
Add generic OIDC login option #10614

Status: Open. Wants to merge 2 commits into base: dev.

Conversation


@dandersonsw dandersonsw commented Jul 23, 2024

⚠️ Note on feature completeness ⚠️

We are narrowing the scope of acceptable enhancements to DefectDojo in preparation for v3. Learn more here:
https://github.com/DefectDojo/django-DefectDojo/blob/master/readme-docs/CONTRIBUTING.md

Description

This adds the option of using a generic OIDC identity provider for login, rather than a specific one like Google, Keycloak, etc...

Test results

Ideally you extend the test suite in tests/ and dojo/unittests to cover the changes in this PR.
Alternatively, describe what you have and haven't tested.

Tested logging in using an OIDC identity provider

Documentation

Please update any documentation when needed in the documentation folder.

Checklist

This checklist is for your information.

  • Make sure to rebase your PR against the very latest dev.
  • Features/Changes should be submitted against the dev.
  • Bugfixes should be submitted against the bugfix branch.
  • Give a meaningful name to your PR, as it may end up being used in the release notes.
  • Your code is flake8 compliant.
  • Your code is python 3.11 compliant.
  • If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.
  • Model changes must include the necessary migrations in the dojo/db_migrations folder.
  • Add applicable tests to the unit tests.
  • Add the proper label to categorize your PR.

@github-actions github-actions bot added settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR docs ui labels Jul 23, 2024

dryrunsecurity bot commented Jul 23, 2024

DryRun Security Summary

The code changes introduce support for multiple authentication methods in DefectDojo, including OpenID Connect, OAuth, and SAML, aiming to enhance application security by leveraging trusted identity providers while requiring careful configuration to prevent potential vulnerabilities.


Summary:

The provided code changes introduce support for various authentication methods in the DefectDojo application, including OpenID Connect (OIDC), Google OAuth, Azure AD, Gitlab, Keycloak, GitHub Enterprise, and SAML 2.0. These changes aim to provide a more secure and flexible authentication system for the application.

From an application security perspective, the changes are generally positive as they allow the application to leverage trusted identity providers for user authentication. This can help improve the overall security of the application by delegating authentication to these providers and enforcing strong security practices, such as secure token exchange, token signature verification, and proper access control.

However, it is crucial to ensure that the integration with these authentication providers is properly configured and follows security best practices. This includes validating the OIDC token signature and claims, implementing robust session management and token revocation mechanisms, enforcing strong password policies, and enabling multi-factor authentication where possible. Additionally, the application's configuration management and the handling of multiple authentication options should be reviewed to prevent any potential security vulnerabilities.

Files Changed:

  1. dojo/context_processors.py: This file adds a new context variable OIDC_ENABLED to the globalize_vars function, which is set based on the value of the settings.OIDC_AUTH_ENABLED setting. This change is relatively straightforward and does not introduce any obvious security concerns.

  2. docs/content/en/open_source/archived_docs/integrations/social-authentication.md: This file adds support for various OAuth2 and SAML2 authentication providers in the DefectDojo application, including Google, Azure AD, Gitlab, Keycloak, GitHub Enterprise, and SAML 2.0. The changes provide a secure and flexible authentication system for the application.

  3. dojo/templates/dojo/login.html: The changes add an "OIDC (OpenID Connect)" login option to the login page, along with existing options for Google, Okta, Azure AD, Gitlab, Auth0, Keycloak, and GitHub Enterprise, as well as a SAML2 login option. It is essential to ensure that all the third-party authentication integrations are properly configured and follow security best practices.

  4. dojo/user/views.py: The changes in this file update the login_view function to handle different types of authentication methods, including OIDC, based on the application's settings. The improvements to the error handling in the DojoPasswordResetForm and DojoForgotUsernameForm are also positive from a security perspective.

  5. dojo/settings/settings.dist.py: This file adds support for OIDC authentication by introducing several new configuration variables. It is crucial to ensure that the OIDC configuration is properly set up and that the whitelisted domains are correctly configured to prevent unauthorized access.

Code Analysis

We ran 9 analyzers against 6 files and 2 analyzers had findings. 7 analyzers had no findings.

Analyzer                        Findings
Configured Codepaths Analyzer   3 findings
Authn/Authz Analyzer            5 findings

Overall Riskiness

🔴 Risk threshold exceeded.

We've notified @mtesauro, @grendel513.



This pull request has conflicts, please resolve those before we can evaluate the pull request.


Conflicts have been resolved. A maintainer will review the pull request shortly.


This pull request has conflicts, please resolve those before we can evaluate the pull request.

@dandersonsw dandersonsw force-pushed the add-oidc branch 2 times, most recently from e7a6740 to f97900e Compare November 13, 2024 21:46

Conflicts have been resolved. A maintainer will review the pull request shortly.

@Maffooch (Contributor)

Hi @dandersonsw, are you able to back out the formatting changes that are not directly related to this PR? It is making review a little challenging.


This pull request has conflicts, please resolve those before we can evaluate the pull request.


Conflicts have been resolved. A maintainer will review the pull request shortly.

@dandersonsw (Author)

Hi @Maffooch, I was able to back out the formatting changes on all the files except for the documentation file. Hopefully that makes it easier to review. Happy to make further changes if needed. Thank you.

@mtesauro (Contributor)

@dandersonsw Just kicked off the tests 🤞


This pull request has conflicts, please resolve those before we can evaluate the pull request.
