feat: Implement oauth2 monitors #3119
Conversation
Sorry for asking in a PR: Any way to hotpatch a docker-install or get a fresh docker install based on a PR? I don't have an npm build environment, but would love to give this a try.
Just to make it clear again: I opened this as a starting point for a discussion and as a reference. But for quick testing it might be useful to provide a quick way to try it:

```dockerfile
FROM louislam/uptime-kuma:base-debian
WORKDIR /app
COPY package.json /app/
RUN npm install --force
COPY . .
RUN npm run build && chmod +x /app/extra/entrypoint.sh
EXPOSE 3001
VOLUME ["/app/data"]
ENTRYPOINT ["/usr/bin/dumb-init", "--", "extra/entrypoint.sh"]
CMD ["node", "server/server.js"]
```

Run

cc: @DennisGaida
This feature will be very helpful for our team too, thank you!
Thanks for testing and for the feedback @kzkvv
Per spec the Since it is not provided in the frontend, the backend and the function receives I have the following solutions in mind:
In all cases I will forward any oauth/oidc error to the monitor and the user can fix the monitor settings. Any suggestions?
Could you add
# Conflicts:
#	server/database.js
Trying to test it using Google oauth, but no luck. Did I do something wrong? URL: https://example.com I tried Desktop and Web Application.
@louislam No, you did nothing wrong. I messed up: The time I created the initial draft and tested it with Azure and Google I must have made a mistake. Google does not support the OAuth2 client credential grant, yet. Currently they use Service Accounts which are not compatible with the OAuth2 spec. However, there is a plan to integrate that into the GCP. I was either in some kind of preview program or tested with the wrong grant type. Unfortunately I can't verify that anymore since I finally split my personal and development Google account and I did the testing with the old one :/ I retested my Azure setup to make sure I avoid any mistakes. If you want I can provide some instructions within the next few days on how to set up the provider and a demo app to help people test it and get started. The Azure provider setup is not without some gotchas. Thanks for pointing this out. I'm truly sorry for this mistake.
Thanks for understanding. I will provide a small example here anyway (in the coming days), since I know getting started with OAuth is hard. I don't know about your time planning with uptime kuma 1.23 but if you have no hurry just wait a little and maybe someone else might provide additional feedback. Totally up to you, I have no preference here.
You can check the 1.23.0 milestone, probably not be released soon.
Setting up a OAuth2 Provider

Azure AD

For setting up an Azure AD OAuth2 client you need a Microsoft or a MS work account. As far as I know there is no need to provide a payment method and no cost associated with the free tier of AAD.
Now you have set up the Azure AD provider!
This token can be used to access applications protected with oauth authentication. It can be inspected using jwt.io. One possibility is to protect any website put behind a reverse proxy like nginx or traefik that is configured with the oauth2 proxy. If you have an application that is configured with the oauth2 proxy you can put its URL into uptime-kuma and transfer the settings from the Postman parameters into uptime-kuma. Uptime-kuma should obtain a token from Azure and will use it to access the URL in the monitor settings.
# Conflicts:
#	server/database.js
Thanks. It is working.
@hegerdes thanks for adding this much needed feature, I've been waiting for it to be released. I'm trying to use it with Auth0 behind an oauth2-proxy. I was able to generate an access token from the CLI following the client credentials flow, but it seems I need to add an extra field called audience to get it to work (see image). Do you think we should add an extra 'meta' field that would allow for custom parameters to be set depending on the provider?
Thanks for raising this @kdubb1337. This is one of the main problems that the OAuth2/OIDC standard has. It is too open for providers to implement. The audience field strictly speaking is a:
The description from Auth0 (see here) sounds more like the I definitely could add an extra field for arbitrary headers to set for the auth request but that would open the door for a lot more uncommon ways of handling OAuth and I don't know if this is wise, especially in the first iteration of this feature. Can you please check if Auth0 accepts the request with
@hegerdes I was able to bypass it by setting a default audience, now it will work without setting the audience which is good enough for me. I'm still getting some error on the monitor but I will look into that further. I'll update with an Auth0 guide if I get it working. I'd like to put it in a docs/wiki area so people have a place to find how to do their specific oauth2 provider, since these will grow and have their unique quirks.
I actually just ran into needing a different When attempting to integrate with an OAuth endpoint there are 2 different
Sorry, am I blind? Where do I find the settings to set up keycloak in the Uptime-Kuma-Admin-UI?
You can configure the oauth2 monitor authentication in the respective HTTP monitors.

Note: Since you asked for how to set up keycloak and searched in the settings part, you are likely referring to user management. That is not CURRENTLY a feature we have, but likely will in the future.
Ah got it. Yes you are right, I was looking for Keycloak-Login. Now I understand what this PR is offering.
The feature implements OAuth2 for monitors, not for logging in and managing uptime kuma itself via OAuth2. This is a separate (pending) feature. Go to monitors, create a new one, and when you add auth to the monitoring target you can select OAuth2.
https://github.com/louislam/uptime-kuma/blob/master/CONTRIBUTING.md#can-i-create-a-pull-request-for-uptime-kuma
Tick the checkbox if you understand [x]:
Description
In times of increasing security threats, securing sensitive data is becoming more and more important. Long-lived credentials pose an increasing risk. The Oauth2 standard tries to solve this and other threats by creating short-lived tokens that are only authorized to access specific parts (scopes) of the services. The list of Oauth2 providers is ever-growing (Azure AD, AWS Cognito, Google Auth, Facebook, GitHub...). Companies and individuals use these authentication techniques to provide a central user management level while also providing a low entry barrier for new users without sacrificing security.
Testing tools need to keep up with this development and support these authentication methods. For machine to machine communication the Oauth2 Spec suggests the Client-Credential Flow (explained here).
With this PR I want to implement the Oauth2 client-credential flow to support these new authentication methods. I already provided an example implementation since one of my clients needed it. It also implements the feature requested in #659 and #2280.
So far it was tested with:
The library used (openid-client) is one of the recommended libs by the official oauth2 site and is created/maintained by one of the contributors of the oauth2 spec.
Fixes #659, #2280
Update:
Since the OAuth2 spec is so broad, I made the provided implementation more specific to allow for future changes without having to break old setups. I also added the missing error handling.
The following setup is implemented with this PR:
- client_secret_basic
- client_secret_post

Not implemented are
- client_secret_jwt
- private_key_jwt

since both methods require continuously crafting and signing new JWTs that are based on user provided input and time. Providing a user interface supporting this is quite hard, therefore hardly any other application supports this out of the box, not even Postman. The usage of these not implemented authentication methods is also quite low so the effort needed to support these is not justified at the time of writing. More about these methods can be read here.

The following providers don't support the client credential grant (yet):
I added some docs below on how to set up the Azure AD provider.
Type of change
Please delete any options that are not relevant.
Checklist
(including JSDoc for methods)
Screenshots (if any)
UI Demo:
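As an added illustration (not uptime-kuma's code, nor the openid-client library the PR uses) of the two client-authentication styles listed in the description, client_secret_basic and client_secret_post, and of the provider-specific "audience" parameter discussed above with Auth0: the functions below build the client-credentials token request without touching the network, validate the token response, and decide when a monitor must refresh its cached short-lived token. The token URL, client id and secret are constructed placeholders.

```javascript
// Added example: OAuth2 client-credentials grant request builder.
// RFC 6749 section 2.3.1: for HTTP Basic the client id and secret are
// form-urlencoded before being joined with ":" and base64-encoded.
function basicCredentials(clientId, clientSecret) {
    const pair = `${encodeURIComponent(clientId)}:${encodeURIComponent(clientSecret)}`;
    return "Basic " + Buffer.from(pair, "utf8").toString("base64");
}

// Build the POST to the token endpoint as a plain object (method, url,
// headers, body) so it can be inspected or handed to fetch/axios.
// cfg.authMethod selects client_secret_basic or client_secret_post.
function buildTokenRequest(cfg) {
    const params = new URLSearchParams({ grant_type: "client_credentials" });
    if (cfg.scope) params.set("scope", cfg.scope);
    // "audience" is not in RFC 6749; some providers (Auth0) require it.
    if (cfg.audience) params.set("audience", cfg.audience);
    const headers = { "Content-Type": "application/x-www-form-urlencoded" };
    if (cfg.authMethod === "client_secret_post") {
        params.set("client_id", cfg.clientId);       // credentials travel in the body
        params.set("client_secret", cfg.clientSecret);
    } else if (cfg.authMethod === "client_secret_basic") {
        headers.Authorization = basicCredentials(cfg.clientId, cfg.clientSecret);
    } else {
        throw new Error(`unsupported client auth method: ${cfg.authMethod}`);
    }
    return { method: "POST", url: cfg.tokenUrl, headers, body: params.toString() };
}

// Validate the JSON token response (RFC 6749 section 5) and compute the
// absolute expiry so the monitor knows when the token stops being usable.
function parseTokenResponse(json, nowSeconds) {
    if (json.error) {
        throw new Error(`token endpoint error: ${json.error} ${json.error_description || ""}`.trim());
    }
    if (typeof json.access_token !== "string") throw new Error("no access_token in response");
    if ((json.token_type || "").toLowerCase() !== "bearer") {
        throw new Error(`unexpected token_type: ${json.token_type}`);
    }
    const ttl = Number.isFinite(json.expires_in) ? json.expires_in : 0;
    return { accessToken: json.access_token, expiresAt: nowSeconds + ttl };
}

// Header for the protected monitor URL. Returns null when the cached token is
// missing or within `skew` seconds of expiry, i.e. the caller must refresh
// first, so a check never runs with a token that expires mid-request.
function authHeaderFor(token, nowSeconds, skew = 30) {
    if (!token || nowSeconds + skew >= token.expiresAt) return null;
    return { Authorization: `Bearer ${token.accessToken}` };
}
```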