OpenID Connect login as second method

MANIFEST.in

@@ -1,4 +1,4 @@
-include AUTHORS LICENSE NOTICE pycroft/model/alembic.ini web/default_config.toml
+include AUTHORS LICENSE NOTICE pycroft/model/alembic.ini web/default_config.toml web/client_secrets.json
 recursive-include pycroft/templates/ *
 recursive-include pycroft/helpers/printing/assets *
 recursive-include pycroft/messages *.mo *.po *.pot

docker-compose.base.yml

@@ -47,6 +47,11 @@ services:
       # alternative: `scripts.server_run:prepare_server(echo=True)`
       FLASK_APP: scripts.server_run:prepare_server
       FLASK_ENV: development
+      # OIDC Authentication
+      OIDC_CLIENT_SECRETS: 'web/client_secrets.json'
+      OIDC_SCOPES: 'openid email profile'
+      OIDC_INTROSPECTION_AUTH_METHOD: 'client_secret_post'
+      OIDC_ENABLED: true
   dev:
     extends: dev-base
     volumes:

pycroft/model/user.py

@@ -45,6 +45,7 @@
     validates,
     Mapped,
     mapped_column,
+    Session,
 )
 from sqlalchemy.orm.attributes import flag_modified
 from sqlalchemy.orm.collections import attribute_keyed_dict
@@ -395,6 +396,10 @@ def wifi_password(self, value):
     def has_wifi_access(self):
         return self.wifi_passwd_hash is not None
 
+    @staticmethod
+    def get(login: str, session: Session) -> User | None:
+        return session.scalar(select(User).where(User.login == login))
+
     @staticmethod
     def verify_and_get(login: str, plaintext_password: str) -> User | None:
         try:

pyproject.toml

@@ -40,6 +40,7 @@ dependencies = [
     "Flask-Login ~= 0.6.2",
     "Flask-RESTful ~= 0.3.7",
     "Flask-WTF ~= 1.1.1",
+    "Flask-OIDC ~= 2.4.0",
     "GitPython ~= 3.1.43",
     "netaddr ~= 1.3.0",
     "Jinja2 ~= 3.1.4",

tests/frontend/user/test_oidc_login.py

@@ -0,0 +1,35 @@
+#  Copyright (c) 2026. The Pycroft Authors. See the AUTHORS file.
+#  This file is part of the Pycroft project and licensed under the terms of
+#  the Apache License, Version 2.0. See the LICENSE file for details
+
+import pytest
+from flask import url_for
+from sqlalchemy.orm import Session
+
+from tests.factories import UserFactory
+from tests.frontend.assertions import TestClient
+
+
+@pytest.fixture(scope="module")
+def client(module_test_client: TestClient) -> TestClient:
+    return module_test_client
+
+
+@pytest.mark.usefixtures("session")
+class TestUserOidcLogin:
+    @pytest.fixture(scope="class")
+    def user(self, class_session: Session):
+        user = UserFactory(
+            login="oidc",
+        )
+        class_session.flush()
+        return user
+
+    def test_oidc_login(self, client: TestClient, app, user):
+        app.config["OIDC_ENABLED"] = False
+        client.assert_ok("login.login")
+        app.config["OIDC_TESTING_PROFILE"] = {"email": "email", "preferred_username": "oidc"}
+        with client.flashes_message("Erfolgreich angemeldet.", category="success"):
+            response = client.get(url_for("login.login"))
+            assert response.status_code == 302
+            assert response.location == url_for("user.overview")

tests/model/test_user.py

@@ -17,6 +17,10 @@ class Test_User_Passwords:
     def user(self, class_session):
         return factories.UserFactory()
 
+    def test_get(self, user, session):
+        assert User.get(user.login, session) == user
+        assert User.get(user.login + "_wrong", session) is None
+
     def test_password_hash_validator(self, user, session):
         password = generate_password(4)
         pw_hash = hash_password(password)

web/app.py

@@ -42,7 +42,7 @@
     mpskclient,
 )
 
-from .blueprints.login import login_manager
+from .blueprints.login import oidc, login_manager
 from .commands import register_commands
 from .templates import page_resources
 
