
SSO support : pro-Connect integration for Playground authentication #843

@leoguillaume

Description


Context - why is this issue relevant?

The Playground currently lacks a standardized authentication mechanism. Pro-Connect is the official French public sector identity provider and its integration would align the Playground with the authentication standards expected for public administration tools. Prioritizing this work is necessary to unblock users who need a secure and compliant way to authenticate.

Objective – what is the aim of this issue?

Define and kick off the implementation roadmap for integrating Pro-Connect as the authentication solution for the Playground, making it the priority authentication workstream.

Be careful, do we want to open the Playground to everyone in the administration who has access to Pro-Connect? I think we still need to keep an eye on who gets access.

Expected outcomes – what do we expect at the end of this issue?

Outcomes

  • Pro-Connect is integrated as the authentication method for the Playground.
  • Users can log in to the Playground using their Pro-Connect identity.
  • Any previous or temporary authentication mechanism is replaced or deprecated accordingly.

Acceptance criteria

  • A user with a valid Pro-Connect account can successfully authenticate to the Playground.
  • Unauthorized users are correctly rejected.
  • The integration follows Pro-Connect's official documentation and security requirements.
  • The implementation is tested and validated in a staging environment before production rollout.

Configuration

  • Add the following settings to config.yml:

```yaml
playground_opengatellm_url: ${OPENGATELLM_URL:-http://localhost:8000}
playground_sso_enabled: True
playground_sso_opengatellm_default_role_id: 2
playground_sso_opengatellm_admin_api_key: ${SSO_OPENGATELLM_ADMIN_API_KEY}
```
  • Replace the API and Playground services with the following services and an oauth2-proxy in compose.yml:

```yaml
name: opengatellm

services:
  api:
    build:
      context: .
      dockerfile: api/Dockerfile
    restart: always
    env_file: .env
    ports:
      - "${API_PORT:-8000}:8000"
    volumes:
      - "${CONFIG_FILE:-./config.yml}:/config.yml:ro" # outside the container, do not change this line
    depends_on:
      redis:
        condition: service_healthy
      postgres:
        condition: service_healthy
      elasticsearch:
        condition: service_healthy

  playground:
    build:
      context: .
      dockerfile: playground/Dockerfile
      args:
        - CONFIG_FILE=${CONFIG_FILE:-./config.yml}
        - REFLEX_BACKEND_URL=${PLAYGROUND_PUBLIC_URL:-http://localhost:${OAUTH2_PROXY_PORT:-4180}}
        - REFLEX_FRONTEND_URL=${PLAYGROUND_PUBLIC_URL:-http://localhost:${OAUTH2_PROXY_PORT:-4180}}
    environment:
      - "OPENGATELLM_URL=${OPENGATELLM_URL:-http://api:8000}"
      - "SSO_OPENGATELLM_ADMIN_API_KEY=${SSO_OPENGATELLM_ADMIN_API_KEY}"
      - "REDIS_HOST=redis"
      - "REDIS_PORT=${REDIS_PORT:-6379}"
    ports:
      - "${PLAYGROUND_PORT:-8501}:8501"
    volumes:
      - "./${CONFIG_FILE:-config.yml}:/config.yml:ro"
    healthcheck:
      test: [ "CMD-SHELL", "curl -sf http://localhost:8501/ping || exit 1" ]
      interval: 5s
      timeout: 5s
      retries: 10
      start_period: 30s
    depends_on:
      redis:
        condition: service_healthy
      postgres:
        condition: service_healthy

  oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.2
    profiles: ["proconnect"]
    command: --config /oauth2-proxy.cfg
    ports:
      - "${OAUTH2_PROXY_PORT:-4180}:4180"
    volumes:
      - "./oauth2-proxy.cfg:/oauth2-proxy.cfg:ro"
    environment:
      - "OAUTH2_PROXY_CLIENT_ID=${PROCONNECT_CLIENT_ID}"
      - "OAUTH2_PROXY_CLIENT_SECRET=${PROCONNECT_CLIENT_SECRET}"
      - "OAUTH2_PROXY_COOKIE_SECRET=${OAUTH2_PROXY_COOKIE_SECRET}"
    depends_on:
      playground:
        condition: service_healthy

  postgres:
    image: postgres:16.5
    restart: always
    user: postgres
    environment:
      - "POSTGRES_USER=${POSTGRES_USER:-postgres}"
      - "POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-changeme}"
      - "POSTGRES_DB=postgres"
    ports:
      - "${POSTGRES_PORT:-5432}:5432"
    volumes:
      - postgres:/var/lib/postgresql/data
    healthcheck:
      test: [ "CMD-SHELL", "pg_isready", "-U", "postgres" ]
      interval: 4s
      timeout: 10s
      retries: 5
      start_period: 60s

  redis:
    image: redis/redis-stack-server:7.4.0-v7
    restart: always
    environment:
      REDIS_ARGS: "--dir /data --requirepass ${REDIS_PASSWORD:-changeme} --user ${REDIS_USER:-redis} on >password ~* allcommands --save 60 1 --appendonly yes"
    ports:
      - "${REDIS_PORT:-6379}:6379"
    volumes:
      - redis:/data
    healthcheck:
      test: [ "CMD", "redis-cli", "--raw", "incr", "ping" ]
      interval: 4s
      timeout: 10s
      retries: 5
      start_period: 60s

  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:9.0.2
    restart: always
    ports:
      - "${ELASTICSEARCH_PORT:-9200}:9200"
    environment:
      - discovery.type=single-node
      - xpack.security.enabled=false
      - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
      - "ELASTIC_USERNAME=elasticsearch"
      - "ELASTIC_PASSWORD=changeme"
    volumes:
      - elasticsearch:/usr/share/elasticsearch/data
    healthcheck:
      test: [ "CMD-SHELL", "bash", "-c", ":> /dev/tcp/127.0.0.1/9200" ]
      interval: 4s
      timeout: 10s
      retries: 5
      start_period: 60s

volumes:
  elasticsearch:
  postgres:
  redis:
```
  • Add the following variables to .env:

```
PROCONNECT_CLIENT_ID=557aea...
PROCONNECT_CLIENT_SECRET=868...
OAUTH2_PROXY_COOKIE_SECRET=dpUIcF...
OAUTH2_PROXY_PORT=4180
SSO_OPENGATELLM_ADMIN_API_KEY=sk-eyJhbG...
```

Retrieve PROCONNECT_CLIENT_ID and PROCONNECT_CLIENT_SECRET from https://partenaires.moncomptepro.beta.gouv.fr/

Generate OAUTH2_PROXY_COOKIE_SECRET with `openssl rand -base64 32`.
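The configuration above puts oauth2-proxy in front of the Playground, so the Playground only ever sees the identity the proxy forwards; the check below is an added example (not the Playground's or OpenGateLLM's code) of how the upstream can validate that forwarded identity and decide whether to provision a user with the default role id from config.yml, which addresses the "keep an eye on who gets access" concern raised earlier. It assumes oauth2-proxy runs with `pass_user_headers` so that `X-Forwarded-Email` and `X-Forwarded-User` are set; the header names and the hypothetical `allowed_domains` / `allowed_users` lists are assumptions, not part of the issue.

```python
# Added example (not the Playground's or OpenGateLLM's code): gate a request
# that oauth2-proxy has forwarded, before any Playground session is created.
from dataclasses import dataclass
from typing import Mapping, Optional

# Mirrors playground_sso_opengatellm_default_role_id in config.yml.
DEFAULT_ROLE_ID = 2


class SsoRejected(Exception):
    """Raised when the forwarded identity is missing or not allowed."""


@dataclass(frozen=True)
class SsoIdentity:
    email: str
    subject: str
    role_id: int


def _domain_allowed(domain: str, allowed_domains: set[str]) -> bool:
    # Exact match or a sub-domain of an allowed domain; a plain suffix test
    # would wrongly accept "evilgouv.fr" for "gouv.fr".
    return any(domain == d or domain.endswith("." + d) for d in allowed_domains)


def resolve_sso_identity(
    headers: Mapping[str, str],
    allowed_domains: set[str],
    allowed_users: Optional[set[str]] = None,
) -> SsoIdentity:
    """Return the identity to provision for a request forwarded by oauth2-proxy.

    oauth2-proxy (with pass_user_headers) sets X-Forwarded-Email and
    X-Forwarded-User on requests it lets through to the upstream. Header
    names are matched case-insensitively; e-mails are normalised to lower case.
    """
    h = {k.lower(): v for k, v in headers.items()}
    email = h.get("x-forwarded-email", "").strip().lower()
    subject = h.get("x-forwarded-user", "").strip()
    # No forwarded identity: the request did not come through the proxy.
    if not email or email.count("@") != 1 or not subject:
        raise SsoRejected("no identity forwarded by oauth2-proxy")
    domain = email.rsplit("@", 1)[1]
    if not _domain_allowed(domain, allowed_domains):
        raise SsoRejected(f"domain not allowed: {domain}")
    # Optional explicit allowlist: Pro-Connect covers the whole administration,
    # so an organisation may still want to restrict who gets a Playground account.
    if allowed_users is not None and email not in allowed_users:
        raise SsoRejected(f"user not on the Playground allowlist: {email}")
    return SsoIdentity(email=email, subject=subject, role_id=DEFAULT_ROLE_ID)
```

Note that compose.yml above still publishes the Playground's port 8501 on the host; a header check like this only protects the Playground if that port is reachable solely through oauth2-proxy, since anyone who can reach 8501 directly could supply the headers themselves.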
