?) so this can be done more easily.

[privacyguard]

Using #[diesel(embed)] created a lot of issues because it's not compatible with Identifiable and a couple other things which created problems with Crud.

We had to go a bit deeper into rust and dealt with it with custom serialization using a single Struct and a wrapper Struct. Any concerns about this approach?

[dessalines]

I don't fully understand why that's necessary, you could just:

• Eliminate the duplicate struct, and use serde_skip for all the necessary fields.
• Make oauth_providers in GetSiteResponse optional, and only include it for admins.

[phiresky]

a separation of structs imo does kind of make sense because these optionals are always dangerous since setting/leaving them out are a contract based on purely comments and easy to misuse later.

i don't have a strong opinion though (except i think it's better to avoid too much bike shedding and only block merged for more important issues)

[privacyguard]

@dessalines oauth_providers in GetSiteResponse is always needed. It's needed (with limited fields) for the login page to display the SSO buttons. It's also needed with all fields (except client_secret) for admin pages.

In the latest changes we:

• Use serde_skip to skip fields that should never be sent to the UI such as client_secret.
• Removed the duplication in structs. We use a single struct containing all the fields needed for admin data.
• Wrap the struct with a transparent struct to use custom serialization that skips more fields and only keeps public data.

[dessalines]

Sweet

[privacyguard]

@dessalines @dullbananas we've addressed most of the issues raised. Is there anything we're missing? Thanks!

[dessalines]

Mainly just need @Nutomic to look at this also, about the Safe/Unsafe variants.

Also test this to make sure that it works correctly with registration applications, that is a must.

I don't see anything else besides those two things.

Also it might be a while till this gets merged into main since we're not merging breaking changes at the moment, but that's on us to do once we get everything major resolved.

[dessalines]

The whole filter function, but I wouldn't worry about it for now, I can always fix later.

[dessalines]

These look good, thx.

[dessalines]

Agree, I think this column should be removed, because registration applications should still work with SSO.

[dessalines]

We could also just add serde skip to all of those also.

I'm good with either way I spose, but I'd like to hear @Nutomic 's thoughts on this.

[dessalines]

Also there's this clippy error: https://woodpecker.join-lemmy.org/repos/129/pipeline/8173/17

[privacyguard]

@Nutomic @dessalines Yesterday we rebased this branch, resolved all conflicts, and addressed the remaining issues raised. Please let us know if there's anything else remaining or whether this can be merged. Thanks!

[Nutomic]

Good job, thank you!

[anderspitman]

@privacyguard any chance of adding PKCE support?