add oauth

[jackielii]

No description provided.

[tedeling]

Thanks! This adds oauth with Slack? Is it finished?

[jackielii]

@tedeling this add OAuth2 capability to it. I have deployed internally and started using it. Sorry I had to add a few things unrelated. I can find some time later on to clean up and open another pull request.

If you want to test, here is my config file:

ehour.standalone.port=18080
# derby, mysql and postgresql are supported. When derby is selected you can ignore the ehour.database lines
ehour.database=postgresql

# for mysql uncomment the following lines (and make sure postgresql lines below are commented out)
#ehour.database.driver=com.mysql.jdbc.Driver
#ehour.database.url=jdbc:mysql://127.0.0.1:3306/ehour?zeroDateTimeBehavior=convertToNull&amp
#ehour.database.username=
#ehour.database.password=

# for postgresql uncomment the following lines (and make sure mysql lines above are commented out)
ehour.database.driver=org.postgresql.Driver
ehour.database.url=jdbc:postgresql://127.0.0.1:5432/ehour
ehour.database.username=ehour
ehour.database.password=ehour

ehour.configurationType=DEVELOPMENT

ehour.translations=../eHour-wicketweb/src/dist/i18n

#ehour.disableAuth=true
ehour.enableOAuth=true
ehour.oauth2.callbackURI=/oauth2/callback
ehour.oauth2.hostURL=http://localhost:18080/eh

ehour.oauth2.name=Slack
ehour.oauth2.userAuthorizationUri=https://slack.com/oauth/authorize
ehour.oauth2.accessTokenUri=https://slack.com/api/oauth.access
ehour.oauth2.clientID=xxxxxxxx
ehour.oauth2.clientSecret=xxxxxxxx
ehour.oauth2.scope=identity.basic identity.email

#ehour.oauth2.userAuthorizationUri=http://sso-dex:5556/dex/auth
#ehour.oauth2.accessTokenUri=http://sso-dex:5556/dex/token
#ehour.oauth2.clientID=xxxxxx
#ehour.oauth2.clientSecret=xxxxx
#ehour.oauth2.scope=profile email openid



#ehour.enableBookWholeWeek=false

# enable/disable mail, defaults to true
ehour.enableMail=false

So I tested with two OAuth providers: slack & dex, they all implements the standard OAuth2.0

[tedeling]

Yes if could split the unrelated additions in another PR, that would be great.

[tedeling]

Why are they so lengthy, oauth standard? The datamodel needs changes as well to accommodate the longer username.

[jackielii]

Hi, this change is for when login with oauth, I have to set the username to the email as that's the only reliable field that comes with the claims that is readable. It's probably not necessary to set it to something readable, for example use the "subject" claim. I was trying to let the user able to login with their emails as well after logged in with Oauth the first time.

So I think we should remove this change.

[jackielii]

In general this PR needs a bit improvement to handle different oauth servers, at least make it less error prone.

My comments are the ones I think you can take on. However, I really don't have time to move it forward at the moment.

Hope this helps if some one really needs a oauth adapter.

BTW, my oauth claims response handling is based on slack

[jackielii]

this is excluded because somehow if there the docker build won't pass

[jackielii]

this is a temporary workaround, the customers if empty will generate invalid SQL. didn't have time to look into it

[jackielii]

same workaround as above

[jackielii]

same reason about the docker build

[jackielii]

same reason about the docker build

[jackielii]

same reason about the docker build

[jackielii]

if this needs to be reverted. then the oauth create user logic needs to be updated

[jackielii]

this bit should be re-examined. different oauth server returns different response. in OIDC case, it doesn't return "ok" in response

[jackielii]

this needs changing, if signing in only with Oauth, then probably should use subject as username