Generic OIDC provider #337
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Mirror repositories store metadata and zipballs on the local filesystem, which prevents running Packeton in stateless container deployments. When using S3 for regular package storage (`STORAGE_SOURCE=s3`), the `/data` directory still accumulates mirror data that cannot be shared across replicas. This change extends the existing Flysystem-based S3 storage abstraction to mirror repositories. Both metadata (packages.json, provider includes, package JSON files) and distribution archives are now stored in S3 when configured. For zipball storage, hash-based path sharding is implemented to optimize S3 performance. S3 partitions data by key prefix, so distributing files across prefixes like `ab/cd/...` prevents hot spots when mirroring large repositories like packagist.org. Local caching is optional and configurable via `MIRROR_METADATA_CACHE_DIR` and `MIRROR_DIST_CACHE_DIR` environment variables. When empty, all operations go directly to S3 for fully stateless operation. When set to `/tmp` paths, ephemeral caching improves read performance while maintaining statelessness across container restarts. The streaming fallback in `MirrorController` handles cases where local cache writes fail, ensuring zipball downloads still work by streaming directly from S3.
Author
|
@wimwenigerkind Hey, here is reimplementation of your PR. I'm adding a support for Authentik OIDC, but that would work for any provider. |
Packeton currently supports a predefined list of OAuth providers (GitHub, GitLab, Gitea, Bitbucket, Google). Organizations using identity providers like Authentik, Keycloak, Azure AD, or Okta cannot integrate without writing custom code. This adds a generic OIDC provider that leverages OpenID Connect Discovery to automatically configure endpoints from the issuer URL. The provider: - Fetches and caches OIDC discovery metadata (.well-known/openid-configuration) - Supports configurable claim mapping for non-standard providers - Maps OIDC groups/roles claims directly to Packeton roles, providing a simpler alternative to login_control_expression for role assignment - Falls back to default_roles when no role mapping matches The role mapping feature addresses a common need where organizations want to assign Packeton roles based on IdP group membership. Users in 'packeton-admins' group can automatically receive ROLE_ADMIN, for example. This is a login-only provider following the Google provider pattern, as repository synchronization requires provider-specific APIs.
For a container environment we can use ServiceAccount annotation to pass assumed role credentials. Underlying package AsyncAWS already supports it. TO make it easier for newcomers, I'm adding an explicit doc.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Packeton currently supports a predefined list of OAuth providers (GitHub,
GitLab, Gitea, Bitbucket, Google). Organizations using identity providers
like Authentik, Keycloak, Azure AD, or Okta cannot integrate without
writing custom code.
This adds a generic OIDC provider that leverages OpenID Connect Discovery
to automatically configure endpoints from the issuer URL. The provider:
simpler alternative to login_control_expression for role assignment
The role mapping feature addresses a common need where organizations want
to assign Packeton roles based on IdP group membership. Users in 'packeton-admins'
group can automatically receive ROLE_ADMIN, for example.
This is a login-only provider following the Google provider pattern,
as repository synchronization requires provider-specific APIs.
As suggested in #323 (comment)