
Identity provider login from mediator CLI #1014

Merged (1 commit), Sep 29, 2023

Conversation

eleftherias

@eleftherias eleftherias commented Sep 25, 2023

Relates to #691.

To try out this PR:

  • Regenerate protobuf stubs: make gen
  • Regenerate queries: make sqlc
  • Drop the existing database and re-run the migration: make migrateup
  • Start Keycloak (make sure port 8081 is free on your machine): docker-compose up -d keycloak
  • Rebuild: make build
  • Add the new configuration parameters under identity to your config.yaml (see the updates to config/config.yaml.example)
  • Log in with the usual command, minus the username and password: ./bin/medic auth login. The superadmin credentials are the same.

Things that you can try:

  • Log in with the same superadmin credentials
  • Superadmin is forced to change their password
  • Additional users can create an account and log in, but they are not authorized to perform any actions yet

To add Social login:

  • For GitHub, create an OAuth2 application here. The callback URL should be http://localhost:8081/realms/stacklok/broker/github/endpoint
  • Open the file identity/import/stacklok-realm-with-user-and-client.json
  • Replace "identityProviders" : [ ], with the following, using your generated client ID and client secret:
"identityProviders" : [
  {
    "alias" : "github",
    "internalId" : "afb4fd44-b6d7-4cff-a4ff-12735ca09b02",
    "providerId" : "github",
    "enabled" : true,
    "updateProfileFirstLoginMode" : "on",
    "trustEmail" : false,
    "storeToken" : false,
    "addReadTokenRoleOnCreate" : false,
    "authenticateByDefault" : false,
    "linkOnly" : false,
    "firstBrokerLoginFlowAlias" : "first broker login",
    "config" : {
      "clientSecret" : "the-client-secret-you-generated",
      "clientId" : "the-client-id-you-generated"
    }
  }
],

To add Google login, the steps are the same, but with a different provider ID. Feel free to reach out if you want to experiment with Google login and want help.

Alternatively, you can add social login via the Keycloak admin console, but note that this configuration will disappear if you restart Keycloak.

Things for a different PR:

  • Clean up readme and getting started documentation
  • Use refresh token to fetch new access token when needed (currently expires after 5 minutes and log in is required again)
  • Add configurable database connection for user storage
  • Logout
  • Branding and styling on account page
  • Account deletion
  • Forgot password flow
  • Creating organization, group and role for any new users
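Worked example, added here and not code from the PR or the mediator code base: a small Go program that performs the realm-file edit described above programmatically, so the OAuth client secret is read from the environment at run time instead of being written into the git-tracked realm export. It assumes the realm export keeps identityProviders as a top-level array, as the snippet shows; the function names, the GITHUB_CLIENT_ID / GITHUB_CLIENT_SECRET variable names and the sample realm document are made up for the example, and internalId is omitted on the assumption that Keycloak assigns one at import.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
)

// IdentityProvider mirrors the realm-export entry from the PR description. internalId is
// left out on the assumption that Keycloak assigns one on import.
type IdentityProvider struct {
	Alias                       string            `json:"alias"`
	ProviderID                  string            `json:"providerId"`
	Enabled                     bool              `json:"enabled"`
	UpdateProfileFirstLoginMode string            `json:"updateProfileFirstLoginMode"`
	TrustEmail                  bool              `json:"trustEmail"`
	StoreToken                  bool              `json:"storeToken"`
	AddReadTokenRoleOnCreate    bool              `json:"addReadTokenRoleOnCreate"`
	AuthenticateByDefault       bool              `json:"authenticateByDefault"`
	LinkOnly                    bool              `json:"linkOnly"`
	FirstBrokerLoginFlowAlias   string            `json:"firstBrokerLoginFlowAlias"`
	Config                      map[string]string `json:"config"`
}

// NewGitHubProvider returns the GitHub broker entry with the same flags as the PR
// description; the OAuth client credentials are passed in rather than written into the file.
func NewGitHubProvider(clientID, clientSecret string) IdentityProvider {
	return IdentityProvider{
		Alias:                       "github",
		ProviderID:                  "github",
		Enabled:                     true,
		UpdateProfileFirstLoginMode: "on",
		TrustEmail:                  false, // as in the PR: an e-mail asserted by the broker is not treated as verified
		StoreToken:                  false, // as in the PR: the GitHub access token is not persisted in Keycloak
		FirstBrokerLoginFlowAlias:   "first broker login",
		Config: map[string]string{
			"clientId":     clientID,
			"clientSecret": clientSecret,
		},
	}
}

// sampleRealm is a constructed, minimal realm export containing the empty array the PR asks you to replace.
const sampleRealm = `{"realm": "stacklok", "enabled": true, "identityProviders" : [ ]}`

// AddIdentityProvider parses a realm export, appends idp to identityProviders and returns the
// re-encoded document. It refuses empty credentials and a duplicate alias instead of silently
// overwriting an existing broker entry.
func AddIdentityProvider(realm []byte, idp IdentityProvider) ([]byte, error) {
	if idp.Config["clientId"] == "" || idp.Config["clientSecret"] == "" {
		return nil, errors.New("client ID and client secret must both be set")
	}
	var doc map[string]json.RawMessage
	if err := json.Unmarshal(realm, &doc); err != nil {
		return nil, fmt.Errorf("parsing realm export: %w", err)
	}
	var providers []IdentityProvider
	if raw, ok := doc["identityProviders"]; ok {
		if err := json.Unmarshal(raw, &providers); err != nil {
			return nil, fmt.Errorf("parsing identityProviders: %w", err)
		}
	}
	for _, p := range providers {
		if p.Alias == idp.Alias {
			return nil, fmt.Errorf("identity provider %q already present", idp.Alias)
		}
	}
	providers = append(providers, idp)
	encoded, err := json.Marshal(providers)
	if err != nil {
		return nil, err
	}
	doc["identityProviders"] = encoded
	return json.MarshalIndent(doc, "", "  ")
}

func main() {
	// Hypothetical variable names: the credentials come from the environment so that the
	// realm file checked into git never contains the secret.
	out, err := AddIdentityProvider([]byte(sampleRealm),
		NewGitHubProvider(os.Getenv("GITHUB_CLIENT_ID"), os.Getenv("GITHUB_CLIENT_SECRET")))
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Println(string(out))
}
```

The two flags kept at false matter for the brokered login: trustEmail false means Keycloak does not take the GitHub-supplied e-mail as verified, and storeToken false means the GitHub access token is not kept in Keycloak's database. Rendering the provider block at run time is also the simplest route to the "generate Keycloak config programmatically" and "non-git tracked config" items raised in review.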

@jhrozek jhrozek left a comment

Awesome work!

I started to read the PR and left several comments but I haven't really even read the whole PR yet.

}

// we can create the default user
user, err := qtx.CreateUser(ctx, db.CreateUserParams{
Contributor

Did you have any thoughts on the org admin users going forward, e.g. did you plan on using roles instead of the org admin users?

Contributor

using roles assigned to projects/orgs would be ideal.

Contributor Author

I was thinking when a user logs in for the first time a new org, group and role would be created, making the user an admin of their own org. The same as what we used to do for self-enrolled users.

Contributor

@eleftherias let's go for that, it is in accordance with our plans for the initial SaaS

Contributor Author

I'd like to do this in a separate PR. For now, all users get added to organization 1.

@JAORMX JAORMX left a comment

Good progress! Left some comments.


@eleftherias eleftherias force-pushed the social-login branch 5 times, most recently from 43927a4 to a11c4ff Compare September 28, 2023 11:51
@eleftherias eleftherias changed the title WIP: social logins and identity provider Identity provider login from mediator CLI Sep 28, 2023
@eleftherias eleftherias marked this pull request as ready for review September 28, 2023 12:57
JAORMX previously approved these changes Sep 28, 2023

@JAORMX JAORMX left a comment

I really dig that this also replaces a bunch of the tech debt we had in JWT validation.

I tried this out locally. Had a small hiccup when logging in with a GitHub user the first time, but it worked on the second attempt.

There are some next steps to do:

  • Generate Keycloak config programmatically
  • Allow for a non-git tracked config that folks could overwrite
  • roles for users that come from an idp

But this really moves us forward! great work!

@lukehinds lukehinds left a comment

nit: will need a docs update (can be follow up PR, as long as it gets done at some point) https://mediator-docs.stacklok.dev/run-the-login_medic

@lukehinds lukehinds left a comment

lgtm

@eleftherias eleftherias merged commit 38091a0 into mindersec:main Sep 29, 2023
13 checks passed
@eleftherias eleftherias deleted the social-login branch September 29, 2023 07:18