From eaad696666bf6a713907a0672c0e54a4d2ec8507 Mon Sep 17 00:00:00 2001
From: "Skye A. Fugate"
Date: Thu, 3 Jul 2025 13:12:52 -0500
Subject: [PATCH 1/2] feat: add SSO environment variable support for OKTA and Google OAuth2

Add native support for SSO configuration through environment variables and Docker secrets, eliminating the need to modify configuration.py for common SSO providers.

Changes:
- Add OKTA OpenID Connect configuration variables:
 - SOCIAL_AUTH_OKTA_OPENIDCONNECT_KEY (env var)
 - SOCIAL_AUTH_OKTA_OPENIDCONNECT_SECRET (env var + Docker secret: okta_openidconnect_secret)
 - SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL (env var)
- Add Google OAuth2 configuration variables:
 - SOCIAL_AUTH_GOOGLE_OAUTH2_KEY (env var)
 - SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET (env var + Docker secret: google_oauth2_secret)

Follows existing patterns with _read_secret() for sensitive data and environ.get() for non-sensitive configuration.

Resolves: netbox-community/netbox-docker#1139
---
 configuration/configuration.py | 6 ++++++
 docker-compose.override.yml.example | 8 +++++++-
 env/netbox.env | 8 ++++++++
 3 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/configuration/configuration.py b/configuration/configuration.py
index 577c3f4..4af0fed 100644
--- a/configuration/configuration.py
+++ b/configuration/configuration.py
@@ -303,6 +303,12 @@ REMOTE_AUTH_SUPERUSER_GROUPS = _environ_get_and_map('REMOTE_AUTH_SUPERUSER_GROUP
 REMOTE_AUTH_SUPERUSERS = _environ_get_and_map('REMOTE_AUTH_SUPERUSERS', '', _AS_LIST)
 REMOTE_AUTH_STAFF_GROUPS = _environ_get_and_map('REMOTE_AUTH_STAFF_GROUPS', '', _AS_LIST)
 REMOTE_AUTH_STAFF_USERS = _environ_get_and_map('REMOTE_AUTH_STAFF_USERS', '', _AS_LIST)
+# SSO Configuration
+SOCIAL_AUTH_OKTA_OPENIDCONNECT_KEY = environ.get('SOCIAL_AUTH_OKTA_OPENIDCONNECT_KEY')
+SOCIAL_AUTH_OKTA_OPENIDCONNECT_SECRET = _read_secret('okta_openidconnect_secret', environ.get('SOCIAL_AUTH_OKTA_OPENIDCONNECT_SECRET', ''))
+SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL = environ.get('SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL')
+SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = environ.get('SOCIAL_AUTH_GOOGLE_OAUTH2_KEY')
+SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET = _read_secret('google_oauth2_secret', environ.get('SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET', ''))
 # This repository is used to check whether there is a new release of NetBox available. Set to None to disable the
 # version check or use the URL below to check for release in the official NetBox repository.
diff --git a/docker-compose.override.yml.example b/docker-compose.override.yml.example
index d7ef961..7ab69da 100644
--- a/docker-compose.override.yml.example
+++ b/docker-compose.override.yml.example
@@ -19,4 +19,10 @@ services:
 # SUPERUSER_EMAIL: ""
 # SUPERUSER_NAME: ""
 # SUPERUSER_PASSWORD: ""
-
+ # SSO Configuration
+ # SOCIAL_AUTH_OKTA_OPENIDCONNECT_KEY: "your_okta_client_id"
+ # SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL: "https://your-domain.okta.com"
+ # SOCIAL_AUTH_GOOGLE_OAUTH2_KEY: "your_google_client_id"
+ # secrets:
+ # - okta_openidconnect_secret
+ # - google_oauth2_secret
\ No newline at end of file
diff --git a/env/netbox.env b/env/netbox.env
index ca22549..f5c13e4 100644
--- a/env/netbox.env
+++ b/env/netbox.env
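Review bot: `SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL` in the configuration/configuration.py hunk is taken from the environment as-is, with no check that it is an `https://` URL, and the two `*_SECRET` settings fall back to `''` while `*_KEY` and `*_API_URL` fall back to `None`, so a half-configured provider is not noticed when the settings load. The OIDC endpoints are presumably derived from this URL, so a plain-http or mistyped value would send the client secret and tokens somewhere unintended without any startup error. I would state the expectation above the block, e.g. `# API_URL must be the https:// base URL of the Okta org; supply the client secrets via the Docker secret files where possible.`, and consider dropping the `''` default so an unset secret is `None` like the key. How `_read_secret()` orders the secret file against the env fallback is not visible in this hunk, so that precedence should be confirmed and documented in the same comment.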
@@ -31,4 +31,12 @@ REDIS_SSL=false
 RELEASE_CHECK_URL=https://api.github.com/repos/netbox-community/netbox/releases
 SECRET_KEY='r(m)9nLGnz$(_q3N4z1k(EFsMCjjjzx08x9VhNVcfd%6RF#r!6DE@+V5Zk2X'
 SKIP_SUPERUSER=true
+# SSO Configuration (uncomment and configure as needed)
+# OKTA OpenID Connect
+# SOCIAL_AUTH_OKTA_OPENIDCONNECT_KEY=your_okta_client_id
+# SOCIAL_AUTH_OKTA_OPENIDCONNECT_SECRET=your_okta_client_secret
+# SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL=https://your-domain.okta.com
+# Google OAuth2
+# SOCIAL_AUTH_GOOGLE_OAUTH2_KEY=your_google_client_id
+# SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET=your_google_client_secret
 WEBHOOKS_ENABLED=true
From 39d2b726af353c1036acc1fc57960f6093e796a6 Mon Sep 17 00:00:00 2001
From: "Skye A. Fugate"
Date: Thu, 3 Jul 2025 13:18:34 -0500
Subject: [PATCH 2/2] Secrets example

---
 docker-compose.override.yml.example | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/docker-compose.override.yml.example b/docker-compose.override.yml.example
index 7ab69da..aea9c1c 100644
--- a/docker-compose.override.yml.example
+++ b/docker-compose.override.yml.example
@@ -25,4 +25,11 @@ services:
 # SOCIAL_AUTH_GOOGLE_OAUTH2_KEY: "your_google_client_id"
 # secrets:
 # - okta_openidconnect_secret
- # - google_oauth2_secret
\ No newline at end of file
+ # - google_oauth2_secret
+
+# Uncomment to use Docker secrets for SSO credentials
+# secrets:
+# okta_openidconnect_secret:
+# file: ./secrets/okta_secret.txt
+# google_oauth2_secret:
+# file: ./secrets/google_secret.txt
\ No newline at end of file
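Review bot: The two commented `*_SECRET=` placeholders in the env/netbox.env hunk invite operators to put the OAuth client secrets into an env file, where they end up in the container environment and are readable by anything that can inspect the container or its process environment. The same patch adds Docker secrets (`okta_openidconnect_secret`, `google_oauth2_secret`) for exactly these values, so the example should point there instead. I would replace the two placeholder lines with `# Client secrets: provide okta_openidconnect_secret / google_oauth2_secret as Docker secrets (see docker-compose.override.yml.example) instead of setting *_SECRET here.`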
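Review bot: The example paths `./secrets/okta_secret.txt` and `./secrets/google_secret.txt` in the PATCH 2/2 hunk sit inside the project directory, and nothing in this patch shows that `secrets/` is excluded from version control or has restricted permissions. A comment next to the block would help, e.g. `# Keep ./secrets/ out of version control and readable only by the deploying user (chmod 600).` The per-service `secrets:` list earlier in the file must be uncommented together with this top-level block, which is worth saying in the same comment. The file also still ends without a trailing newline.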