Files
hermes-agent/plugins/dashboard_auth/self_hosted/plugin.yaml

9 lines
804 B
YAML
Raw Normal View History

feat(dashboard-auth): add generic self-hosted OIDC provider Adds a bundled dashboard-auth provider plugin that authenticates the web dashboard against any conformant self-hosted OpenID Connect server (Authentik, Keycloak, Zitadel, Authelia, Auth0, Okta, Google, …) using standard OIDC — no per-IDP code. It's a pure drop-in plugin implementing the DashboardAuthProvider protocol; it touches no core auth/runtime/login paths. Mechanics: - OIDC discovery from {issuer}/.well-known/openid-configuration (cached; issuer pinned; endpoints required HTTPS, loopback http allowed for local-dev IDPs) - authorization-code + PKCE (S256), public client - verifies the OIDC ID token (RS256/ES256) against the discovered jwks_uri with iss/aud pinned to the configured issuer/client_id, and maps standard claims (sub/email/name/preferred_username, groups→org) onto a Session - standard refresh_token grant for silent re-auth; RFC 7009 revocation on logout when advertised Verifies the ID token (not the access token) because OIDC guarantees the ID token is a signed JWT carrying identity, while access-token format is opaque to the client per spec — the only universally-correct choice across self-hosted IDPs. Config via dashboard.oauth.self_hosted.{issuer,client_id,scopes} in config.yaml or HERMES_DASHBOARD_OIDC_{ISSUER,CLIENT_ID,SCOPES} env vars (env-wins-config, empty-is-unset — same convention as the nous plugin). Confidential clients (client_secret) left as a documented TODO seam. Docs: adds a Self-hosted OIDC section to the web-dashboard guide, including a copy-paste Keycloak worked example (realm import + docker run + dashboard wiring + login walkthrough). Tests: 65 cases covering construction, discovery (incl. issuer mismatch + https enforcement), start_login/PKCE, complete_login, ID token verification, refresh/revoke, and env/config precedence.
2026-06-04 17:02:01 +10:00
name: self-hosted
version: 1.0.0
description: "Dashboard auth provider — generic self-hosted OpenID Connect (authorization-code + PKCE, public client). Works against any conformant OIDC identity provider (Authentik, Keycloak, Zitadel, Authelia, Auth0, Okta, Google, …) via OIDC discovery. Auto-activates when an issuer + client_id are configured, either under dashboard.oauth.self_hosted.{issuer,client_id} in config.yaml (canonical surface) or via the HERMES_DASHBOARD_OIDC_ISSUER + HERMES_DASHBOARD_OIDC_CLIENT_ID env vars (operator override / secret injection). Scopes default to 'openid profile email'. Verifies the OIDC ID token (RS256/ES256) against the discovered jwks_uri."
author: NousResearch
kind: backend
requires_env:
- HERMES_DASHBOARD_OIDC_ISSUER
- HERMES_DASHBOARD_OIDC_CLIENT_ID