OpenID Connect Integration #178

Open
colin-campbell opened this issue Aug 23, 2024 · 7 comments
Labels
enhancement New feature or request

Comments

@colin-campbell
Contributor

Since this plugin is generally available in the Chrome Web Store, it would be a real plus for businesses to have it useable over the Internet with proper authentication, authorisation and sign-in.

OpenID Connect, for instance, is doable in a browser extension, but with some tricky things in the manifest around site access, etc. Maybe Microsoft's MSAL.js could help us here.

If there is enough interest here, I will try to make an implementation of this - it would be great for corporate users to be able to have this installed through MDM and ready to go out-of-the-box with settings, as it were.

What do you think?

@n4ze3m n4ze3m added the enhancement New feature or request label Aug 23, 2024
@n4ze3m
Owner

n4ze3m commented Aug 23, 2024

This is great! I also planned a similar feature after releasing OpenAI API-compatible support. The n4ze3m/page-share-app will be updated to include an admin panel where users can add their Ollama, Llama.cpp, or any OpenAI-compatible endpoint. It will then act as a proxy with role-based controls, etc., for the Page Assist extension.

@therealtimex

> This is great! I also planned a similar feature after releasing OpenAI API-compatible support. The n4ze3m/page-share-app will be updated to include an admin panel where users can add their Ollama, Llama.cpp, or any OpenAI-compatible endpoint. It will then act as a proxy with role-based controls, etc., for the Page Assist extension.

Love this idea.

@colin-campbell
Contributor Author

I have a basic working version that has successfully authenticated against Keycloak OpenID Connect using Authorization Code Flow with PKCE from background.ts.

I had to "roll my own" using the WebCrypto API (https://www.w3.org/TR/WebCryptoAPI), because MSAL and other available libs are relying on Node builtins, which are playing havoc with the Vite config and are proving difficult to shim - vite-plugin-node-polyfills, for example, doesn't work for this use case unless I am missing something.

I don't think it's a biggie, because of the simple flow ACF-PKCE being the only one really suitable for this type of application, and the available libs are over-engineered to the max to support all standard flows.

So just some scaffold to do around token expiry, refresh and collecting the config parameters, and I should have an experimental PR by the end of the week.

One question: I was thinking of keeping all that stuff hidden from the user unless the initial call to /api/tags returns 401 Unauthorized, then we should display a "sign in" button. What do you think @n4ze3m @therealtimex?

Of course centralising all this in some sort of proxy makes some sense, but having standalone operation with only the extension is a worthy effort too.

@therealtimex

Why not add a menu here:

[Screenshot 2024-08-29 at 13 18 59]

@colin-campbell
Contributor Author

I will of course add a menu for settings/endpoints there. But the auth itself should happen in the service worker using launchWebAuthFlow() which will take care of the authentication lifecycle without using the UI at all.
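
The Authorization Code + PKCE steps discussed in this thread, as an added example that is not code from the issue or from the Page Assist project: it derives the S256 challenge with WebCrypto, builds the authorization URL, and validates the redirect URL that `launchWebAuthFlow()` would hand back. `CONFIG`, the function names, the IdP host, the client id and the redirect URI are assumptions made for illustration.

```javascript
// Added example; the IdP URL, client_id and redirect URI are constructed placeholders.
const CONFIG = {
  authEndpoint: "https://idp.example/realms/demo/protocol/openid-connect/auth",
  redirectUri: "https://extension-id-placeholder.chromiumapp.org/cb",
  clientId: "page-assist-demo", scope: "openid",
};
// Service workers expose WebCrypto as globalThis.crypto; the import only covers older Node.
const webCrypto = async () => globalThis.crypto ?? (await import("node:crypto")).webcrypto;

// Unpadded base64url, the encoding RFC 7636 uses for the challenge.
const base64url = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

async function randomToken(nBytes) {
  return base64url((await webCrypto()).getRandomValues(new Uint8Array(nBytes)));
}

// code_challenge = BASE64URL(SHA-256(ASCII(code_verifier)))
async function challengeFor(verifier) {
  const data = new TextEncoder().encode(verifier);
  return base64url(new Uint8Array(await (await webCrypto()).subtle.digest("SHA-256", data)));
}

// Builds the authorization URL; verifier and state stay in the extension until the redirect.
async function buildAuthRequest(cfg) {
  const verifier = await randomToken(32); // 43 characters, 256 bits
  const state = await randomToken(16);
  const url = new URL(cfg.authEndpoint);
  url.search = new URLSearchParams({
    response_type: "code", client_id: cfg.clientId, redirect_uri: cfg.redirectUri,
    scope: cfg.scope, state, code_challenge: await challengeFor(verifier),
    code_challenge_method: "S256",
  }).toString();
  return { url: url.toString(), verifier, state };
}

// Checks the URL handed back by the auth flow before the code goes to the token endpoint.
function extractCode(redirectUrl, cfg, expectedState) {
  const got = new URL(redirectUrl), want = new URL(cfg.redirectUri);
  if (got.origin !== want.origin || got.pathname !== want.pathname)
    throw new Error("unexpected redirect target");
  const q = got.searchParams;
  if (q.get("error")) throw new Error("IdP error: " + q.get("error"));
  if (q.get("state") !== expectedState) throw new Error("state mismatch");
  if (!q.get("code")) throw new Error("no authorization code");
  return q.get("code");
}
```

The `verifier` returned by `buildAuthRequest` is what the token request later sends as `code_verifier`, so it should live only in the service worker's memory for the duration of one sign-in.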

@n4ze3m
Owner

n4ze3m commented Aug 30, 2024

Wow, this is amazing! I'm pinning this issue as a v2.0.0 discussion.

@n4ze3m n4ze3m pinned this issue Aug 30, 2024
@therealtimex

> I will of course add a menu for settings/endpoints there. But the auth itself should happen in the service worker using launchWebAuthFlow() which will take care of the authentication lifecycle without using the UI at all.

definitely

3 participants