POC: Generic multiprovider OIDC support without dependence on Apache

[adamlazik1]

Still work in progress but the basic functionality works.

For more details see the created README.

Overview

This Proof of Concept implements native OpenID Connect (OIDC) authentication in Foreman, eliminating the dependency on Apache's mod_auth_openidc. This implementation was developed with assistance from AI (Claude/Cursor).

Key Features

1. Multiple OIDC Providers

• Support for multiple OIDC identity providers simultaneously
• Each provider is configured as an AuthSourceOidc record
• Users can choose which provider to authenticate with from the login page

2. Native Application Authentication

• OIDC logic entirely within the Rails application
• No dependency on Apache or external web server modules

3. Vendor Agnostic

• Should work with any OIDC-compliant provider.

4. Automatic Discovery

• Uses OIDC Discovery (.well-known/openid-configuration) by default
• Discovery happens automatically at authentication time
• Manual endpoint configuration available for IdPs without discovery support

5. Secure Token Validation

• JWT signature verification using JWKS
• Audience (aud) claim validation
• Issuer (iss) claim validation
• Nonce and state validation for replay protection
• Single trust boundary (application layer only)

6. Flexible User Provisioning

• Auto-provision users on first login (per provider)
• Link existing users by email (per provider)
• Configurable role mapping from IdP groups (per provider)

7. Full API & UI Support

• RESTful API for CRUD operations on OIDC providers
• Web UI for managing OIDC providers (Administer → Authentication Sources)
• Connection testing via API

Managing OIDC Providers

1. Navigate to Administer → Authentication Sources
2. Click Create OIDC Source
3. Fill in the required fields:
   • Name: Descriptive name (e.g., "Google", "Keycloak")
   • Issuer URL: OIDC issuer URL (must be HTTPS)
   • Client ID: From your IdP
   • Client Secret: From your IdP
4. (Optional) Configure manual endpoints if your IdP doesn't support discovery
5. Configure options in the Options tab:
   • Auto-provision users
   • Link by email
   • Groups claim
6. Submit the form
7. Restart Foreman to activate the new provider

Login Page

Once OIDC providers are configured and Foreman is restarted:

• The login page will show "Login with " buttons
• Clicking a button initiates OIDC authentication via POST request
• After successful authentication, the user is logged in

Testing

1. Navigate to the Foreman login page
2. Click "Login with " button
3. Authenticate at the IdP
4. You should be redirected back and logged in

Implemented Features

• Multiple OIDC providers support
• API for managing OIDC providers (CRUD + status + test)
• UI for managing OIDC providers
• OIDC provider buttons on login page
• Automatic OIDC discovery (default)
• Manual endpoint configuration (fallback for non-discovery IdPs)
• User auto-provisioning
• User linking by email
• Secure token validation
• POST-only login initiation (CSRF protection)

TODO

• Configure permissions needed to manipulate AuthSourceOidc
• OIDC Authentication via API/hammer
• Update of redirect uri when the foreman url setting changes.
• RP-Initiated Logout support (single sign-out)
• Token refresh handling
• Group sync/mapping automation
• Migration from Apache mod_auth_openidc

[adamlazik1]

I am not sure how to handle the Faraday dependency issue.