Replies: 14 comments 15 replies
-
I finally got this to work, but I had to subclass open_id_connect.py to set a backend name and override some settings to work with Vault.
I don't have group sync working, and I can only see group sync code in Netbox for the Only two other existing social-auth backends return groups: mediawiki and discourse. If I try to return groups like this:
then I get a Django ORM exception:
This suggests to me that it's trying to assign a list of groups directly to the
-
I am also having the same issue using our company SSO with netbox. Can you elaborate a bit more on how you fixed the URL error?
This is the error I got:
-
Did you ever figure out group sync support?
-
I'm wondering if switching to django-allauth would work better for authenticating with external providers. Not sure how much work it would be to switch, or if it's even possible without changes to the core.
-
Having gone through the work of setting up OIDC with apache and using the remote auth code, I'm wondering what would be the advantage to me of switching to the python-social implementation?
-
I don't know all the benefits integrating authentication directly into the netbox app server brings; it works better for some people in some deployment scenarios, but for me the on-ramp to configuring the front-end reverse-proxy webserver with SSO was way easier (we already do this for other apps), and I prefer the peace of mind of knowing that not a single line of (my own or 3rd-party) app code runs before authn/authz are complete, so the only exposure is to authorized users. Which method is better probably depends on the auth provider and what they best support.
—
Mark Tinberg
Division of Information Technology-Network Services
University of Wisconsin-Madison
-
@jschewebbn I had exactly the same question after I made the HTTP header auth approach work and started to look into PSA. Without any detailed analysis, I assumed HTTP header auth introduces an additional hop (apache server in front of gunicorn) and an additional component/config to manage. But reading this page https://demo.netbox.dev/static/docs/installation/5-http-server/ on how to secure a netbox installation using HTTPS, I understand that a web server at the front is unavoidable. So I have decided to take the HTTP header auth approach and ignore PSA. Thanks everyone for your valuable inputs.
-
@rakesh-p based on my experience and the comments here, I'm going the same route.
-
I think of it less as an additional hop and more of a separation of concerns, let the app server deal with app technology (templates, business logic, db connections) and the web server deal with the network protocols (ssl/tls, high-performance socket handling, http protocol, virtualhosting and security) rather than make the app framework grow all those features, it really only needs a basic http service for testing and as a proxy target.
-
I was wrong when I said above "Only downside of using HTTP header auth is I cannot get the option to login as local accounts without disabling the Remote auth first." There is a way to access the local accounts and also use OIDC at the same time. I have netbox running on HTTP at port 8080 and an apache httpd server with the OIDC config serving netbox at port 443 (HTTPS). So when I hit https://mynetbox.com, I reach the OIDC endpoint (keycloak in this case). When I hit http://mynetbox.com:8080, I can use a local account. :)
-
That's a good idea, combined with another technique I use when the app server only listens on localhost or is blocked from remote access by firewall rules, ssh with port-forwarding or SOCKS proxying can fill that gap.
eg. ssh netbox.example.com -D 1080
with a proxy auto-config (PAC) file on a webserver you have access to
# https://netbox.example.com/static/netbox.pac
function FindProxyForURL(url, host) {
if (host == "netbox.example.com") {
return "SOCKS5 localhost:1080";
} else {
return "";
}
}
then configure your browser proxy auto-config to that url and you'll tunnel all your netbox web traffic over SSH but nothing else, so the browser traffic is local to the target server. That works if your organization isn't using web proxies for outbound access control, but you often can have more than one browser installed (Firefox/Chrome/Edge/Safari) so you can use a different browser with the proxy settings without breaking your normal web access.
-
I just set up full integration (with PingID/PingOne), using this approach
Notice that the Python module changes all header names to CAPITALS and adds HTTP_ in front. Having this, the netbox config looks this way:
In addition, I enable logging and turn on debug:
(I CAN turn on debug; it is already disabled.) And then, patch one more file to see metadata (so if I enable debug I see all headers and how they come to netbox):
Then, I need to reconfigure LOGOUT so it really logs you OUT. I use /redirect_uri as the OAUTH2 redirect url, so I configure it here: LOGOUT_REDIRECT_URL = '/redirect_uri?logout=%2Flogout.html' (If you do not do it, the user cannot log out to change the user id, for example; he can use an incognito window etc., though). Works well.
The OIDC and OAUTH2 modules (the ones documented in the netbox docs) look like a joke (OIDC, for example, REQUIRES an ISSUER or METADATA URL, CLIENT ID and SHARED KEY, and nothing is supported, and so on), so I decided that it does not make any sense to try (if someone, instead of a full-scale OIDC module, created 'okta oidc' | 'MS oidc', then likely no one follows standards). The SAML module looks reasonable (at least it contains mapping, metafile and so on), but SAML is a terrible, over-blown protocol, and I skip it as much as I can.
The Apache front end is standard for OIDC with a reverse proxy and contains this (be careful: if a user has too many groups, it may create a very big header which may violate the HTTP standard):
and the OIDC include:
-
And it converts dash to underscore. Note that Gunicorn 22.0.0 (which Netbox 3.7.6 picks up) has stopped accepting header names containing underscores by default, so the best thing to do now is to use a dash in the header:
After mapping, this will still give you
I don't believe the HTTP standard specifies any limit. However, various implementations have limits for the length of a single header and/or the total size of all headers, which may or may not be configurable. For example, Apache has LimitRequestFieldSize.
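An added example, not code from NetBox, gunicorn or the Apache OIDC module, that ties together the points in the last few comments: how a proxy-set header name becomes the META key that REMOTE_AUTH_HEADER must name, why gunicorn 22 no longer passes underscored names, the per-field size limit a long group list can hit, and what the app port sees when a client reaches it directly (the :8080 path described a few comments up) while remote auth is enabled. Assumed, and labelled in the code: NetBox's documented defaults for REMOTE_AUTH_HEADER, REMOTE_AUTH_GROUP_HEADER and REMOTE_AUTH_GROUP_SEPARATOR; the 8190-byte Apache default for LimitRequestFieldSize; and the constructed header names, user names and group names.

```python
"""Added example (not NetBox, gunicorn or mod_auth_openidc code) of the header
path behind REMOTE_AUTH_HEADER / REMOTE_AUTH_GROUP_HEADER. Every default and
every request below is an assumption or a constructed value."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Apache documents 8190 bytes as the default LimitRequestFieldSize; gunicorn's
# limit_request_field_size defaults to the same value (assumed here).
DEFAULT_FIELD_LIMIT = 8190
_TOKEN = re.compile(r"^[!#$%&'*+.^`|~0-9A-Za-z_-]+$")  # RFC 7230 tchar


def wsgi_meta_key(header_name: str) -> str:
    """'X-Remote-User' -> 'HTTP_X_REMOTE_USER': upper-cased, '-' -> '_', HTTP_ prefix.
    This is the spelling REMOTE_AUTH_HEADER / REMOTE_AUTH_GROUP_HEADER must use."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def gunicorn_passes_header(header_name: str) -> bool:
    """Gunicorn 22.0.0 does not pass header names containing '_' to the app by
    default, so the proxy must send 'Remote-User', never 'Remote_User'.
    Names that are not HTTP tokens at all are rejected as well."""
    return bool(_TOKEN.match(header_name)) and "_" not in header_name


def field_too_large(name: str, value: str, limit: int = DEFAULT_FIELD_LIMIT) -> bool:
    """True if the on-the-wire field line 'Name: value' exceeds the limit; a
    long group list is the usual way to get there."""
    return len(f"{name}: {value}".encode()) > limit


@dataclass(frozen=True)
class RemoteAuth:
    header: str = "HTTP_REMOTE_USER"              # NetBox REMOTE_AUTH_HEADER default
    group_header: str = "HTTP_REMOTE_USER_GROUP"  # REMOTE_AUTH_GROUP_HEADER default
    group_separator: str = "|"                    # REMOTE_AUTH_GROUP_SEPARATOR default


def build_meta(headers: Dict[str, str]) -> Dict[str, str]:
    """What gunicorn hands Django as request.META for the given request headers."""
    return {wsgi_meta_key(k): v for k, v in headers.items() if gunicorn_passes_header(k)}


def remote_identity(meta: Dict[str, str], cfg: RemoteAuth) -> Tuple[Optional[str], List[str]]:
    """Mirror of what header-based remote auth reads from META: the user name
    and the group names split on the configured separator."""
    user = meta.get(cfg.header) or None
    raw = meta.get(cfg.group_header, "")
    return user, [g for g in raw.split(cfg.group_separator) if g]


def _wire_name(meta_key: str) -> str:
    # inverse of wsgi_meta_key, e.g. 'HTTP_REMOTE_USER' -> 'Remote-User'
    return "-".join(p.capitalize() for p in meta_key[len("HTTP_"):].split("_"))


def proxy_forward(client_headers: Dict[str, str], session_user: Optional[str],
                  session_groups: List[str], cfg: RemoteAuth) -> Dict[str, str]:
    """What a correctly configured proxy must do before forwarding to the app
    port: strip any client-supplied copy of the identity headers, then set them
    from its own OIDC session (and send none for an unauthenticated client)."""
    identity_keys = {cfg.header, cfg.group_header}
    out = {k: v for k, v in client_headers.items() if wsgi_meta_key(k) not in identity_keys}
    if session_user:
        out[_wire_name(cfg.header)] = session_user
        out[_wire_name(cfg.group_header)] = cfg.group_separator.join(session_groups)
    return out


def demo() -> Tuple[Tuple[Optional[str], List[str]], Tuple[Optional[str], List[str]]]:
    """Constructed request: a client sends forged identity headers."""
    cfg = RemoteAuth()
    forged = {"Host": "mynetbox.com", "Remote-User": "admin",
              "Remote-User-Group": "netbox-admins"}
    # Path 1: the client reaches the app port directly -> the forgery is believed.
    direct = remote_identity(build_meta(forged), cfg)
    # Path 2: same request through the proxy, whose OIDC session says alice/ops.
    via_proxy = remote_identity(build_meta(proxy_forward(forged, "alice", ["ops"], cfg)), cfg)
    return direct, via_proxy
```

The first tuple `demo()` returns is the one to take away: with REMOTE_AUTH_ENABLED the identity header is trusted unconditionally, so the gunicorn port has to be bound to localhost or firewalled so that only the proxy can reach it. A local-account login is safer behind a second proxy vhost that sends no identity headers than through the bare app port.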
-
I checked the OIDC provider, and I did not like what I saw. So I instead set up OIDC on the reverse proxy and passed the user etc. to the application through it; it works great (and the apache OIDC module was designed by PingID engineers, so it is fully up to the standards).
On Wed, Jun 19, 2024 at 6:23 PM Vishnu wrote:
@aprudnev @candlerb What should be the redirect url and login url configured on the OIDC provider?
I am using the below values; whenever I click on the app created in the OIDC provider console, it again goes back to the console page, not redirecting to the netbox link.
redirect url: https://netbox.ABC.com/oauth2callback
login url: https://netbox.ABC.com/
-
Does anyone have any experience to share with integrating with a local OpenID Connect provider using the python-social-auth stuff in Netbox 3.1? Documentation appears to be minimal.
I have a local OIDC provider (Hashicorp Vault). After going through some python-social-auth source code, I reckoned I would need something like this:
First problem:
I tried installing jose inside the venv but that was a mistake; it is ancient python2 code. So I uninstalled jose and installed python-jose[cryptography] instead. Now I can get to the Netbox home page. But when I click on the "Login" button:
Backtrace:
Any clues?
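An added example, not NetBox's or python-social-auth's own code, for the group-sync question raised in the first reply: a pipeline step that turns a groups claim into Django group membership through the many-to-many manager, because Django's ORM raises a TypeError on direct assignment of a list to user.groups. It assumes the provider returns the group names in a 'groups' claim of the response object that python-social-auth passes to pipeline steps, that your NetBox version exposes SOCIAL_AUTH_PIPELINE so the step can be registered, and a hypothetical naming convention (an 'oidc:' prefix) marking which groups the IdP owns, so that groups an admin assigned locally are left alone. plan_group_sync() is pure and runs without Django; only sync_groups() touches the ORM.

```python
"""Added example: python-social-auth pipeline step for OIDC group sync.
Not NetBox's or social-core's code; the 'groups' claim name and the 'oidc:'
prefix are assumptions."""
from typing import Iterable, Optional, Set, Tuple

MANAGED_PREFIX = "oidc:"  # hypothetical: groups the IdP controls carry this prefix


def groups_from_claim(response: dict, claim: str = "groups") -> Set[str]:
    """Group names from the provider response. Accepts a list or a single
    string (some providers collapse a one-element list) and drops blanks."""
    raw = response.get(claim)
    if raw is None:
        return set()
    if isinstance(raw, str):
        raw = [raw]
    return {g.strip() for g in raw if isinstance(g, str) and g.strip()}


def plan_group_sync(claimed: Iterable[str], current: Iterable[str],
                    managed_prefix: Optional[str] = MANAGED_PREFIX) -> Tuple[Set[str], Set[str]]:
    """Return (to_add, to_remove). Only IdP-managed groups are touched, so a
    group an admin granted locally survives the next login; with
    managed_prefix=None every group is treated as IdP-managed."""
    def managed(name: str) -> bool:
        return managed_prefix is None or name.startswith(managed_prefix)

    wanted = {g for g in claimed if managed(g)}
    have = set(current)
    to_add = wanted - have
    to_remove = {g for g in have if managed(g)} - wanted
    return to_add, to_remove


def sync_groups(response, user=None, *args, **kwargs):
    """Pipeline step; social-core passes response/user as keyword arguments.
    Register it in SOCIAL_AUTH_PIPELINE after the step that creates the user."""
    if user is None:
        return None
    from django.contrib.auth.models import Group  # only needed inside Django

    to_add, to_remove = plan_group_sync(
        groups_from_claim(response),
        user.groups.values_list("name", flat=True),
    )
    for name in to_add:
        group, _ = Group.objects.get_or_create(name=name)
        user.groups.add(group)  # M2M manager; `user.groups = [...]` raises TypeError
    if to_remove:
        user.groups.remove(*Group.objects.filter(name__in=to_remove))
    return None
```

Creating missing groups with get_or_create means any name the IdP emits becomes a NetBox group; if you want NetBox to be the authority on which groups exist, replace it with Group.objects.filter(name=name).first() and skip unknown names.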