smartcontractkit · harry-anderson · Jul 1, 2025 · Sep 12, 2024 · Feb 25, 2025 · Feb 24, 2025
@@ -196,6 +196,38 @@ StartTimeout = '15s' # Default
 # ListenIP specifies the IP to bind the HTTP server to
 ListenIP = '0.0.0.0' # Default
 
+# Optional OIDC config if WebServer.AuthenticationMethod is set to 'oidc'
+[WebServer.OIDC]
+# Expected audience of the token, usually expected to be the ID of the client 
+# that initialized the login flow/the auth client application ID 
+ClientID = ""
+# ProviderDomain is the URL identifier for the provider service. 
+ProviderDomain = 'accounts[.]example[.]com'
+# OAuth2ProviderRouteSuffix is route suffix appended to the ProviderDomain, varies per provider
+OAuth2ProviderRouteSuffix = '/oauth2/default' # Default
+# OIDCCallbackURL is the URL (FQDN) that this running instance of the chainlink application listens on 
+# for the OIDC provider callback containing the authenticated user's claims. This should be the domain
+# that the user accesses the operator UI from. OIDCCallbackURLSuffix is appended to the end
+OIDCCallbackURL = 'http://localhost:8080/'
+# OIDCCallbackURLSuffix is the API route name suffix used when registering the router endpoint
+OIDCCallbackURLSuffix = '/auth/oidc-callback' # Default
+# HTTPPort of the OIDC self contained HTTP router used to listen for the provider callback request
+HTTPPort = 6689 # Default
+# AdminUserGroupClaim is string label of the group returned by the OIDC claim that maps the core node's 'Admin' role
+AdminUserGroupClaim = 'NodeAdmins' # Default
+# EditUserGroupClaim is string label of the group returned by the OIDC claim that maps the core node's 'Edit' role
+EditUserGroupClaim = 'NodeEditors' # Default
+# RunUserGroupClaim is string label of the group returned by the OIDC claim that maps the core node's 'Run' role
+RunUserGroupClaim = 'NodeRunners' # Default
+# ReadUserGroupClaim is string label of the group returned by the OIDC claim that maps the core node's 'Read' role
+ReadUserGroupClaim = 'NodeReadOnly' # Default
+# SessionTimeout determines the amount of idle time to elapse before session cookies expire. This signs out GUI users from their sessions.
+SessionTimeout = '15m0s' # Default
+# UserApiTokenEnabled enables the users to issue API tokens with the same access of their role
+UserApiTokenEnabled = false # Default
+# UserAPITokenDuration is the duration of time an API token is active for before expiring
+UserAPITokenDuration = '240h0m0s' # Default
+
 # Optional LDAP config if WebServer.AuthenticationMethod is set to 'ldap'
 # LDAP queries are all parameterized to support custom LDAP 'dn', 'cn', and attributes 
 [WebServer.LDAP]

@@ -14,6 +14,11 @@ BackupURL = "postgresql://user:[email protected]:5432/dbname?sslmode
 # Environment variable: `CL_DATABASE_ALLOW_SIMPLE_PASSWORDS`
 AllowSimplePasswords = false # Default
 
+# Optional OIDC config
+[WebServer.OIDC]
+# Auth client application secret
+clientSecret = "secret" # Example
+
 # Optional LDAP config
 [WebServer.LDAP]
 # ServerAddress is the full ldaps:// address of the ldap server to authenticate with and query

@@ -749,6 +749,7 @@
 	ListenIP                *net.IP
 
 	LDAP      WebServerLDAP      `toml:",omitempty"`
+	OIDC      WebServerOIDC      `toml:",omitempty"`
 	MFA       WebServerMFA       `toml:",omitempty"`
 	RateLimit WebServerRateLimit `toml:",omitempty"`
 	TLS       WebServerTLS       `toml:",omitempty"`
@@ -793,43 +794,86 @@
 	}
 
 	w.LDAP.setFrom(&f.LDAP)
+	w.OIDC.setFrom(&f.OIDC)
 	w.MFA.setFrom(&f.MFA)
 	w.RateLimit.setFrom(&f.RateLimit)
 	w.TLS.setFrom(&f.TLS)
 }
 
