From eaad696666bf6a713907a0672c0e54a4d2ec8507 Mon Sep 17 00:00:00 2001
From: "Skye A. Fugate"
Date: Thu, 3 Jul 2025 13:12:52 -0500
Subject: [PATCH 1/2] feat: add SSO environment variable support for OKTA and Google OAuth2

Add native support for SSO configuration through environment variables and Docker secrets, eliminating the need to modify configuration.py for common SSO providers. Changes: - Add OKTA OpenID Connect configuration variables: - SOCIAL_AUTH_OKTA_OPENIDCONNECT_KEY (env var) - SOCIAL_AUTH_OKTA_OPENIDCONNECT_SECRET (env var + Docker secret: okta_openidconnect_secret) - SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL (env var) - Add Google OAuth2 configuration variables: - SOCIAL_AUTH_GOOGLE_OAUTH2_KEY (env var) - SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET (env var + Docker secret: google_oauth2_secret) Follows existing patterns with _read_secret() for sensitive data and environ.get() for non-sensitive configuration. Resolves: netbox-community/netbox-docker#1139
---
 configuration/configuration.py | 6 ++++++
 docker-compose.override.yml.example | 8 +++++++-
 env/netbox.env | 8 ++++++++
 3 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/configuration/configuration.py b/configuration/configuration.py
index 577c3f4f3..4af0fedaf 100644
--- a/configuration/configuration.py
+++ b/configuration/configuration.py
@@ -303,6 +303,12 @@ def _environ_get_and_map(variable_name: str, default: str | None = None, map_fn:
 REMOTE_AUTH_SUPERUSERS = _environ_get_and_map('REMOTE_AUTH_SUPERUSERS', '', _AS_LIST)
 REMOTE_AUTH_STAFF_GROUPS = _environ_get_and_map('REMOTE_AUTH_STAFF_GROUPS', '', _AS_LIST)
 REMOTE_AUTH_STAFF_USERS = _environ_get_and_map('REMOTE_AUTH_STAFF_USERS', '', _AS_LIST)
+# SSO Configuration
+SOCIAL_AUTH_OKTA_OPENIDCONNECT_KEY = environ.get('SOCIAL_AUTH_OKTA_OPENIDCONNECT_KEY')
+SOCIAL_AUTH_OKTA_OPENIDCONNECT_SECRET = _read_secret('okta_openidconnect_secret', environ.get('SOCIAL_AUTH_OKTA_OPENIDCONNECT_SECRET', ''))
+SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL = environ.get('SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL')
+SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = environ.get('SOCIAL_AUTH_GOOGLE_OAUTH2_KEY')
+SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET = _read_secret('google_oauth2_secret', environ.get('SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET', ''))
 
 # This repository is used to check whether there is a new release of NetBox available. Set to None to disable the
 # version check or use the URL below to check for release in the official NetBox repository.
diff --git a/docker-compose.override.yml.example b/docker-compose.override.yml.example
index d7ef96167..7ab69da1d 100644
--- a/docker-compose.override.yml.example
+++ b/docker-compose.override.yml.example
@@ -19,4 +19,10 @@ services:
 # SUPERUSER_EMAIL: ""
 # SUPERUSER_NAME: ""
 # SUPERUSER_PASSWORD: ""
-
+ # SSO Configuration
+ # SOCIAL_AUTH_OKTA_OPENIDCONNECT_KEY: "your_okta_client_id"
+ # SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL: "https://your-domain.okta.com"
+ # SOCIAL_AUTH_GOOGLE_OAUTH2_KEY: "your_google_client_id"
+ # secrets:
+ # - okta_openidconnect_secret
+ # - google_oauth2_secret
\ No newline at end of file
diff --git a/env/netbox.env b/env/netbox.env
index ca2254917..f5c13e47f 100644
--- a/env/netbox.env
+++ b/env/netbox.env
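Review bot: The five added `SOCIAL_AUTH_*` assignments are evaluated unconditionally, but nothing in the block tells a reader that they stay inert until the backend-selecting setting (`REMOTE_AUTH_BACKEND`, presumably defined earlier in this file, outside the hunk) names the matching social-core backend, so the bare `# SSO Configuration` comment should say so. The two `_SECRET` lines also behave differently from `_KEY`/`_API_URL`: they pass `environ.get(..., '')` into `_read_secret`, so an unconfigured secret ends up as `''` while an unconfigured key stays `None`; if `_read_secret` (defined outside the hunk) reads the Docker secret file first and falls back to its second argument, as its call shape suggests, that precedence belongs in the comment too. Suggested replacement for the comment line: `# SSO (python-social-auth) credentials. Only used when REMOTE_AUTH_BACKEND selects the matching backend; each *_SECRET is taken from the Docker secret file first and falls back to the environment variable.`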
@@ -31,4 +31,12 @@ REDIS_SSL=false
 RELEASE_CHECK_URL=https://api.github.com/repos/netbox-community/netbox/releases
 SECRET_KEY='r(m)9nLGnz$(_q3N4z1k(EFsMCjjjzx08x9VhNVcfd%6RF#r!6DE@+V5Zk2X'
 SKIP_SUPERUSER=true
+# SSO Configuration (uncomment and configure as needed)
+# OKTA OpenID Connect
+# SOCIAL_AUTH_OKTA_OPENIDCONNECT_KEY=your_okta_client_id
+# SOCIAL_AUTH_OKTA_OPENIDCONNECT_SECRET=your_okta_client_secret
+# SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL=https://your-domain.okta.com
+# Google OAuth2
+# SOCIAL_AUTH_GOOGLE_OAUTH2_KEY=your_google_client_id
+# SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET=your_google_client_secret
 WEBHOOKS_ENABLED=true

From 39d2b726af353c1036acc1fc57960f6093e796a6 Mon Sep 17 00:00:00 2001
From: "Skye A. Fugate"
Date: Thu, 3 Jul 2025 13:18:34 -0500
Subject: [PATCH 2/2] Secrets example

---
 docker-compose.override.yml.example | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/docker-compose.override.yml.example b/docker-compose.override.yml.example
index 7ab69da1d..aea9c1c6d 100644
--- a/docker-compose.override.yml.example
+++ b/docker-compose.override.yml.example
@@ -25,4 +25,11 @@ services:
 # SOCIAL_AUTH_GOOGLE_OAUTH2_KEY: "your_google_client_id"
 # secrets:
 # - okta_openidconnect_secret
- # - google_oauth2_secret
\ No newline at end of file
+ # - google_oauth2_secret
+
+# Uncomment to use Docker secrets for SSO credentials
+# secrets:
+# okta_openidconnect_secret:
+# file: ./secrets/okta_secret.txt
+# google_oauth2_secret:
+# file: ./secrets/google_secret.txt
\ No newline at end of file
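Review bot: The placeholder `SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL=https://your-domain.okta.com` may steer operators to a non-working value: as far as I recall, the social-core Okta backend expects the authorization-server base URL (normally ending in `/oauth2`) rather than the bare org domain, so the example should be checked against the backend's documentation before it ships. The two `*_SECRET=` placeholders are also offered only as env-file entries, even though this same patch adds Docker-secret equivalents in configuration.py; since every line of this file is injected verbatim into the container environment, the comment block should point readers to the file-based alternative, e.g. `# The *_SECRET values can instead be supplied as Docker secrets (okta_openidconnect_secret / google_oauth2_secret); see docker-compose.override.yml.example.`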
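Review bot: The top-level `secrets:` example references `./secrets/okta_secret.txt` and `./secrets/google_secret.txt` without saying what the files must contain or that they must exist before the stack is started; a line above `# secrets:` such as `# Each file holds only the raw client secret; create ./secrets/ locally and keep it out of version control` would close that gap. Whether a trailing newline inside those files is stripped depends on `_read_secret` in configuration.py, which this commit does not touch, so either verify it or leave it unstated rather than guess in the comment. The file still ends without a trailing newline (the `\ No newline at end of file` marker survives on the new side), which this second commit could have fixed since it already rewrites the last line.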