Authentication Strategy Consolidation & User Migration #7419
mstrhakr wants to merge 1 commit into Ylianst:master from
Conversation
…sets
- Replace passport-saml with @node-saml/passport-saml v5.x
- Add 7 OIDC presets: azure, google, okta, auth0, keycloak, github, twitter
- Add 11 SAML presets: azure, okta, onelogin, jumpcloud, auth0, keycloak, adfs, pingfederate, google, intel, generic
- Deprecate old OAuth2 strategies (azure, google, github, twitter) with migration warnings
- Deprecate old SAML strategies (intel, jumpcloud) with migration warnings
- Add group synchronization support to unified SAML strategy
- Update config schema with deprecation warnings and new preset enums
- Move old passport libraries to optionalDependencies for backward compatibility

Resolves Ylianst#4531 - Azure OAuth2 unique_name bug (migrate to OIDC with stable oid claim)

BREAKING CHANGE: User IDs will change when migrating strategies:
- Old azure: ~azure:user@domain.com -> New oidc: ~oidc:guid
- Old google: ~google:123 -> New oidc: ~oidc:123
- Old intel/jumpcloud: ~intel:/~jumpcloud: -> New saml: ~saml:

See documentation for migration guide.
Wanted to add #7394 and other related issues to tag them.
I can tell this is AI generated, but I have a few issues.
Hey si, so yea it's kinda obvious.
Yes, sorry, AI loves emoji. They will need to be normalized with the other fields; AI can do it, but this is literally one pass, no major fixes after the AI wrote what I actually wanted logically. Please forgive my sins lol
I knew it. It's been a long time since I was working in here and I literally told the AI this haha, I can remove those changes myself.
A few things. The short version is remove all legacy (some are unsupported I think) passport auth strategies and upgrade them to use two overarching strategies, OIDC and SAML. These two are the backbone of the rest already, I'm just giving us the tools. Like OIDC did in the past, SAML has presets you can use to make setup easier. The old configs work in place, the only big breaking change is migration of users to new accounts under the oidc heading with corrected uids, that means this will likely never see production. This covers migration of user accounts as they log in to the proper OIDC/SAML user IDs to fix things like the azure naming breaking under certain circumstances. I think it's super cool but won't be able to test anything but azure, I can probably test the user migration for azure also but the rest are beyond my ability to even test.
Authentication Strategy Consolidation & User Migration
Author Note
I've had this project in the back of my mind for a long time, AI allowed me to get something built. I don't believe this is without issues, but I don't have the ability to check most of these or check migrations easily. Testing and fixing this as a community is the only way it could ever be merged. Right now I see it as a starting point or inspiration for the community to get some of these features implemented.
PS: This PR was, besides this note, generated by AI. Sorry, I guess its the future or something.
Summary
Consolidates 6 disparate OAuth2/SAML strategies into 2 modern implementations (OIDC + SAML) with 18 IdP presets, runtime config auto-migration, and automatic user account migration.
Status: ⚠️ NEEDS TESTING - Framework complete, requires validation before merge
Motivation
This long-planned refactor addresses:
- unique_name instability causing duplicate accounts

AI Disclosure: Implementation framework built with GitHub Copilot assistance over one night. Design, testing requirements, and validation are manual. Not production-ready without thorough testing.
Changes
Strategy Consolidation (Breaking - Auto-Migrated)
Removed strategies (runtime auto-migration provided):
- azure, google, github, twitter → oidc with presets
- intel, jumpcloud → saml with presets

Removed dependencies:
- passport-azure-oauth2, passport-google-oauth20, passport-github2, passport-twitter, passport-saml v3.x

Added dependencies:
- @node-saml/node-saml ^5.1.0, @node-saml/passport-saml ^5.1.0

Presets Added
OIDC: azure, google, okta, auth0, keycloak, github, twitter (7 total)
SAML: azure, okta, onelogin, jumpcloud, auth0, keycloak, adfs, pingfederate, google, intel, generic (11 total)
Runtime Auto-Migration
Old configs work unchanged - automatically converted in memory with console warnings. Admins can update config files at their convenience.
User Account Migration
When users log in after auto-migration:
- Old account ID (~azure:user@example.com)
- New account ID (~oidc:guid)
- _migratedTo metadata

Login UI Updates
All 3 login pages updated with preset-specific buttons, reusing existing icons where available.
Testing
Automated: 53/53 tests passing
⚠️ REQUIRED - Need validation of:
Manual:
Files Modified
Breaking Changes
Old config format deprecated but still works via runtime auto-migration. Users automatically migrated on first login. Old accounts preserved.
Help Needed
Need testing with real IdP configurations across all 18 presets. Don't have access to all IdPs myself.
To test: check out the auth-refactor branch, test your IdP, report issues.
Rollback
Safe to revert - old configs unchanged, old user accounts preserved in database.
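The two migrations the PR description relies on, the in-memory conversion of legacy authStrategies entries to oidc/saml with a preset, and the first-login move of a user account from its legacy ID to the unified ID with the old record kept and marked with _migratedTo, are modelled below as an added example. This is illustrative code written for this page, not MeshCentral's implementation and not code from the PR; the function names, the preset field, the profile claim names (unique_name, oid, sub, nameID) and the Map used as a stand-in for the user database are assumptions. The ID mapping follows the commit message: ~azure:user@domain.com becomes ~oidc:guid, ~google:123 becomes ~oidc:123, and ~intel:/~jumpcloud: become ~saml:.

```javascript
// Added example, not MeshCentral code: a minimal model of (1) runtime
// authStrategies auto-migration and (2) first-login user account migration.
// Function names, the "preset" field, claim names and the Map "database"
// are assumptions for the illustration.

// Legacy strategy name -> unified strategy + preset, as listed in the PR.
const STRATEGY_MAP = {
  azure:     { strategy: 'oidc', preset: 'azure' },
  google:    { strategy: 'oidc', preset: 'google' },
  github:    { strategy: 'oidc', preset: 'github' },
  twitter:   { strategy: 'oidc', preset: 'twitter' },
  intel:     { strategy: 'saml', preset: 'intel' },
  jumpcloud: { strategy: 'saml', preset: 'jumpcloud' },
};

// Convert an authStrategies block in memory and collect deprecation warnings.
// A legacy entry is skipped (with a warning) when the admin already has an
// explicit oidc/saml block, so the new-style config always wins.
function migrateAuthStrategies(authStrategies) {
  const out = {};
  const warnings = [];
  for (const [name, cfg] of Object.entries(authStrategies)) {
    const target = STRATEGY_MAP[name];
    if (!target) { out[name] = cfg; continue; }           // not a legacy key
    if (authStrategies[target.strategy] || out[target.strategy]) {
      warnings.push(`authStrategies.${name} ignored: ${target.strategy} is already configured`);
      continue;
    }
    out[target.strategy] = { preset: target.preset, ...cfg };
    warnings.push(`authStrategies.${name} is deprecated; converted to ${target.strategy} ` +
                  `with preset "${target.preset}" (update the config file at your convenience)`);
  }
  return { authStrategies: out, warnings };
}

// User IDs as the legacy strategies built them. The azure one is the unstable
// unique_name claim (the Ylianst#4531 bug); SAML strategies use the NameID.
function legacyUserId(strategy, profile) {
  switch (strategy) {
    case 'azure':     return '~azure:' + profile.unique_name;
    case 'google':    return '~google:' + profile.sub;
    case 'intel':     return '~intel:' + profile.nameID;
    case 'jumpcloud': return '~jumpcloud:' + profile.nameID;
    default: throw new Error('no legacy id scheme for ' + strategy);
  }
}

// Unified IDs: ~oidc:<stable subject> (azure preset: the oid GUID) or ~saml:<NameID>.
function unifiedUserId(strategy, preset, profile) {
  if (strategy === 'oidc') return '~oidc:' + (preset === 'azure' ? profile.oid : profile.sub);
  if (strategy === 'saml') return '~saml:' + profile.nameID;
  throw new Error('unknown unified strategy ' + strategy);
}

// First-login migration. `users` maps user id -> account record. The old
// record is never deleted: it is marked with _migratedTo so later lookups can
// follow it, and the account data is copied under the new id.
function migrateUserOnLogin(users, oldId, newId) {
  const result = { oldId, newId, migrated: false, user: null };
  if (users.has(newId)) { result.user = users.get(newId); return result; }   // already migrated
  const old = users.get(oldId);
  if (!old) return result;                                 // caller creates a fresh account under newId
  if (old._migratedTo) { result.user = users.get(old._migratedTo) || null; return result; }
  const moved = { ...old, _id: newId };
  users.set(newId, moved);
  users.set(oldId, { ...old, _migratedTo: newId });        // old account preserved
  result.user = moved;
  result.migrated = true;
  return result;
}

// Resolve the account for a login that arrives through a legacy strategy name.
function resolveUser(users, legacyStrategy, profile) {
  const target = STRATEGY_MAP[legacyStrategy];
  if (!target) throw new Error('not a legacy strategy: ' + legacyStrategy);
  const oldId = legacyUserId(legacyStrategy, profile);
  const newId = unifiedUserId(target.strategy, target.preset, profile);
  return migrateUserOnLogin(users, oldId, newId);
}
```

The lookup order in migrateUserOnLogin matters for the rollback claim in the PR: because the legacy record is copied rather than renamed, reverting the change leaves every old account exactly where it was, and the _migratedTo marker is the only trace of the migration.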