 func (w *WebServer) ValidateConfig() (err error) {
-	// Validate LDAP fields when authentication method is LDAPAuth
-	if *w.AuthenticationMethod != string(sessions.LDAPAuth) {
-		return
+	switch *w.AuthenticationMethod {
+	case string(sessions.LDAPAuth):
+		// Assert LDAP fields when AuthMethod set to LDAP
+		if *w.LDAP.BaseDN == "" {
+			err = multierr.Append(err, configutils.ErrInvalid{Name: "LDAP.BaseDN", Msg: "LDAP BaseDN can not be empty"})
+		}
+		if *w.LDAP.BaseUserAttr == "" {
+			err = multierr.Append(err, configutils.ErrInvalid{Name: "LDAP.BaseUserAttr", Msg: "LDAP BaseUserAttr can not be empty"})
+		}
+		if *w.LDAP.UsersDN == "" {
+			err = multierr.Append(err, configutils.ErrInvalid{Name: "LDAP.UsersDN", Msg: "LDAP UsersDN can not be empty"})
+		}
+		if *w.LDAP.GroupsDN == "" {
+			err = multierr.Append(err, configutils.ErrInvalid{Name: "LDAP.GroupsDN", Msg: "LDAP GroupsDN can not be empty"})
+		}
+		if *w.LDAP.AdminUserGroupCN == "" {
+			err = multierr.Append(err, configutils.ErrInvalid{Name: "LDAP.AdminUserGroupCN", Msg: "LDAP AdminUserGroupCN can not be empty"})
+		}
+		if *w.LDAP.EditUserGroupCN == "" {
+			err = multierr.Append(err, configutils.ErrInvalid{Name: "LDAP.RunUserGroupCN", Msg: "LDAP ReadUserGroupCN can not be empty"})
+		}
+		if *w.LDAP.RunUserGroupCN == "" {
+			err = multierr.Append(err, configutils.ErrInvalid{Name: "LDAP.RunUserGroupCN", Msg: "LDAP RunUserGroupCN can not be empty"})
+		}
+		if *w.LDAP.ReadUserGroupCN == "" {
+			err = multierr.Append(err, configutils.ErrInvalid{Name: "LDAP.ReadUserGroupCN", Msg: "LDAP ReadUserGroupCN can not be empty"})
+		}
+		return err
+	case string(sessions.OIDCAuth):
+		fmt.Println("%#v", w.OIDC)
+		if *w.OIDC.ClientID == "" {
+			err = multierr.Append(err, configutils.ErrInvalid{Name: "OIDC.ClientID", Msg: "OIDC ClientID can not be empty"})
+		}
+		if *w.OIDC.ProviderDomain == "" {
+			err = multierr.Append(err, configutils.ErrInvalid{Name: "OIDC.ProviderDomain", Msg: "OIDC ProviderDomain can not be empty"})
+		}
+		if *w.OIDC.OAuth2ProviderRouteSuffix == "" {
+			err = multierr.Append(err, configutils.ErrInvalid{Name: "OIDC.OAuth2ProviderRouteSuffix", Msg: "OIDC OAuth2ProviderRouteSuffix can not be empty"})
+		}
+		if *w.OIDC.OIDCCallbackURL == "" {
+			err = multierr.Append(err, configutils.ErrInvalid{Name: "OIDC.OIDCCallbackURL", Msg: "OIDC OIDCCallbackURL can not be empty"})
+		}
+		if *w.OIDC.OIDCCallbackURLSuffix == "" {
+			err = multierr.Append(err, configutils.ErrInvalid{Name: "OIDC.OIDCCallbackURLSuffix", Msg: "OIDC OIDCCallbackURLSuffix can not be empty"})
+		}
+		if w.OIDC.HTTPPort == 0 {
+			err = multierr.Append(err, configutils.ErrInvalid{Name: "OIDC.HTTPPort", Msg: "OIDC HTTPPort can not be empty"})
+		}
+		if *w.OIDC.AdminUserGroupClaim == "" {
+			err = multierr.Append(err, configutils.ErrInvalid{Name: "OIDC.AdminUserGroupClaim", Msg: "OIDC AdminUserGroupClaim can not be empty"})
+		}
+		if *w.OIDC.EditUserGroupClaim == "" {
+			err = multierr.Append(err, configutils.ErrInvalid{Name: "OIDC.EditUserGroupClaim", Msg: "OIDC EditUserGroupClaim can not be empty"})
+		}
+		if *w.OIDC.RunUserGroupClaim == "" {
+			err = multierr.Append(err, configutils.ErrInvalid{Name: "OIDC.RunUserGroupClaim", Msg: "OIDC RunUserGroupClaim can not be empty"})
+		}
+		if *w.OIDC.ReadUserGroupClaim == "" {
+			err = multierr.Append(err, configutils.ErrInvalid{Name: "OIDC.ReadUserGroupClaim", Msg: "OIDC ReadUserGroupClaim can not be empty"})
+		}
+		if w.OIDC.SessionTimeout == commonconfig.MustNewDuration(0) {
+			err = multierr.Append(err, configutils.ErrInvalid{Name: "OIDC.SessionTimeout", Msg: "OIDC SessionTimeout can not be empty"})
+		}
+		if w.OIDC.UserApiTokenEnabled == nil {
+			err = multierr.Append(err, configutils.ErrInvalid{Name: "OIDC.UserApiTokenEnabled", Msg: "OIDC UserApiTokenEnabled can not be empty"})
+		}
+		if w.OIDC.UserAPITokenDuration == commonconfig.MustNewDuration(0) {
+			err = multierr.Append(err, configutils.ErrInvalid{Name: "OIDC.UserAPITokenDuration", Msg: "OIDC UserAPITokenDuration can not be empty"})
+		}
+		return err
 	}
 
