
feat(OAuth): Add SSO support for OAuth EE-390 (#5087)

* add updateSettingsToDB28 func and test

* update DBversion const

* migration func naming modification

* feat(oauth): add sso, hide internal auth teaser and logout options. (#5039)

* cleanup and make helper func for unit testing

* dbversion update

* feat(publicSettings): public settings response modification for OAuth SSO EE-608 (#5062)

* feat(oauth): updated logout logic with logoutUrl. (#5064)

* add exclusive token generation for OAuth

* swagger annotation revision

* add unit test

* updates based on tech review feedback

* feat(oauth): updated oauth settings model

* feat(oauth): added oauth logout url

* feat(oauth): fixed SSO toggle and logout issue.

* set SSO to ON by default

* update migrator unit test

* set SSO to true by default for new instance

* prevent applying the SSO logout url to the initial admin user

Co-authored-by: fhanportainer <79428273+fhanportainer@users.noreply.github.com>
Co-authored-by: Felix Han <felix.han@portainer.io>
This commit is contained in:
Hui 2021-06-11 10:09:04 +12:00 committed by GitHub
parent 14ac005627
commit f674573cdf
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
16 changed files with 412 additions and 84 deletions


@ -4,14 +4,16 @@ import (
"context"
"encoding/json"
"fmt"
"golang.org/x/oauth2"
"io/ioutil"
"log"
"mime"
"net/http"
"net/url"
"time"
"github.com/portainer/portainer/api"
"golang.org/x/oauth2"
portainer "github.com/portainer/portainer/api"
)
// Service represents a service used to authenticate users against an authorization server
@ -23,31 +25,35 @@ func NewService() *Service {
}
// Authenticate takes an access code and exchanges it for an access token from portainer OAuthSettings token endpoint.
// On success, it will then return the username associated to authenticated user by fetching this information
// On success, it will then return the username and token expiry time associated to authenticated user by fetching this information
// from the resource server and matching it with the user identifier setting.
func (*Service) Authenticate(code string, configuration *portainer.OAuthSettings) (string, error) {
token, err := getAccessToken(code, configuration)
func (*Service) Authenticate(code string, configuration *portainer.OAuthSettings) (string, *time.Time, error) {
token, err := getOAuthToken(code, configuration)
if err != nil {
log.Printf("[DEBUG] - Failed retrieving access token: %v", err)
return "", err
return "", nil, err
}
return getUsername(token, configuration)
username, err := getUsername(token.AccessToken, configuration)
if err != nil {
log.Printf("[DEBUG] - Failed retrieving oauth user name: %v", err)
return "", nil, err
}
return username, &token.Expiry, nil
}
func getAccessToken(code string, configuration *portainer.OAuthSettings) (string, error) {
func getOAuthToken(code string, configuration *portainer.OAuthSettings) (*oauth2.Token, error) {
unescapedCode, err := url.QueryUnescape(code)
if err != nil {
return "", err
return nil, err
}
config := buildConfig(configuration)
token, err := config.Exchange(context.Background(), unescapedCode)
if err != nil {
return "", err
return nil, err
}
return token.AccessToken, nil
return token, nil
}
func getUsername(token string, configuration *portainer.OAuthSettings) (string, error) {