Add generic OIDC login option (#10614)

dandersonsw · Maffooch · web-flow · commit 7afa3c72b22a · 2025-03-06T10:37:11.000-07:00
* fixing conflicts and removing code formatting

* sha file deleted

* remove settings sha

* Make some settings optional

* Fix ruff

* Restore some vuln ids

---------

Co-authored-by: Cody Maffucci &lt;46459665+Maffooch@users.noreply.github.com&gt;
diff --git a/docs/content/en/open_source/archived_docs/integrations/social-authentication.md b/docs/content/en/open_source/archived_docs/integrations/social-authentication.md
@@ -307,6 +307,35 @@ Here are suggestion on how to configure Keycloak and DefectDojo:
 7. In your realm settings -> general -> endpoints: look into openId endpoint configuration
    and look up your authorization and token endpoint (use them below)
 
+### Configure OIDC
+Provides the option to authenticate users using a generic OIDC provider.
+
+The minimum configuration requires:
+
+    {{< highlight python >}}
+    DD_SOCIAL_AUTH_OIDC_AUTH_ENABLED=True,
+    DD_SOCIAL_AUTH_OIDC_OIDC_ENDPOINT=(str, 'https://example.com'),
+    DD_SOCIAL_AUTH_OIDC_KEY=(str, 'YOUR_CLIENT_ID'),
+    DD_SOCIAL_AUTH_OIDC_SECRET=(str, 'YOUR_CLIENT_SECRET')
+    {{< /highlight >}}
+
+The rest of the OIDC configuration will be auto-detected by fetching data from:
+ - <DD_SOCIAL_AUTH_OIDC_OIDC_ENDPOINT>/.well-known/open-id-configuration/
+
+You can also optionally set the following:
+
+    {{< highlight python >}}
+    DD_SOCIAL_AUTH_OIDC_ID_KEY=(str, ''),                           #the key associated with the OIDC user IDs
+    DD_SOCIAL_AUTH_OIDC_USERNAME_KEY=(str, ''),                     #the key associated with the OIDC usernames
+    DD_SOCIAL_AUTH_OIDC_WHITELISTED_DOMAINS=(list, ['']),           #list of domains allowed for login
+    DD_SOCIAL_AUTH_OIDC_JWT_ALGORITHMS=(list, ["RS256","HS256"]),
+    DD_SOCIAL_AUTH_OIDC_ID_TOKEN_ISSUER=(str, ''),
+    DD_SOCIAL_AUTH_OIDC_ACCESS_TOKEN_URL=(str, ''),
+    DD_SOCIAL_AUTH_OIDC_AUTHORIZATION_URL=(str, ''),
+    DD_SOCIAL_AUTH_OIDC_USERINFO_URL=(str, ''),
+    DD_SOCIAL_AUTH_OIDC_JWKS_URI=(str, ''),
+    {{< /highlight >}}
+
 ### Configure Defect Dojo
 Edit the settings (see [Configuration](../../open_source/installation/configuration)) with the following
    information:
diff --git a/dojo/context_processors.py b/dojo/context_processors.py
@@ -11,6 +11,7 @@ def globalize_vars(request):
         "FORGOT_PASSWORD": settings.FORGOT_PASSWORD,
         "FORGOT_USERNAME": settings.FORGOT_USERNAME,
         "CLASSIC_AUTH_ENABLED": settings.CLASSIC_AUTH_ENABLED,
+        "OIDC_ENABLED": settings.OIDC_AUTH_ENABLED,
         "AUTH0_ENABLED": settings.AUTH0_OAUTH2_ENABLED,
         "GOOGLE_ENABLED": settings.GOOGLE_OAUTH_ENABLED,
         "OKTA_ENABLED": settings.OKTA_OAUTH_ENABLED,
diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
@@ -104,6 +104,19 @@
     DD_SOCIAL_AUTH_CREATE_USER=(bool, True),  # if True creates user at first login
     DD_SOCIAL_LOGIN_AUTO_REDIRECT=(bool, False),  # auto-redirect if there is only one social login method
     DD_SOCIAL_AUTH_TRAILING_SLASH=(bool, True),
+    DD_SOCIAL_AUTH_OIDC_AUTH_ENABLED=(bool, False),
+    DD_SOCIAL_AUTH_OIDC_OIDC_ENDPOINT=(str, ""),
+    DD_SOCIAL_AUTH_OIDC_ID_KEY=(str, ""),
+    DD_SOCIAL_AUTH_OIDC_KEY=(str, ""),
+    DD_SOCIAL_AUTH_OIDC_SECRET=(str, ""),
+    DD_SOCIAL_AUTH_OIDC_USERNAME_KEY=(str, ""),
+    DD_SOCIAL_AUTH_OIDC_WHITELISTED_DOMAINS=(list, []),
+    DD_SOCIAL_AUTH_OIDC_JWT_ALGORITHMS=(list, ["RS256", "HS256"]),
+    DD_SOCIAL_AUTH_OIDC_ID_TOKEN_ISSUER=(str, ""),
+    DD_SOCIAL_AUTH_OIDC_ACCESS_TOKEN_URL=(str, ""),
+    DD_SOCIAL_AUTH_OIDC_AUTHORIZATION_URL=(str, ""),
+    DD_SOCIAL_AUTH_OIDC_USERINFO_URL=(str, ""),
+    DD_SOCIAL_AUTH_OIDC_JWKS_URI=(str, ""),
     DD_SOCIAL_AUTH_AUTH0_OAUTH2_ENABLED=(bool, False),
     DD_SOCIAL_AUTH_AUTH0_KEY=(str, ""),
     DD_SOCIAL_AUTH_AUTH0_SECRET=(str, ""),
@@ -484,6 +497,7 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
 