@@ -67,14 +67,20 @@ class PycroftFlask(Flask):
     def __init__(self, *a: t.Any, **kw: t.Any) -> None:
         super().__init__(*a, **kw)
         # config keys to support:
-        self.maybe_add_config_from_env([
-            'PYCROFT_API_KEY',
-            'HADES_CELERY_APP_NAME',
-            'HADES_BROKER_URI',
-            'HADES_RESULT_BACKEND_URI',
-            'HADES_TIMEOUT',
-            'HADES_ROUTING_KEY',
-        ])
+        self.maybe_add_config_from_env(
+            [
+                "PYCROFT_API_KEY",
+                "HADES_CELERY_APP_NAME",
+                "HADES_BROKER_URI",
+                "HADES_RESULT_BACKEND_URI",
+                "HADES_TIMEOUT",
+                "HADES_ROUTING_KEY",
+                "OIDC_CLIENT_SECRETS",
+                "OIDC_SCOPES",
+                "OIDC_INTROSPECTION_AUTH_METHOD",
+                "OIDC_ENABLED",
+            ]
+        )
 
     def maybe_add_config_from_env(self, keys: t.Iterable[str]) -> None:
         """Write keys from the environment to the app's config
@@ -98,6 +104,7 @@ def make_app(hades_logs: bool = True) -> PycroftFlask:
 
     # initialization code
     login_manager.init_app(app)
+    oidc.init_app(app, prefix="/oidc")
     app.register_blueprint(user.bp, url_prefix="/user")
     app.register_blueprint(facilities.bp, url_prefix="/facilities")
     app.register_blueprint(infrastructure.bp, url_prefix="/infrastructure")
@@ -187,6 +194,7 @@ def require_login() -> ResponseReturnValue | None:
             "login",
             "api",
             "health",
+            "oidc_auth",
             None,
         ):
             lm = t.cast(LoginManager, current_app.login_manager)  # type: ignore[attr-defined]

web/blueprints/login/__init__.py

@@ -13,10 +13,12 @@
 import typing as t
 
 from flask import Blueprint, render_template, flash, redirect, url_for, request
+from flask import session as flask_session
 from flask.typing import ResponseValue
 from flask_login import (
     AnonymousUserMixin, LoginManager, current_user, login_required, login_user,
     logout_user)
+from flask_oidc import OpenIDConnect
 
 from pycroft.model.session import session
 from pycroft.model.user import User
@@ -30,6 +32,8 @@ class AnonymousUser(AnonymousUserMixin):
     current_properties_set: t.Container[str] = frozenset()
 
 
+oidc = OpenIDConnect()
+
 login_manager = LoginManager()
 login_manager.anonymous_user = AnonymousUser
 login_manager.login_view = "login.login"
@@ -54,12 +58,22 @@ def login() -> ResponseValue:
             flash("Erfolgreich angemeldet.", "success")
             return redirect(request.args.get("next") or url_for("user.overview"))
         flash("Benutzername und/oder Passwort falsch", "error")
+    if oidc.user_loggedin:
+        info = flask_session["oidc_auth_profile"]
+        username = info.get("pycroft_login", info.get("preferred_username", None))
+        user = User.get(username, session)
+        if info is not None and username is not None and user is not None:
+            login_user(user)
+            flash("Erfolgreich angemeldet.", "success")
+            return redirect(request.args.get("next") or url_for("user.overview"))
     return render_template("login/login.html", form=form, next=request.args.get("next"))
 
 
 @bp.route("/logout")
 @login_required
 def logout() -> ResponseValue:
+    if oidc.user_loggedin:
+        return redirect(url_for("oidc_auth.logout", next=url_for("login.logout")))
     logout_user()
     flash("Sie sind jetzt abgemeldet!", "info")
     return redirect(url_for(".login"))

web/client_secrets.json

@@ -0,0 +1,7 @@
+{
+    "web": {
+        "issuer": "http://localhost:8080/realms/internal",
+        "client_id": "pycroft",
+        "client_secret": "lirumlarum loeffelstiel wer das liest der weiss zu viel"
+    }
+}

web/templates/login/login.html

@@ -13,4 +13,6 @@ <h1>Anmelden</h1>
 {% endblock %}
 {% block single_row_content %}
     {{ forms.simple_form(form, url_for(".login", next=next), url_for('facilities.overview'), submit_text="Login"  ) }}
+  <hr/>
+  <a href="{{ url_for('oidc_auth.login') }}">OpenID Connect</a>
 {% endblock %}