feat(auth): SSO support#820

Draft
leoguillaume wants to merge 9 commits into
mainfrom
643-prioritize-pro-connect-integration-for-playground-authentication


@leoguillaume leoguillaume commented Apr 15, 2026

To do

  • Setup Oauth2-proxy
  • Support SSO login
  • Support SSO logout
  • Retrieve user info from issuer and filter system
  • Setup domain filtering in oauth2-proxy (if needed)
  • Replace SSO_OPENGATELLM_ADMIN_API_KEY to secret auth key to never store keys on Postgres base
  • Refacto JWT key construction with followings claims :
      {
      "sub": "user_id", # previous user_id
      "jti": 0 # previous token_id
      "scope": "playground",
      "exp": 1713300000,
      "iat": 1713296400,
      "iss": "albert.playground.etalab.gouv.fr" # can be "proconnect", default : playground
       "aud": "albert.api.etalab.gouv.fr" # default : api
      }
  • Deploy latest version of oauth2-proxy
  • Align expiration duration with SSO spec
  • Documentation
  • Support None password in update user

Configuration

  • Add following settings in config.yml:
playground_opengatellm_url: ${OPENGATELLM_URL:-http://localhost:8000}
playground_sso_enabled: True
playground_sso_opengatellm_default_role_id: 2
playground_sso_opengatellm_admin_api_key: ${SSO_OPENGATELLM_ADMIN_API_KEY}
  • Replace the API and Playground services with the following services and an oauth2-proxy in compose.yml:
name: opengatellm

services:
  api:
    build:
      context: .
      dockerfile: api/Dockerfile
    restart: always
    env_file: .env
    ports:
      - "${API_PORT:-8000}:8000"
    volumes:
      - "${CONFIG_FILE:-./config.yml}:/config.yml:ro" # outside the container, do not change this line
    depends_on:
      redis:
        condition: service_healthy
      postgres:
        condition: service_healthy
      elasticsearch:
        condition: service_healthy

  playground:
    build:
      context: .      
      dockerfile: playground/Dockerfile
      args:
        - CONFIG_FILE=${CONFIG_FILE:-./config.yml}
        - REFLEX_BACKEND_URL=${PLAYGROUND_PUBLIC_URL:-http://localhost:${OAUTH2_PROXY_PORT:-4180}}
        - REFLEX_FRONTEND_URL=${PLAYGROUND_PUBLIC_URL:-http://localhost:${OAUTH2_PROXY_PORT:-4180}}
    environment:
      - "OPENGATELLM_URL=${OPENGATELLM_URL:-http://api:8000}"
      - "SSO_OPENGATELLM_ADMIN_API_KEY=${SSO_OPENGATELLM_ADMIN_API_KEY}"
      - "REDIS_HOST=redis"
      - "REDIS_PORT=${REDIS_PORT:-6379}"
    ports:
      - "${PLAYGROUND_PORT:-8501}:8501"
    volumes:
      - "./${CONFIG_FILE:-config.yml}:/config.yml:ro"
    healthcheck:
      test: [ "CMD-SHELL", "curl -sf http://localhost:8501/ping || exit 1" ]
      interval: 5s
      timeout: 5s
      retries: 10
      start_period: 30s
    depends_on:
      redis:
        condition: service_healthy
      postgres:
        condition: service_healthy

  oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.2
    profiles: ["proconnect"]
    command: --config /oauth2-proxy.cfg
    ports:
      - "${OAUTH2_PROXY_PORT:-4180}:4180"
    volumes:
      - "./oauth2-proxy.cfg:/oauth2-proxy.cfg:ro"
    environment:
      - "OAUTH2_PROXY_CLIENT_ID=${PROCONNECT_CLIENT_ID}"
      - "OAUTH2_PROXY_CLIENT_SECRET=${PROCONNECT_CLIENT_SECRET}"
      - "OAUTH2_PROXY_COOKIE_SECRET=${OAUTH2_PROXY_COOKIE_SECRET}"
    depends_on:
      playground:
        condition: service_healthy


  postgres:
    image: postgres:16.5
    restart: always
    user: postgres
    environment:
      - "POSTGRES_USER=${POSTGRES_USER:-postgres}"
      - "POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-changeme}"
      - "POSTGRES_DB=postgres"
    ports:
      - "${POSTGRES_PORT:-5432}:5432"
    volumes:
      - postgres:/var/lib/postgresql/data
    healthcheck:
      test: [ "CMD-SHELL", "pg_isready", "-U", "postgres" ]
      interval: 4s
      timeout: 10s
      retries: 5
      start_period: 60s

  redis:
    image: redis/redis-stack-server:7.4.0-v7
    restart: always
    environment:
      REDIS_ARGS: "--dir /data --requirepass ${REDIS_PASSWORD:-changeme} --user ${REDIS_USER:-redis} on >password ~* allcommands --save 60 1 --appendonly yes"
    ports:
      - "${REDIS_PORT:-6379}:6379"
    volumes:
      - redis:/data
    healthcheck:
      test: [ "CMD", "redis-cli", "--raw", "incr", "ping" ]
      interval: 4s
      timeout: 10s
      retries: 5
      start_period: 60s

  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:9.0.2
    restart: always
    ports:
      - "${ELASTICSEARCH_PORT:-9200}:9200"
    environment:
      - discovery.type=single-node
      - xpack.security.enabled=false
      - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
      - "ELASTIC_USERNAME=elasticsearch"
      - "ELASTIC_PASSWORD=changeme"
    volumes:
      - elasticsearch:/usr/share/elasticsearch/data
    healthcheck:
      test: [ "CMD-SHELL", "bash", "-c", ":> /dev/tcp/127.0.0.1/9200" ]
      interval: 4s
      timeout: 10s
      retries: 5
      start_period: 60s

volumes:
  elasticsearch:
  postgres:
  redis:
  • Add following variables in .env
PROCONNECT_CLIENT_ID=557aea...
PROCONNECT_CLIENT_SECRET=868...
OAUTH2_PROXY_COOKIE_SECRET=dpUIcF...
OAUTH2_PROXY_PORT=4180
SSO_OPENGATELLM_ADMIN_API_KEY=sk-eyJhbG...

Retrieve PROCONNECT_CLIENT_ID and PROCONNECT_CLIENT_SECRET from https://partenaires.moncomptepro.beta.gouv.fr/

Generate OAUTH2_PROXY_COOKIE_SECRET with openssl rand -base64 32

@leoguillaume leoguillaume changed the title 643 prioritize pro connect integration for playground authentication feat(auth): SSO support Apr 16, 2026
@leoguillaume leoguillaume force-pushed the 643-prioritize-pro-connect-integration-for-playground-authentication branch from 1428204 to b29e9e4 Compare April 16, 2026 07:59


Successfully merging this pull request may close these issues.

SSO support - logout SSO support : pro-Connect integration for Playground authentication
