EE: OpenID Connect

Target release: Q3 2020
Epic: https://mattermost.atlassian.net/browse/MM-26776
Edition: E20
Document status: 50%
Document owner: @Dennis Kittrell (Deactivated)
Designer: @Michael Gamble (Deactivated)
Tech lead: @Scott Bishel
Technical writers: @Sebastian Faase (Deactivated)
QA: @Rohitesh Gupta (Deactivated)
OKR:
ProductBoard: OpenID Connect Authentication
Design Spec: <pending>
Technical Spec: https://mattermost.atlassian.net/wiki/spaces/EN/pages/794198017
Test Plan: <pending>

Objective

OpenID Connect (like SAML) is a federated authentication (sign-up/sign-in) standard.

OpenID Connect is an identity layer that sits on top of the OAuth 2.0 framework (which is used for both authentication and authorization).

This feature will enable sign-up/sign-in to Mattermost using any OAuth 2.0 provider that adheres to the OpenID Connect specification.

Background

Customers and prospective customers have explicitly asked for OpenID Connect support by name, as well as for individual identity providers that follow the specification.

Examples:

Mattermost currently supports three specific identity providers for SSO via OAuth 2.0 (Google, GitLab and O365); however, this implementation does not currently adhere to the OpenID Connect specification, which means:

  • Mattermost is unable to benefit from OpenID Connect formatted ID tokens

  • New providers require Mattermost engineering teams to build them

Success metrics

Goal | Metric

User Scenarios

  • Mattermost Admin

    • I want to sync my users to Mattermost with my (currently unsupported) SSO provider, so that they can sign up and log in using those credentials and I won’t have to worry about security issues/password management.

    • I want to configure my SSO provider simply by providing the link to the standardized OpenID Connect discovery document along with the Application ID and Application Secret.

  • Mattermost member

    • I want to easily sign up and log in to Mattermost with my existing organization credentials, so that I do not have to worry about security or the pain of managing another set of credentials.

    • I want a clear sign-up/sign-in button on the web, desktop and mobile interfaces.
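The admin scenario above configures a custom provider from nothing more than its discovery document URL plus an Application ID and Secret, so the server has to decide whether that document is trustworthy before using it. As an added example (not part of this spec or of Mattermost's code), the Go function below, run over a constructed sample document, applies the checks a server should make: the issuer must match the URL the document was fetched from, every endpoint must be HTTPS, and the provider must offer the authorization code flow and RS256-signed ID tokens.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

type Metadata struct { // subset of OpenID Provider Metadata a sign-in integration needs
	Issuer                string   `json:"issuer"`
	AuthorizationEndpoint string   `json:"authorization_endpoint"`
	TokenEndpoint         string   `json:"token_endpoint"`
	JWKSURI               string   `json:"jwks_uri"`
	ResponseTypes         []string `json:"response_types_supported"`
	IDTokenAlgs           []string `json:"id_token_signing_alg_values_supported"`
}

func has(list []string, want string) bool { // exact element match; NUL-joined so entries cannot run together
	return strings.Contains("\x00"+strings.Join(list, "\x00")+"\x00", "\x00"+want+"\x00")
}
// ValidateDiscovery returns every reason a document fetched from discoveryURL cannot back an OpenID Connect sign-in provider.
func ValidateDiscovery(discoveryURL string, body []byte) []string {
	var m Metadata
	if err := json.Unmarshal(body, &m); err != nil {
		return []string{"not valid JSON: " + err.Error()}
	}
	var problems []string
	// Discovery spec 4.3: issuer must equal the fetch URL minus the well-known suffix, so ID tokens are only accepted from the issuer the admin configured.
	want := strings.TrimSuffix(strings.TrimSuffix(discoveryURL, "/.well-known/openid-configuration"), "/")
	if strings.TrimSuffix(m.Issuer, "/") != want {
		problems = append(problems, "issuer does not match discovery URL: "+m.Issuer)
	}
	for _, e := range [][2]string{{"authorization_endpoint", m.AuthorizationEndpoint}, {"token_endpoint", m.TokenEndpoint}, {"jwks_uri", m.JWKSURI}} {
		if !strings.HasPrefix(e[1], "https://") { // codes, tokens and signing keys must never travel over plain HTTP
			problems = append(problems, e[0]+" is not an https URL: "+e[1])
		}
	}
	if !has(m.ResponseTypes, "code") { // the code flow is what the Application Secret is for
		problems = append(problems, "authorization code flow not supported")
	}
	if !has(m.IDTokenAlgs, "RS256") { // RS256 support is mandatory for an OpenID Provider
		problems = append(problems, "RS256-signed ID tokens not offered")
	}
	return problems
}
// SampleDocument is a constructed discovery document that claims a different issuer than it was fetched from and exposes a plain-HTTP token endpoint.
const SampleDocument = `{"issuer":"https://idp.example.net","authorization_endpoint":"https://idp.example.com/auth","token_endpoint":"http://idp.example.com/token","jwks_uri":"https://idp.example.com/jwks","response_types_supported":["code"],"id_token_signing_alg_values_supported":["RS256"]}`
func main() {
	fmt.Println(ValidateDiscovery("https://idp.example.com/.well-known/openid-configuration", []byte(SampleDocument)))
}
```

Running it reports the issuer mismatch and the http token endpoint; a clean document returns an empty list.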

Assumptions

OpenID Connect support will replace the OAuth 2.0 section of the System Console, since we currently use that section only for OAuth authentication (not authorization of access) and all currently supported OAuth sign-in methods will be supported via OpenID Connect.

Future OAuth integrations will be implemented as plugins and will also be able to use the authorization/access functionality of OAuth.

Phases & Milestones

Timeline chart (Jun 2020 to Jan 2021), phases: Design, Develop, QA, Launch; iOS App; Android

Areas Touched

  • Authentication

  • System Console UI (Authentication)

  • Mobile (sign-up/sign-in)

Requirements

# | Requirement | User Story | Importance | Jira Issue | Mobile Ticket | Notes

1 | Rename OAuth 2.0 section of system console to OpenID Connect Providers | | Medium | https://mattermost.atlassian.net/browse/MM-27670 | N/A |

2 | Redesign/Rebuild Identity Provider form. In addition to choosing from the 3 existing and most popular identity providers, the option of “other” will enable a custom provider that adheres to the OpenID Connect specification. | | HIGH | N/A |

3 | Redesign/Rebuild Identity Provider form to include standard fields for OpenID Connect, including the URL to the discovery document | | HIGH | N/A |

4 | Add ability to customize text and color of sign-up/sign-in button for each provider (Web/Mobile) | | Medium |

5 | GitLab identity provider is currently supported via OAuth 2.0, and current customers using this method will need to be migrated to OpenID Connect | | HIGH | N/A |

6 | Google Apps identity provider is currently supported via OAuth 2.0, and current customers using this method will need to be migrated to OpenID Connect | | HIGH | N/A |

7 | O365 identity provider is currently supported via OAuth 2.0, and current customers using this method will need to be migrated to OpenID Connect | | HIGH | N/A |

8 | Telemetry: | | MEDIUM | N/A |

  • SSO using OpenID Connect is enabled on server

  • URL for enabled provider

  • Count of users who registered using an OpenID Connect identity provider

  • Count of users with an active OpenID Connect identity provider listed as their current sign-in method

9 | Google SSO supported on mobile | | | | N/A |

10 | | | | | N/A |

Open Questions

Question | Answer | Date Answered

Can we work with the HW PR submitter to re-use the Google mobile button? | |

Will this work well as a solution for: | |

  • Amazon Cognito?

  • Atlassian Crowd?

  • Sign in with Apple?

Out of Scope for MVP

  • Multiple OpenID Connect providers enabled at one time

  • Google sign-in/sign-up button on mobile