Authentication

This page describes the different ways to configure authentication to CI Sense. CI Sense supports OAuth, OIDC, and password based logins.


OAuth

To use SSO with GitHub, Bitbucket, or GitLab you need to create an OAuth app.

GitHub

  1. Open the developer settings
  2. Click Register a new application.
  3. For the Authorization callback URL, use https://<fuzzing_server_domain>/auth/github/callback.
  4. After registering the app, GitHub generates a Client ID and Client Secret. Open /etc/cifuzz/config.env and copy these values to CIFUZZ_GITHUB_CLIENT_ID and CIFUZZ_GITHUB_CLIENT_SECRET respectively.

Bitbucket.org

  1. Go to Bitbucket cloud and select the appropriate workspace
  2. Click Settings
  3. Under Apps and features, select OAuth consumers and click Add consumer.
  4. As the callback URL, use https://<fuzzing_server_domain>:<port>/auth/github/callback.
  5. Give it the email and read permissions in the Account section and then save it.
  6. Expand the section for the consumer you just created to show the Key and Secret.
  7. Open /etc/cifuzz/config.env and copy these values to CIFUZZ_BITBUCKET_CLIENT_ID and CIFUZZ_BITBUCKET_CLIENT_SECRET respectively.

Note: The port in Step 4 is mandatory, even if it's the default port 443.

GitLab

  1. Go to Preferences and click Applications.
  2. Choose a name and set the Redirect URI to https://<fuzzing_server_domain>/auth/github/callback.
  3. Enable the read_user scope.
  4. Click Save application and then select the app from Your applications.
  5. Open /etc/cifuzz/config.env and copy the Application ID and Secret to CIFUZZ_GITLAB_CLIENT_ID and CIFUZZ_GITLAB_CLIENT_SECRET respectively.

OIDC

This section describes how to set up your own OIDC provider with CI Sense.

Create an OIDC-capable app

In the OIDC provider, create an OIDC-capable app with:

  • Redirect URL: <baseURL>/auth/<provider>/callback, where:
    • <baseURL> is the URL at which the CI Sense web app is available, for example https://cifuzz.example.com.
    • <provider> is a name of your choice that identifies this OIDC provider in the CI Sense web app.
  • If configurable at the provider, permissions that allow reading user profile information, such as the name and email address, via OIDC.

Take note of the app's client ID and client secret; you need them below.

Configure the CI Sense server

If the OIDC provider implements the OpenID Connect Discovery spec, that is, it serves a JSON document at <issuer_URL>/.well-known/openid-configuration, the setup is simpler. In that case, create the file /etc/cifuzz/oidc.yaml as:

auth:
  oidc:
    <provider>:
      id: <client_id>
      secret: <client_secret>
      issuer_url: <issuer_URL>

where:

  • <provider> is the name for the OIDC provider you chose above.
  • <client_id> and <client_secret> are the client ID and secret of the app you created above.
  • <issuer_URL> is the base URL of the OIDC provider, for example https://gitlab.com.

If the OIDC provider doesn't support OpenID Connect Discovery, add these settings to the configuration file instead:

auth:
  oidc:
    <provider>:
      id: <client_id>
      secret: <client_secret>
      auth_endpoint: <auth_endpoint_URL>
      token_endpoint: <token_endpoint_URL>
      userinfo_endpoint: <userinfo_endpoint_URL>
      jwks_url: <JWKS_URL>

where:

  • <provider> is the name for the OIDC provider you chose above.
  • <client_id> and <client_secret> are the client ID and secret of the app you created above.
  • <auth_endpoint_URL> is the URL of the authorization endpoint of the OIDC provider, for example https://gitlab.com/oauth/authorize.
  • <token_endpoint_URL> is the URL of the token endpoint of the OIDC provider, for example https://gitlab.com/oauth/token.
  • <userinfo_endpoint_URL> is the URL of the UserInfo endpoint of the OIDC provider, for example https://gitlab.com/oauth/userinfo.
    • This setting is optional. If you don't specify a UserInfo endpoint, only the claims of the ID Token are used.
  • <JWKS_URL> is the URL of the OIDC provider's JSON Web Key Set document, for example https://gitlab.com/oauth/discovery/keys.
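As an added example (not CI Sense's own code), the following Python builds the auth/oidc structure of /etc/cifuzz/oidc.yaml in either of the two forms above, expanding a provider's Discovery document into the explicit-endpoint form, and rejects non-HTTPS endpoints or a document that lacks a required endpoint. The discovery document, hostnames and provider name are constructed for the example.

```python
import json
from urllib.parse import urlparse

# Constructed sample of a provider's .well-known/openid-configuration document;
# only the keys this example reads are included.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://gitlab.example.com",
  "authorization_endpoint": "https://gitlab.example.com/oauth/authorize",
  "token_endpoint": "https://gitlab.example.com/oauth/token",
  "userinfo_endpoint": "https://gitlab.example.com/oauth/userinfo",
  "jwks_uri": "https://gitlab.example.com/oauth/discovery/keys"
}""")

# Discovery document key -> key in the oidc.yaml layout shown on this page.
DISCOVERY_TO_CIFUZZ = {
    "authorization_endpoint": "auth_endpoint",
    "token_endpoint": "token_endpoint",
    "userinfo_endpoint": "userinfo_endpoint",  # optional on this page
    "jwks_uri": "jwks_url",
}

def _check_https(name, url):
    """Authorization codes and tokens must not travel over plaintext HTTP."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"{name} must be an https:// URL, got {url!r}")

def provider_config(client_id, client_secret, issuer_url=None, discovery=None):
    """Short Discovery form when issuer_url is given, else explicit endpoints."""
    cfg = {"id": client_id, "secret": client_secret}
    if issuer_url is not None:
        _check_https("issuer_url", issuer_url)
        cfg["issuer_url"] = issuer_url
        return cfg
    if discovery is None:
        raise ValueError("need either issuer_url or a discovery document")
    for src, dst in DISCOVERY_TO_CIFUZZ.items():
        if src in discovery:
            cfg[dst] = discovery[src]
            _check_https(dst, cfg[dst])
    for required in ("auth_endpoint", "token_endpoint", "jwks_url"):
        if required not in cfg:
            raise ValueError(f"discovery document lacks {required}")
    return cfg

def render_oidc_yaml(provider, cfg):
    """Emit the auth -> oidc -> <provider> nesting of /etc/cifuzz/oidc.yaml."""
    lines = ["auth:", "  oidc:", f"    {provider}:"]
    lines += [f"      {k}: {v}" for k, v in cfg.items()]
    return "\n".join(lines) + "\n"
```

In practice the discovery document would be fetched from <issuer_URL>/.well-known/openid-configuration over TLS; here it is embedded so the example runs offline.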

Self-signed certificates

If you have an internal Certificate Authority, you may need to add the CA certificates to the gateway. To do this:

  • Create the directory /etc/cifuzz/compose-files.d/.
  • Add a .yaml file in that directory that applies updates to the containers.
  • In that file, add a volume that mounts the certificates into the gateway container:

version: "3"

services:
  gateway:
    volumes:
      - <directory_containing_certs>:<directory_to_place_certs>:ro

Password

If you are just trying out CI Sense, it may be more convenient to use a password as the authentication method. In /etc/cifuzz/cifuzz.env there are two options you need to set:

  • CIFUZZ_ENABLE_PASSWORD_LOGIN=1
  • DEMO_ORG_ADMIN_TOKEN=<your_password_here>

Note: This is not the recommended authentication approach for a CI Sense instance with multiple users. Password authentication is only intended for initial testing and setup until you are ready to implement OAuth.