Authentication
This page describes the ways to configure authentication for CI Sense. CI Sense supports OAuth, OIDC, and password-based logins.
OAuth
To use SSO with GitHub, Bitbucket, or GitLab, create an OAuth app at the provider and pass its credentials to CI Sense.
GitHub
- Open the developer settings.
- Click Register a new application.
- For the Authorization callback URL, use https://<fuzzing_server_domain>/auth/github/callback.
- After registering the app, GitHub generates a Client ID and a Client Secret. Open /etc/cifuzz/config.env and copy these values to CIFUZZ_GITHUB_CLIENT_ID and CIFUZZ_GITHUB_CLIENT_SECRET respectively.
Bitbucket.org
- Go to Bitbucket Cloud and select the appropriate workspace.
- Click Settings.
- Under Apps and features, select OAuth consumers and click Add consumer.
- As the callback URL, use https://<fuzzing_server_domain>:<port>/auth/github/callback. The port in this step is mandatory, even if it is the default port 443.
- Under Permissions, grant the Email and Read permissions in the Account section, then save the consumer.
- Expand the section for the consumer you just created to show its Key and Secret.
- Open /etc/cifuzz/config.env and copy these values to CIFUZZ_BITBUCKET_CLIENT_ID and CIFUZZ_BITBUCKET_CLIENT_SECRET respectively.
GitLab
- Go to Preferences and click Applications.
- Choose a name and set the Redirect URI to https://<fuzzing_server_domain>/auth/github/callback.
- Enable the read_user scope.
- Click Save application and then select the app from Your applications.
- Open /etc/cifuzz/config.env and copy the Application ID and Secret to CIFUZZ_GITLAB_CLIENT_ID and CIFUZZ_GITLAB_CLIENT_SECRET respectively.
OIDC
This section describes how to set up your own OIDC provider with CI Sense.
Create an OIDC-capable app
In the OIDC provider, create an OIDC-capable app with:
- Redirect URL: <baseURL>/auth/<provider>/callback, where <baseURL> is the URL at which the CI Sense web app is reachable, for example https://cifuzz.example.com, and <provider> is a name of your choice that identifies this OIDC provider in the CI Sense web app.
- If configurable at the provider, permissions that allow reading user profile information, such as the name and email address, via OIDC.
Take note of the app's client ID and client secret; you need them below.
Configure the CI Sense server
If the OIDC provider implements the OpenID Connect Discovery spec, that is, it serves a JSON document at <issuer URL>/.well-known/openid-configuration, the setup is simpler. In that case, create the file /etc/cifuzz/oidc.yaml as:

auth:
  oidc:
    <provider>:
      id: <client ID>
      secret: <client secret>
      issuer_url: <issuer URL>

where:
- <provider> is the name you chose for the OIDC provider above.
- <client ID> and <client secret> are the client ID and secret of the app you created above.
- <issuer URL> is the base URL of the OIDC provider, for example https://gitlab.com. CI Sense fetches the endpoint URLs and signing keys from the provider's discovery document under this URL.
If the OIDC provider doesn't support OpenID Connect Discovery, add these settings to the configuration file instead:

auth:
  oidc:
    <provider>:
      id: <client ID>
      secret: <client secret>
      auth_endpoint: <auth endpoint URL>
      token_endpoint: <token endpoint URL>
      userinfo_endpoint: <UserInfo endpoint URL>
      jwks_url: <JWKS URL>

where:
- <provider> is the name you chose for the OIDC provider above.
- <client ID> and <client secret> are the client ID and secret of the app you created above.
- <auth endpoint URL> is the URL of the authorization endpoint of the OIDC provider, for example https://gitlab.com/oauth/authorize.
- <token endpoint URL> is the URL of the token endpoint of the OIDC provider, for example https://gitlab.com/oauth/token.
- <UserInfo endpoint URL> is the URL of the UserInfo endpoint of the OIDC provider, for example https://gitlab.com/oauth/userinfo. This setting is optional: if you don't specify a UserInfo endpoint, only the claims of the ID Token are used.
- <JWKS URL> is the URL of the OIDC provider's JSON Web Key Set document, for example https://gitlab.com/oauth/discovery/keys. The keys in this document are used to verify the signature of the ID Token.
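To see what the discovery-based configuration resolves to, here is an added example (it is not part of CI Sense or its documentation) that turns a provider's discovery document into the explicit oidc.yaml variant above. It applies the two checks a practitioner would want before trusting the result: the document's issuer must equal the issuer_url you intend to trust, and every endpoint must be https, since the token endpoint receives the client secret. The discovery excerpt is constructed from the gitlab.com endpoint URLs listed above; the function names and the YAML quoting are choices of this example, and a real document would be fetched from <issuer URL>/.well-known/openid-configuration.

```python
"""Added example: derive the explicit (non-discovery) CI Sense oidc.yaml block
from an OIDC discovery document. Not CI Sense code; names are this example's own."""
import json
from urllib.parse import urlsplit

# Discovery-document field -> key in the explicit oidc.yaml variant.
FIELD_MAP = {
    "authorization_endpoint": "auth_endpoint",
    "token_endpoint": "token_endpoint",
    "userinfo_endpoint": "userinfo_endpoint",
    "jwks_uri": "jwks_url",
}
# userinfo_endpoint is optional on both sides; without it only ID Token claims are used.
OPTIONAL = {"userinfo_endpoint"}


def redirect_uri(base_url: str, provider: str) -> str:
    """Redirect URL to register at the provider: <baseURL>/auth/<provider>/callback."""
    if not provider or not provider.replace("-", "").replace("_", "").isalnum():
        raise ValueError("provider name must be alphanumeric (plus '-' or '_')")
    return base_url.rstrip("/") + "/auth/" + provider + "/callback"


def discovery_url(issuer_url: str) -> str:
    """Where a discovery-capable provider publishes its metadata."""
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"


def explicit_config(issuer_url: str, client_id: str, client_secret: str,
                    discovery_json: str) -> dict:
    """Translate a discovery document into the explicit endpoint settings."""
    doc = json.loads(discovery_json)
    # OIDC Discovery requires the document's issuer to equal the issuer it was
    # fetched from. A mismatch means ID Tokens would be checked against the
    # wrong issuer, so refuse rather than guess.
    if doc.get("issuer", "").rstrip("/") != issuer_url.rstrip("/"):
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r} != {issuer_url!r}")
    cfg = {"id": client_id, "secret": client_secret}
    for disc_key, cfg_key in FIELD_MAP.items():
        value = doc.get(disc_key)
        if value is None:
            if disc_key in OPTIONAL:
                continue
            raise ValueError(f"discovery document lacks {disc_key}")
        if urlsplit(value).scheme != "https":
            # These endpoints carry the client secret and tokens; never allow plain http.
            raise ValueError(f"{disc_key} is not https: {value}")
        cfg[cfg_key] = value
    return cfg


def to_yaml(provider: str, cfg: dict) -> str:
    """Render the auth.oidc.<provider> block. Values are double-quoted so a
    secret containing ':' or '#' is not misparsed by YAML."""
    lines = ["auth:", "  oidc:", f"    {provider}:"]
    for key, value in cfg.items():
        lines.append(f"      {key}: {json.dumps(value)}")
    return "\n".join(lines) + "\n"


# Constructed excerpt of a discovery document, built from the gitlab.com endpoint
# URLs given on this page. Fetch the real one from discovery_url("https://gitlab.com").
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://gitlab.com",
    "authorization_endpoint": "https://gitlab.com/oauth/authorize",
    "token_endpoint": "https://gitlab.com/oauth/token",
    "userinfo_endpoint": "https://gitlab.com/oauth/userinfo",
    "jwks_uri": "https://gitlab.com/oauth/discovery/keys",
})

if __name__ == "__main__":
    print("register this redirect URL:", redirect_uri("https://cifuzz.example.com", "gitlab"))
    cfg = explicit_config("https://gitlab.com", "<client ID>", "<client secret>", SAMPLE_DISCOVERY)
    print(to_yaml("gitlab", cfg))
```

The provider name passed to redirect_uri and to_yaml must be the same string, because it becomes both the path segment in the redirect URL and the key under auth.oidc in oidc.yaml.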
Self-signed certificates
If you have an internal Certificate Authority, you may need to add the CA certificates to the gateway container so that it can verify the provider's TLS certificate. To do this:
- Create the directory /etc/cifuzz/compose-files.d/.
- Add a .yaml file in that directory that applies updates to the containers.
- In that file, add a volume that mounts the certificates into the gateway container:

version: "3"
services:
  gateway:
    volumes:
      - <directory_containing_certs>:<directory_to_place_certs>:ro

The :ro suffix mounts the directory read-only, so nothing running in the container can alter the set of trusted CA certificates.
Password
If you are just trying out CI Sense, it may be more convenient to use a password as the authentication method. In /etc/cifuzz/cifuzz.env, set these two options:

CIFUZZ_ENABLE_PASSWORD_LOGIN=1
DEMO_ORG_ADMIN_TOKEN=<your_password_here>

This is not the recommended authentication approach for a CI Sense instance with multiple users: everyone who logs in shares this one admin token. Choose a long random value, and treat password authentication as intended only for initial testing and setup until you are ready to configure OAuth or OIDC.