feat(OAuth): Add SSO support for OAuth EE-390 (#5087)

* add updateSettingsToDB28 func and test * update DBversion const * migration func naming modification * feat(oauth): add sso, hide internal auth teaser and logout options. (#5039) * cleanup and make helper func for unit testing * dbversion update * feat(publicSettings): public settings response modification for OAuth SSO EE-608 (#5062) * feat(oauth): updated logout logic with logoutUrl. (#5064) * add exclusive token generation for OAuth * swagger annotation revision * add unit test * updates based on tech review feedback * feat(oauth): updated oauth settings model * feat(oauth): added oauth logout url * feat(oauth): fixed SSO toggle and logout issue. * set SSO to ON by default * update migrator unit test * set SSO to true by default for new instance * prevent applying the SSO logout url to the initial admin user Co-authored-by: fhanportainer <79428273+fhanportainer@users.noreply.github.com> Co-authored-by: Felix Han <felix.han@portainer.io>
2025-07-19 13:29:41 +02:00 · 2021-06-11 10:09:04 +12:00 · 2021-06-11 10:09:04 +12:00 · f674573cdf
commit f674573cdf
parent 14ac005627
16 changed files with 412 additions and 84 deletions
--- a/api/http/handler/auth/authenticate.go
+++ b/api/http/handler/auth/authenticate.go
@ -5,6 +5,7 @@ import (
 	"log"
 	"net/http"
 	"strings"
+	"time"

 	"github.com/asaskevich/govalidator"
 	httperror "github.com/portainer/libhttp/error"
@ -130,19 +131,21 @@ func (handler *Handler) authenticateLDAPAndCreateUser(w http.ResponseWriter, use
 }

 func (handler *Handler) writeToken(w http.ResponseWriter, user *portainer.User) *httperror.HandlerError {
-	tokenData := &portainer.TokenData{
-		ID:       user.ID,
-		Username: user.Username,
-		Role:     user.Role,
-	}
+	return handler.persistAndWriteToken(w, composeTokenData(user))
+}

-	return handler.persistAndWriteToken(w, tokenData)
+func (handler *Handler) writeTokenForOAuth(w http.ResponseWriter, user *portainer.User, expiryTime *time.Time) *httperror.HandlerError {
+	token, err := handler.JWTService.GenerateTokenForOAuth(composeTokenData(user), expiryTime)
+	if err != nil {
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to generate JWT token", Err: err}
+	}
+	return response.JSON(w, &authenticateResponse{JWT: token})
 }

 func (handler *Handler) persistAndWriteToken(w http.ResponseWriter, tokenData *portainer.TokenData) *httperror.HandlerError {
 	token, err := handler.JWTService.GenerateToken(tokenData)
 	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to generate JWT token", err}
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to generate JWT token", Err: err}
 	}

 	return response.JSON(w, &authenticateResponse{JWT: token})
@ -204,3 +207,11 @@ func teamMembershipExists(teamID portainer.TeamID, memberships []portainer.TeamM
 	}
 	return false
 }
+
+func composeTokenData(user *portainer.User) *portainer.TokenData {
+	return &portainer.TokenData{
+		ID:       user.ID,
+		Username: user.Username,
+		Role:     user.Role,
+	}
+}