-	// Assert LDAP fields when AuthMethod set to LDAP
-	if *w.LDAP.BaseDN == "" {
-		err = multierr.Append(err, configutils.ErrInvalid{Name: "LDAP.BaseDN", Msg: "LDAP BaseDN can not be empty"})
-	}
-	if *w.LDAP.BaseUserAttr == "" {
-		err = multierr.Append(err, configutils.ErrInvalid{Name: "LDAP.BaseUserAttr", Msg: "LDAP BaseUserAttr can not be empty"})
-	}
-	if *w.LDAP.UsersDN == "" {
-		err = multierr.Append(err, configutils.ErrInvalid{Name: "LDAP.UsersDN", Msg: "LDAP UsersDN can not be empty"})
-	}
-	if *w.LDAP.GroupsDN == "" {
-		err = multierr.Append(err, configutils.ErrInvalid{Name: "LDAP.GroupsDN", Msg: "LDAP GroupsDN can not be empty"})
-	}
-	if *w.LDAP.AdminUserGroupCN == "" {
-		err = multierr.Append(err, configutils.ErrInvalid{Name: "LDAP.AdminUserGroupCN", Msg: "LDAP AdminUserGroupCN can not be empty"})
-	}
-	if *w.LDAP.EditUserGroupCN == "" {
-		err = multierr.Append(err, configutils.ErrInvalid{Name: "LDAP.RunUserGroupCN", Msg: "LDAP ReadUserGroupCN can not be empty"})
-	}
-	if *w.LDAP.RunUserGroupCN == "" {
-		err = multierr.Append(err, configutils.ErrInvalid{Name: "LDAP.RunUserGroupCN", Msg: "LDAP RunUserGroupCN can not be empty"})
-	}
-	if *w.LDAP.ReadUserGroupCN == "" {
-		err = multierr.Append(err, configutils.ErrInvalid{Name: "LDAP.ReadUserGroupCN", Msg: "LDAP ReadUserGroupCN can not be empty"})
-	}
-	return err
+	return nil
 }
 
 type WebServerMFA struct {
@@ -993,15 +1037,87 @@
 	}
 }
 
+type WebServerOIDC struct {
+	ClientID *string
+	ProviderDomain *string
+	OAuth2ProviderRouteSuffix *string
+	OIDCCallbackURL *string
+	OIDCCallbackURLSuffix *string
+	HTTPPort uint16
+	AdminUserGroupClaim *string
+	EditUserGroupClaim *string
+	RunUserGroupClaim *string
+	ReadUserGroupClaim *string
+	SessionTimeout *commonconfig.Duration
+	UserApiTokenEnabled *bool
+	UserAPITokenDuration *commonconfig.Duration
+}
+
+func (w *WebServerOIDC) setFrom(f *WebServerOIDC) {
+	if v := f.ClientID; v != nil {
+		w.ClientID = v
+	}
+	if v := f.ProviderDomain; v != nil {
+		w.ProviderDomain = v
+	}
+	if v := f.OAuth2ProviderRouteSuffix; v != nil {
+		w.OAuth2ProviderRouteSuffix = v
+	}
+	if v := f.OIDCCallbackURL; v != nil {
+		w.OIDCCallbackURL = v
+	}
+	if v := f.OIDCCallbackURLSuffix; v != nil {
+		w.OIDCCallbackURLSuffix = v
+	}
+	if v := f.HTTPPort; v != 0 {
+		w.HTTPPort = v
+	}
+	if v := f.AdminUserGroupClaim; v != nil {
+		w.AdminUserGroupClaim = v
+	}
+	if v := f.EditUserGroupClaim; v != nil {
+		w.EditUserGroupClaim = v
+	}
+	if v := f.RunUserGroupClaim; v != nil {
+		w.RunUserGroupClaim = v
+	}
+	if v := f.ReadUserGroupClaim; v != nil {
+		w.ReadUserGroupClaim = v
+	}
+	if v := f.SessionTimeout; v != nil {
+		w.SessionTimeout = v
+	}
+	if v := f.UserApiTokenEnabled; v != nil {
+		w.UserApiTokenEnabled = v
+	}
+	if v := f.UserAPITokenDuration; v != nil {
+		w.UserAPITokenDuration = v
+	}
+}
+
+type WebServerOIDCSecrets struct {
+	ClientSecret *string
+}
+
+func (w *WebServerOIDCSecrets) setFrom(f *WebServerOIDCSecrets) {
+	if v := f.ClientSecret; v != nil {
+			w.ClientSecret = v
+	}
+}
+
 type WebServerSecrets struct {
 	LDAP WebServerLDAPSecrets `toml:",omitempty"`
+	OIDC WebServerOIDCSecrets `toml:",omitempty"`
 }
 
 func (w *WebServerSecrets) SetFrom(f *WebServerSecrets) error {
 	w.LDAP.setFrom(&f.LDAP)
+	w.OIDC.setFrom(&f.OIDC)
 	return nil
 }
 