 # These are the individidual modules supported by social-auth
 AUTHENTICATION_BACKENDS = (
+    "social_core.backends.open_id_connect.OpenIdConnectAuth",
     "social_core.backends.auth0.Auth0OAuth2",
     "social_core.backends.google.GoogleOAuth2",
     "social_core.backends.okta.OktaOAuth2",
@@ -576,6 +590,31 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
 if GITLAB_PROJECT_AUTO_IMPORT:
     SOCIAL_AUTH_GITLAB_SCOPE += ["read_repository"]
 
+# Mandatory settings
+OIDC_AUTH_ENABLED = env("DD_SOCIAL_AUTH_OIDC_AUTH_ENABLED")
+SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = env("DD_SOCIAL_AUTH_OIDC_OIDC_ENDPOINT")
+SOCIAL_AUTH_OIDC_KEY = env("DD_SOCIAL_AUTH_OIDC_KEY")
+SOCIAL_AUTH_OIDC_SECRET = env("DD_SOCIAL_AUTH_OIDC_SECRET")
+# Optional settings
+if value := env("DD_SOCIAL_AUTH_OIDC_ID_KEY"):
+    SOCIAL_AUTH_OIDC_ID_KEY = value
+if value := env("DD_SOCIAL_AUTH_OIDC_USERNAME_KEY"):
+    SOCIAL_AUTH_OIDC_USERNAME_KEY = value
+if value := env("DD_SOCIAL_AUTH_OIDC_WHITELISTED_DOMAINS"):
+    SOCIAL_AUTH_OIDC_WHITELISTED_DOMAINS = env("DD_SOCIAL_AUTH_OIDC_WHITELISTED_DOMAINS")
+if value := env("DD_SOCIAL_AUTH_OIDC_JWT_ALGORITHMS"):
+    SOCIAL_AUTH_OIDC_JWT_ALGORITHMS = env("DD_SOCIAL_AUTH_OIDC_JWT_ALGORITHMS")
+if value := env("DD_SOCIAL_AUTH_OIDC_ID_TOKEN_ISSUER"):
+    SOCIAL_AUTH_OIDC_ID_TOKEN_ISSUER = value
+if value := env("DD_SOCIAL_AUTH_OIDC_ACCESS_TOKEN_URL"):
+    SOCIAL_AUTH_OIDC_ACCESS_TOKEN_URL = value
+if value := env("DD_SOCIAL_AUTH_OIDC_AUTHORIZATION_URL"):
+    SOCIAL_AUTH_OIDC_AUTHORIZATION_URL = value
+if value := env("DD_SOCIAL_AUTH_OIDC_USERINFO_URL"):
+    SOCIAL_AUTH_OIDC_USERINFO_URL = value
+if value := env("DD_SOCIAL_AUTH_OIDC_JWKS_URI"):
+    SOCIAL_AUTH_OIDC_JWKS_URI = value
+
 AUTH0_OAUTH2_ENABLED = env("DD_SOCIAL_AUTH_AUTH0_OAUTH2_ENABLED")
 SOCIAL_AUTH_AUTH0_KEY = env("DD_SOCIAL_AUTH_AUTH0_KEY")
 SOCIAL_AUTH_AUTH0_SECRET = env("DD_SOCIAL_AUTH_AUTH0_SECRET")
@@ -628,6 +667,7 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
     rf"^{URL_PREFIX}api/v2/",
     r"complete/",
     r"empty_questionnaire/([\d]+)/answer",
+    r"oauth2/idpresponse",
     rf"^{URL_PREFIX}password_reset/",
     rf"^{URL_PREFIX}forgot_username",
     rf"^{URL_PREFIX}reset/",
diff --git a/dojo/templates/dojo/login.html b/dojo/templates/dojo/login.html
@@ -47,6 +47,12 @@ <h3>{% trans "Login" %}</h3>
                 {% endif %}
             </div>
             <div class="form-group">
+                {% if OIDC_ENABLED is True %}
+                    <div class="col-sm-offset-1 col-sm-2">
+                        <a href="{% url 'social:begin' 'oidc' %}?next={{ request.GET.next }}" style="color: rgb(255, 255, 255)" class="btn btn-success" type="button">{% trans "Login with OIDC" %}</a>
+                    </div>
+                {% endif %}
+
                 {% if GOOGLE_ENABLED is True %}
                     <div class="col-sm-offset-1 col-sm-2">
                         <a href="{% url 'social:begin' 'google-oauth2' %}?next={{ request.GET.next }}" style="color: rgb(255,255,255)" class="btn btn-success" type="button">{% trans "Login with Google" %}</a>
diff --git a/dojo/user/views.py b/dojo/user/views.py
@@ -126,6 +126,7 @@ def login_view(request):
         settings.AUTH0_OAUTH2_ENABLED,
         settings.KEYCLOAK_OAUTH2_ENABLED,
         settings.GITHUB_ENTERPRISE_OAUTH2_ENABLED,
+        settings.OIDC_AUTH_ENABLED,
         settings.SAML2_ENABLED,
     ]) == 1 and "force_login_form" not in request.GET:
         if settings.GOOGLE_OAUTH_ENABLED:
@@ -138,6 +139,8 @@ def login_view(request):
             social_auth = "gitlab"
         elif settings.KEYCLOAK_OAUTH2_ENABLED:
             social_auth = "keycloak"
+        elif settings.OIDC_AUTH_ENABLED:
+            social_auth = "oidc"
         elif settings.AUTH0_OAUTH2_ENABLED:
             social_auth = "auth0"
         elif settings.GITHUB_ENTERPRISE_OAUTH2_ENABLED:
