WebChat multi-tenant spec ④: enterprise SSO (OIDC unified authentication) #757
Merged
Surveyed the major domestic unified-authentication vendors (派拉/玉符/Alibaba Cloud/Tencent Cloud/宁盾/Authing/竹云/Huawei OneAccess/TOPIAM) and confirmed that OIDC is the greatest common denominator, with 100% coverage.

Design points:
- Standard OIDC Authorization Code flow + PKCE (one implementation covers every vendor)
- Multi-provider configuration (oauth.providers[]), independent of the bot configuration
- Coexists with spec ① password login; both are first-class citizens
- First SSO login auto-creates an account (provider+subject→users); no automatic merging
- user_identities table decouples OAuth identities from users (migration 020)
- go-oidc/v3 + golang.org/x/oauth2 (already indirect in go.mod)
- Security: state CSRF protection + PKCE + ID Token signature verification
- Also wires the spec ① auth_handlers (clears the routes.go TODO(spec ⑥))
- spec ④ contains no frontend UI; that belongs to spec ⑥
Standard OIDC Authorization Code flow + PKCE: one implementation covers all major domestic unified-authentication vendors (派拉/玉符/Alibaba Cloud IDaaS/Tencent Cloud IDaaS/宁盾/Authing/竹云/Huawei OneAccess/TOPIAM) as well as international IdPs (Keycloak/Okta/Azure AD/Google Workspace).

Core components:
- OAuthProvider: OIDC client (discovery + token exchange + ID Token verification)
- OAuthManager: multi-provider registry (supports hot reload)
- OAuthHandlers: login/callback/providers HTTP endpoints
- user_identities table (migration 020): (provider, subject) → user_id mapping
- State cookie: HMAC-signed; CSRF protection + PKCE binding + provider check

Security design:
- Authorization Code flow + mandatory PKCE (S256)
- State parameter CSRF protection (HMAC-signed cookie, 5 min TTL)
- ID Token signature verification (JWKS) + iss/aud/exp checks
- Provider name injection protection ([a-z0-9-]+ plus registry lookup)
- No automatic account merging (first SSO login auto-creates an account; provider+subject is a unique mapping)

Coexists with spec ① password login; both are first-class citizens. Also wires the spec ① auth_handlers (clears the routes.go TODO(spec ⑥)).

Dependencies: coreos/go-oidc/v3 + golang.org/x/oauth2 (was indirect, now direct)

Test coverage:
- store: identity CRUD + UNIQUE constraint (4 tests)
- state cookie: set/verify/CSRF/expired/tampered/missing (7 tests)
- config: validate/scopes/claims/callback URL (10 tests)
- OAuthProvider: mock IdP end-to-end discovery→exchange→verify→claims (3 tests)

make quality all green.
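The state cookie, PKCE binding and provider-name check that the commit message above describes (and that the first commit lists as design points), as an added example that is not the project's oauth_state.go: the payload fields, error values and function names are assumptions made for this example, and the signing key is a constructed demo value.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// statePayload is what the HMAC-signed cookie carries (field names assumed for this example).
type statePayload struct {
	State        string `json:"state"`    // echoed back by the IdP as ?state=
	Provider     string `json:"provider"` // which oauth.providers[] entry started the flow
	CodeVerifier string `json:"cv"`       // PKCE secret; only its S256 hash leaves the server
	Exp          int64  `json:"exp"`      // unix seconds; the commit uses a 5 min TTL
}

var (
	ErrBadSignature     = errors.New("state cookie: missing, malformed or tampered")
	ErrExpired          = errors.New("state cookie: expired")
	ErrStateMismatch    = errors.New("state cookie: state parameter mismatch")
	ErrProviderMismatch = errors.New("state cookie: provider mismatch")
	ErrProviderName     = errors.New("provider: invalid or unknown name")

	providerNameRe = regexp.MustCompile(`^[a-z0-9-]+$`)
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// PKCEChallengeS256 derives code_challenge = BASE64URL(SHA256(code_verifier)).
func PKCEChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return b64(sum[:])
}

// ValidateProviderName is the two-step check from the commit: character allowlist,
// then exact registry lookup, so a raw path segment never reaches the manager.
func ValidateProviderName(name string, registry map[string]bool) error {
	if !providerNameRe.MatchString(name) || !registry[name] {
		return ErrProviderName
	}
	return nil
}

func sign(key []byte, body string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(body))
	return b64(mac.Sum(nil))
}

// NewStateCookie builds the cookie value and returns with it the state and
// code_challenge that go into the authorization request URL.
func NewStateCookie(key []byte, provider string, now time.Time, ttl time.Duration) (cookie, state, challenge string) {
	buf := make([]byte, 48) // 16 bytes of state + 32 bytes of code_verifier (43 chars base64url, within RFC 7636's 43..128)
	if _, err := rand.Read(buf); err != nil {
		panic(err) // crypto/rand failing is not recoverable
	}
	p := statePayload{State: b64(buf[:16]), Provider: provider, CodeVerifier: b64(buf[16:]), Exp: now.Add(ttl).Unix()}
	raw, _ := json.Marshal(p) // fixed struct of strings and an int64; cannot fail
	body := b64(raw)
	return body + "." + sign(key, body), p.State, PKCEChallengeS256(p.CodeVerifier)
}

// VerifyStateCookie checks signature, TTL, state and provider, in that order, and
// only then releases the PKCE code_verifier for the token exchange.
func VerifyStateCookie(key []byte, cookie, state, provider string, now time.Time) (string, error) {
	body, sig, ok := strings.Cut(cookie, ".") // body is base64url, so the first '.' is the separator
	if !ok || subtle.ConstantTimeCompare([]byte(sig), []byte(sign(key, body))) != 1 {
		return "", ErrBadSignature
	}
	raw, err := base64.RawURLEncoding.DecodeString(body)
	var p statePayload
	if err != nil || json.Unmarshal(raw, &p) != nil {
		return "", ErrBadSignature
	}
	if now.Unix() > p.Exp {
		return "", ErrExpired
	}
	if subtle.ConstantTimeCompare([]byte(p.State), []byte(state)) != 1 {
		return "", ErrStateMismatch
	}
	if p.Provider != provider {
		return "", ErrProviderMismatch
	}
	return p.CodeVerifier, nil
}

func main() {
	key := []byte("constructed-demo-key")
	cookie, state, challenge := NewStateCookie(key, "keycloak", time.Now(), 5*time.Minute)
	verifier, err := VerifyStateCookie(key, cookie, state, "keycloak", time.Now())
	fmt.Println("callback accepted:", err == nil, "| verifier matches challenge:", PKCEChallengeS256(verifier) == challenge)
}
```

The cookie is only ever compared against the callback's `state` and `provider` after the HMAC check passes, so a forged or replayed cookie cannot steer which provider's token endpoint receives the code, and the code_verifier never leaves the server before then.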
…grade warnings (#749)
- Bridge.resolveWorkspaceOverrides: dedup degrade warnings per workspaceID via sync.Map (LoadOrStore), re-arm on successful resolution — prevents log spam under high-crash session loops
- ScanWorkspaceOverrides: one-time startup sweep of all active workspaces' agent_config_overrides, logs Warn for invalid JSON written before spec ② write-time validation existed — non-blocking, no data modified
- ListAllWorkspaces: new store method (SQLite + PG) backing the startup scan
- Tests: warn dedup lifecycle, startup scan (nil/valid/dirty/error), store

Closes #749
P1: Make first-login user+identity creation idempotent. A prior crashed
first-login could leave an orphaned users row (CreateUser ok, identity
insert failed on transient DB error). On retry, re-check by the
deterministic 'provider:subject' username and reuse the existing row,
avoiding a UNIQUE(username) violation that permanently locked out the
SSO identity.
P2: Callback now checks for IdentityError{ErrCodeUserDisabled} via
errors.As and redirects to ?auth_error=USER_DISABLED instead of the
generic USER_CREATE_FAILED.
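The idempotent first-login path (P1) and the USER_DISABLED mapping (P2) described in this commit message, as an added example that is not the project's own code: an in-memory stand-in replaces the users and user_identities tables, and IdentityError, ResolveSSOUser and CallbackErrorCode are hypothetical names. The crash is simulated with a flag that makes the identity insert fail after the user row was already written.

```go
package main

import (
	"errors"
	"fmt"
)

// Error codes named in the commit message; IdentityError's shape is an assumption.
const (
	ErrCodeUserDisabled     = "USER_DISABLED"
	ErrCodeUserCreateFailed = "USER_CREATE_FAILED"
)

type IdentityError struct {
	Code string
	Err  error
}

func (e *IdentityError) Error() string { return fmt.Sprintf("identity %s: %v", e.Code, e.Err) }
func (e *IdentityError) Unwrap() error { return e.Err }

type User struct {
	ID       int64
	Username string
	Disabled bool
}

// memStore stands in for the users and user_identities tables and their UNIQUE constraints.
type memStore struct {
	users              map[string]*User // keyed by username: UNIQUE(username)
	identities         map[string]*User // keyed by "provider:subject": UNIQUE(provider, subject) -> user
	failIdentityInsert bool             // simulates a transient DB error after CreateUser succeeded
}

func newStore() *memStore { return &memStore{users: map[string]*User{}, identities: map[string]*User{}} }

func (s *memStore) CreateUser(name string) (*User, error) {
	if s.users[name] != nil {
		return nil, errors.New("UNIQUE constraint failed: users.username")
	}
	u := &User{ID: int64(len(s.users) + 1), Username: name}
	s.users[name] = u
	return u, nil
}

func (s *memStore) CreateIdentity(provider, subject string, u *User) error {
	if s.failIdentityInsert {
		return errors.New("database is locked") // the transient failure from the commit message
	}
	s.identities[provider+":"+subject] = u
	return nil
}

// ResolveSSOUser is the idempotent first-login path from the commit. Before the fix
// a missing identity row always led to CreateUser, so a retry after a crash between
// CreateUser and CreateIdentity failed on UNIQUE(username) forever; now the
// deterministic username is re-checked first and the orphaned row is reused.
func ResolveSSOUser(s *memStore, provider, subject string) (*User, error) {
	username := provider + ":" + subject // deterministic, so a retry finds the same row
	u, linked := s.identities[provider+":"+subject]
	if !linked {
		if u = s.users[username]; u == nil { // orphan from a crashed first login?
			var err error
			if u, err = s.CreateUser(username); err != nil {
				return nil, &IdentityError{Code: ErrCodeUserCreateFailed, Err: err}
			}
		}
		if err := s.CreateIdentity(provider, subject, u); err != nil {
			return nil, &IdentityError{Code: ErrCodeUserCreateFailed, Err: err}
		}
	}
	if u.Disabled {
		return nil, &IdentityError{Code: ErrCodeUserDisabled, Err: errors.New("user is disabled")}
	}
	return u, nil
}

// CallbackErrorCode is the value the callback handler puts in ?auth_error=,
// using errors.As so wrapping does not hide the disabled case.
func CallbackErrorCode(err error) string {
	var ie *IdentityError
	if errors.As(err, &ie) && ie.Code == ErrCodeUserDisabled {
		return "USER_DISABLED"
	}
	return "USER_CREATE_FAILED"
}

func main() {
	s := newStore()
	s.failIdentityInsert = true
	_, err := ResolveSSOUser(s, "okta", "sub-1") // first login crashes after CreateUser
	s.failIdentityInsert = false
	u, retryErr := ResolveSSOUser(s, "okta", "sub-1") // retry reuses the orphaned row
	fmt.Println("first attempt:", err, "| retry: user", u.ID, retryErr)
}
```

The pre-fix behaviour is what a plain `CreateUser` on retry would do: the orphaned row already owns the username, so the UNIQUE violation repeats on every login attempt for that subject.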
The SSO/OAuth landmine (spec ④) added oauth_manager.go (7 funcs) with no tests, dropping internal/security coverage to 78.3% — below the CI 80% threshold. Add oauth_manager_test.go covering all 7 functions and every Reload branch (empty, success, clear, discovery error, partial error, preserve-unchanged, rediscover-on-client_id-change). Reuses the existing mockOIDCServer. Package coverage 78.1% → 84.8%, oauth_manager.go 0% → 100%.
Summary
Closes #756
Standard OIDC Authorization Code flow + PKCE: one implementation covers all major domestic unified-authentication vendors (派拉/玉符/Alibaba Cloud IDaaS/Tencent Cloud IDaaS/宁盾/Authing/竹云/Huawei OneAccess/TOPIAM) as well as international IdPs (Keycloak/Okta/Azure AD/Google Workspace).

Core components
- OAuthProvider: internal/security/oauth_provider.go
- OAuthManager: internal/security/oauth_manager.go
- OAuthHandlers: internal/gateway/oauth_handlers.go
- State cookie: internal/security/oauth_state.go
- user_identities table: unique (provider, subject) → user_id mapping
- internal/config/oauth_types.go: oauth.providers[] configuration + validation

Security design
- Provider name: only [a-z0-9-]+ is allowed, plus an exact registry match
- (provider, subject): account auto-created on first login; email plays no part in linking

Relation to spec ①
Coexists with password login; both are first-class citizens. Also wires the spec ① auth_handlers (clears the routes.go TODO(spec ⑥)). Once spec ④ lands, the WebChat backend authentication system is complete.

Configuration example

Tests (24 tests, make quality all green)
The mock IdP tests use an httptest.Server to emulate a complete OIDC provider (discovery + JWKS + token endpoint), signing real JWTs with RSA RS256 so that go-oidc's full verification chain is exercised.

Dependencies
- github.com/coreos/go-oidc/v3 v3.18.0 (new)
- golang.org/x/oauth2 v0.36.0 (indirect → direct)

Checklist
- user_identities table + store methods (SQLite + PG)
- OAuthProvider OIDC client
- OAuthManager multi-provider management
- OAuthHandlers HTTP endpoints
- make quality all green
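The mock-IdP testing approach and the ID Token checks the PR description relies on go-oidc for, as an added example that is not the PR's test code or go-oidc itself: an httptest.Server serves a one-key JWKS (discovery and the token endpoint are left out, so the verifier takes the JWKS URL directly), MintIDToken and VerifyIDToken are hypothetical names, `aud` is treated as a single string, and every issuer, client and subject value is constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"` // real IdPs may send an array; go-oidc accepts both forms
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewMockIdP serves a one-key JWKS for pub, the way the PR's httptest server does.
func NewMockIdP(pub *rsa.PublicKey, kid string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/jwks", func(w http.ResponseWriter, _ *http.Request) {
		key := map[string]string{"kty": "RSA", "kid": kid, "n": b64(pub.N.Bytes()), "e": b64(big.NewInt(int64(pub.E)).Bytes())}
		json.NewEncoder(w).Encode(map[string]any{"keys": []any{key}})
	})
	return httptest.NewServer(mux)
}

// MintIDToken signs a compact RS256 JWT as the mock IdP's token endpoint would.
func MintIDToken(priv *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:]) // cannot fail for a well-formed key
	return input + "." + b64(sig)
}

// decodePart base64url-decodes one JWT segment into v.
func decodePart(part string, v any) error {
	b, err := base64.RawURLEncoding.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// VerifyIDToken is the chain the PR delegates to go-oidc: fetch JWKS, pick the
// key by kid, verify the RS256 signature, then check iss/aud/exp.
func VerifyIDToken(raw, jwksURL, issuer, clientID string, now time.Time) (*Claims, error) {
	resp, err := http.Get(jwksURL)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var set struct{ Keys []struct{ Kid, N, E string } } // encoding/json matches "kid"/"n"/"e" case-insensitively
	if err := json.NewDecoder(resp.Body).Decode(&set); err != nil {
		return nil, err
	}
	parts := strings.Split(raw, ".")
	var hdr struct{ Alg, Kid string }
	if len(parts) != 3 || decodePart(parts[0], &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed token or unexpected alg") // never honour "none" or an HMAC alg
	}
	var pub *rsa.PublicKey
	for _, k := range set.Keys {
		n, errN := base64.RawURLEncoding.DecodeString(k.N)
		e, errE := base64.RawURLEncoding.DecodeString(k.E)
		if k.Kid == hdr.Kid && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if pub == nil || err != nil {
		return nil, errors.New("unknown kid or undecodable signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	var c Claims
	if decodePart(parts[1], &c) != nil || c.Iss != issuer || c.Aud != clientID || now.Unix() >= c.Exp {
		return nil, errors.New("iss/aud/exp check failed")
	}
	return &c, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	srv := NewMockIdP(&priv.PublicKey, "kid-1")
	tok := MintIDToken(priv, "kid-1", Claims{Iss: "https://idp.example", Aud: "webchat", Sub: "user-42", Exp: time.Now().Add(time.Hour).Unix()})
	c, err := VerifyIDToken(tok, srv.URL+"/jwks", "https://idp.example", "webchat", time.Now())
	fmt.Printf("%+v %v\n", c, err) // no srv.Close(): the process exits right after
}
```

Because the verifier reads the claims only after the signature check and pins the expected `alg`, a payload edited in transit, a token signed by a different key, or an `alg: none` header all fail before any claim is trusted; that is the property the PR's mock-IdP tests exercise through go-oidc.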