Add OIDC auth support

opentakserver/app.py

@@ -39,7 +39,16 @@
 from opentakserver.controllers.meshtastic_controller import MeshtasticController
 from opentakserver.defaultconfig import DefaultConfig
 from opentakserver.EmailValidator import EmailValidator
-from opentakserver.extensions import apscheduler, babel, db, ldap_manager, logger, mail, socketio
+from opentakserver.extensions import (
+    apscheduler,
+    babel,
+    db,
+    ldap_manager,
+    logger,
+    mail,
+    oidc,
+    socketio,
+)
 from opentakserver.models.Group import Group, GroupTypeEnum
 from opentakserver.models.Icon import Icon
 from opentakserver.models.role import Role
@@ -67,6 +76,52 @@ def get_timezone():
     return pytz.timezone("UTC")
 
 
+def _normalize_samesite(value):
+    if value is None:
+        return None
+
+    value = str(value).strip()
+    return value.lower() or None
+
+
+def _init_oidc(app):
+    if not app.config.get("OTS_ENABLE_OIDC"):
+        return
+
+    logger.info("Enabling OIDC via flask-oidc")
+    if oidc is None:
+        raise RuntimeError(
+            "OTS_ENABLE_OIDC is enabled but flask-oidc is not installed. Install flask-oidc to use OIDC."
+        )
+
+    if _normalize_samesite(app.config.get("SESSION_COOKIE_SAMESITE")) == "strict":
+        logger.warning(
+            "SESSION_COOKIE_SAMESITE=strict breaks browser OIDC callbacks; overriding it to Lax"
+        )
+        app.config["SESSION_COOKIE_SAMESITE"] = "Lax"
+
+    oidc.init_app(app)
+
+
+def _build_security_identity_attributes(app):
+    identity_attributes = [
+        {"username": {"mapper": uia_username_mapper, "case_insensitive": True}}
+    ]
+
+    if app.config.get("OTS_ENABLE_EMAIL"):
+        identity_attributes.append(
+            {"email": {"mapper": uia_email_mapper, "case_insensitive": True}}
+        )
+
+    if app.config.get("OTS_ENABLE_LDAP"):
+        identity_attributes.append({"ldap": {}})
+
+    if app.config.get("OTS_ENABLE_OIDC"):
+        identity_attributes.append({"oidc": {}})
+
+    return identity_attributes
+
+
 def init_extensions(app):
     db.init_app(app)
     Migrate(app, db)
@@ -95,13 +150,10 @@ def init_extensions(app):
             }
         }
     )
-    identity_attributes = [{"username": {"mapper": uia_username_mapper, "case_insensitive": True}}]
+    identity_attributes = _build_security_identity_attributes(app)
 
     # Don't allow registration unless email is enabled
     if app.config.get("OTS_ENABLE_EMAIL"):
-        identity_attributes.append(
-            {"email": {"mapper": uia_email_mapper, "case_insensitive": True}}
-        )
         app.config.update(
             {
                 "SECURITY_REGISTERABLE": True,
@@ -123,7 +175,8 @@ def init_extensions(app):
     if app.config.get("OTS_ENABLE_LDAP"):
         logger.info("Enabling LDAP")
         ldap_manager.init_app(app)
-        identity_attributes.append({"ldap": {}})
+
+    _init_oidc(app)
 
     app.config.update({"SECURITY_USER_IDENTITY_ATTRIBUTES": identity_attributes})
 
@@ -304,8 +357,6 @@ def create_app(cli=True):
 
         app.register_blueprint(scheduler_blueprint)
 
-        app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1, x_host=1)
-
     else:
         from opentakserver.blueprints.cli import ots, translate
 
@@ -355,6 +406,7 @@ def create_app(cli=True):
 
         app.register_blueprint(scheduler_blueprint)
 
+    app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1, x_host=1, x_proto=1, x_port=1)
     return app
 
 

opentakserver/blueprints/ots_api/__init__.py

@@ -22,6 +22,7 @@
 from .language_api import language_api
 from .ldap_api import ldap_blueprint
 from .tak_gov_link_api import tak_gov_link_blueprint
+from .oidc_api import oidc_blueprint
 
 ots_api = Blueprint("ots_api", __name__)
 ots_api.register_blueprint(api_blueprint)
@@ -41,5 +42,6 @@
 ots_api.register_blueprint(plugin_blueprint)
 ots_api.register_blueprint(token_api_blueprint)
 ots_api.register_blueprint(ldap_blueprint)
+ots_api.register_blueprint(oidc_blueprint)
 ots_api.register_blueprint(tak_gov_link_blueprint)
 ots_api.register_blueprint(language_api)