+// TODO: harry: add Validate function for WebServerSecrets and LDAPSecrets
+
 type JobPipeline struct {
 	ExternalInitiatorsEnabled *bool
 	MaxRunDuration            *commonconfig.Duration

@@ -55,6 +55,23 @@ type LDAP interface {
 	UpstreamSyncRateLimit() commonconfig.Duration
 }
 
+type OIDC interface {
+	ClientID() string
+	ClientSecret() string
+	ProviderDomain() string
+	OAuth2ProviderRouteSuffix() string
+	OIDCCallbackURL() string
+	OIDCCallbackURLSuffix() string
+	HTTPPort() uint16
+	AdminUserGroupClaim() string
+	EditUserGroupClaim() string
+	RunUserGroupClaim() string
+	ReadUserGroupClaim() string
+	SessionTimeout() commonconfig.Duration
+	UserApiTokenEnabled() bool
+	UserAPITokenDuration() commonconfig.Duration
+}
+
 type WebServer interface {
 	AuthenticationMethod() string
 	AllowOrigins() string
@@ -74,4 +91,5 @@ type WebServer interface {
 	RateLimit() RateLimit
 	MFA() MFA
 	LDAP() LDAP
+	OIDC() OIDC
 }
@@ -92,6 +92,7 @@ import (
 	"github.com/smartcontractkit/chainlink/v2/core/sessions"
 	"github.com/smartcontractkit/chainlink/v2/core/sessions/ldapauth"
 	"github.com/smartcontractkit/chainlink/v2/core/sessions/localauth"
+	"github.com/smartcontractkit/chainlink/v2/core/sessions/oidcauth"
 	"github.com/smartcontractkit/chainlink/v2/core/static"
 	"github.com/smartcontractkit/chainlink/v2/plugins"
 )
@@ -162,7 +163,7 @@ type ChainlinkApplication struct {
 	pipelineRunner           pipeline.Runner
 	bridgeORM                bridges.ORM
 	localAdminUsersORM       sessions.BasicAdminUsersORM
-	authenticationProvider   sessions.AuthenticationProvider
+	authenticationProvider   sessions.AuthenticationProvider // Note: this will be OIDC instance
 	txmStorageService        txmgr.EvmTxStore
 	FeedsService             feeds.Service
 	webhookJobRunner         webhook.JobRunner
@@ -441,7 +442,7 @@ func NewApplication(ctx context.Context, opts ApplicationOpts) (Application, err
 	localAdminUsersORM := localauth.NewORM(opts.DS, cfg.WebServer().SessionTimeout().Duration(), globalLogger, auditLogger)
 
 	// Initialize Sessions ORM based on environment configured authenticator
-	// localDB auth or remote LDAP auth
+	// localDB auth, LDAP auth, or OIDC auth
 	authMethod := cfg.WebServer().AuthenticationMethod()
 	var authenticationProvider sessions.AuthenticationProvider
 	var sessionReaper *utils.SleeperTask
@@ -458,6 +459,15 @@ func NewApplication(ctx context.Context, opts ApplicationOpts) (Application, err
 		syncer := ldapauth.NewLDAPServerStateSyncer(opts.DS, cfg.WebServer().LDAP(), globalLogger)
 		srvcs = append(srvcs, syncer)
 		sessionReaper = utils.NewSleeperTaskCtx(syncer)
+	case sessions.OIDCAuth:
+		var err error
+		authenticationProvider, err = oidcauth.NewOIDCAuthenticator(
+			opts.DS, cfg.WebServer().OIDC(), globalLogger, auditLogger,
+		)
+		if err != nil {
+			return nil, errors.Wrap(err, "NewApplication: failed to initialize OIDC Authentication module")
+		}
+		sessionReaper = oidcauth.NewSessionReaper(opts.DS, cfg.WebServer(), globalLogger)
 	case sessions.LocalAuth:
 		authenticationProvider = localauth.NewORM(opts.DS, cfg.WebServer().SessionTimeout().Duration(), globalLogger, auditLogger)
 		sessionReaper = localauth.NewSessionReaper(opts.DS, cfg.WebServer(), globalLogger)