NetBox-Docker Okta & Google SSO Environment Additions (#1475)

* feat: add SSO environment variable support for OKTA and Google OAuth2

Add native support for SSO configuration through environment variables
and Docker secrets, eliminating the need to modify configuration.py
for common SSO providers.

Changes:
- Add OKTA OpenID Connect configuration variables:
  - SOCIAL_AUTH_OKTA_OPENIDCONNECT_KEY (env var)
  - SOCIAL_AUTH_OKTA_OPENIDCONNECT_SECRET (env var + Docker secret: okta_openidconnect_secret)
  - SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL (env var)

- Add Google OAuth2 configuration variables:
  - SOCIAL_AUTH_GOOGLE_OAUTH2_KEY (env var)
  - SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET (env var + Docker secret: google_oauth2_secret)

Follows existing patterns with _read_secret() for sensitive data and
environ.get() for non-sensitive configuration.

Resolves: #1139

* Secrets example

* fix: add newline at end of file

---------

Co-authored-by: skyefugate <[email protected]>

Author: skyefugate

configuration/configuration.py

@@ -310,6 +310,12 @@ def _environ_get_and_map(variable_name: str, default: str | None = None, map_fn:
 REMOTE_AUTH_SUPERUSERS = _environ_get_and_map('REMOTE_AUTH_SUPERUSERS', '', _AS_LIST)
 REMOTE_AUTH_STAFF_GROUPS = _environ_get_and_map('REMOTE_AUTH_STAFF_GROUPS', '', _AS_LIST)
 REMOTE_AUTH_STAFF_USERS = _environ_get_and_map('REMOTE_AUTH_STAFF_USERS', '', _AS_LIST)
+# SSO Configuration
+SOCIAL_AUTH_OKTA_OPENIDCONNECT_KEY = environ.get('SOCIAL_AUTH_OKTA_OPENIDCONNECT_KEY')
+SOCIAL_AUTH_OKTA_OPENIDCONNECT_SECRET = _read_secret('okta_openidconnect_secret', environ.get('SOCIAL_AUTH_OKTA_OPENIDCONNECT_SECRET', ''))
+SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL = environ.get('SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL')
+SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = environ.get('SOCIAL_AUTH_GOOGLE_OAUTH2_KEY')
+SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET = _read_secret('google_oauth2_secret', environ.get('SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET', ''))
 
 # This repository is used to check whether there is a new release of NetBox available. Set to None to disable the
 # version check or use the URL below to check for release in the official NetBox repository.

docker-compose.override.yml.example

@@ -16,3 +16,18 @@ services:
       # SUPERUSER_EMAIL: ""
       # SUPERUSER_NAME: ""
       # SUPERUSER_PASSWORD: ""
+      # SSO Configuration
+      # SOCIAL_AUTH_OKTA_OPENIDCONNECT_KEY: "your_okta_client_id"
+      # SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL: "https://your-domain.okta.com"
+      # SOCIAL_AUTH_GOOGLE_OAUTH2_KEY: "your_google_client_id"
+    # secrets:
+      # - okta_openidconnect_secret
+      # - google_oauth2_secret
+
+# Uncomment to use Docker secrets for SSO credentials
+# secrets:
+#   okta_openidconnect_secret:
+#     file: ./secrets/okta_secret.txt
+#   google_oauth2_secret:
+#     file: ./secrets/google_secret.txt
+

env/netbox.env

@@ -33,4 +33,12 @@ REDIS_SSL=false
 RELEASE_CHECK_URL=https://api.github.com/repos/netbox-community/netbox/releases
 SECRET_KEY='r(m)9nLGnz$(_q3N4z1k(EFsMCjjjzx08x9VhNVcfd%6RF#r!6DE@+V5Zk2X'
 SKIP_SUPERUSER=true
+# SSO Configuration (uncomment and configure as needed)
+# OKTA OpenID Connect
+# SOCIAL_AUTH_OKTA_OPENIDCONNECT_KEY=your_okta_client_id
+# SOCIAL_AUTH_OKTA_OPENIDCONNECT_SECRET=your_okta_client_secret
+# SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL=https://your-domain.okta.com
+# Google OAuth2
+# SOCIAL_AUTH_GOOGLE_OAUTH2_KEY=your_google_client_id
+# SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET=your_google_client_secret
 WEBHOOKS_ENABLED=true