Description

This PR adds support for OpenID Connect (OIDC) authentication. It resolves #2469.

The code is heavily based on the existing SAML authentication implementation using:

• OidcAuthenticator to hook into Symfony authenticating using Passport.
• OidcProvider to create and hydrate users.
• OidcController to supply the login routes to redirect to the configured OIDC provider.
  The implementation of OIDC in this PR is handled by jumbojett/openid-connect-php which does all of the heavy lifting.

Configuration is very similar to SAML too, but much simplier because ODIC is more standardized and has sensible defaults. Basic configuration would be:

kimai:
    oidc:
        activate: true
        title: "Login with Custom OIDC"
        provider_url: "https://auth.example.com/"
        client_id: "EXAMPLE"
        client_secret: "EXAMPLE"

These are the only configuration values which need to be provided because OIDC is able to automatically detect the others using the "well known" URL. In the example above, it is able to access https://auth.example.com/.well-known/openid-configuration. The response to this will include all of the URLs and other configuration needed to setup OIDC with that specific server.

I have also gone a little further and implemented the same "role mapping" system which SAML has. You can configure this in a very similar way by adding this to the above config:

          roles:
            resetOnLogin: true
            mapping:
                # Insert your role-mapping here (ROLE_USER is added automatically)
                - { oidc: Admin, kimai: ROLE_SUPER_ADMIN }
                - { oidc: Manager, kimai: ROLE_ADMIN }
                - { oidc: Teamlead, kimai: ROLE_TEAMLEAD }

This works example the same as with SAML, however, the attribute configuration value isn't needed as it is standarized in OIDC.

Demo video

How to test this

To test this, you will need to have an OIDC authentication provider. There are many available such as Pocket ID, Ory Hydra, Authentik, VoidAuth, Keycloak, and Forgejo.

However, if you don't have any setup, then by far the easiest is to start a "demo instance" of Pocket ID (they last for 30 minutes before being deleted).

https://demo.pocket-id.org

When you have an instance you can follow these steps to create the required enviornment for testing:

1. Follow the setup instructions to create a new user.
2. Create a passkey when requested, or skip in this case and it will keep you logged in until the demo instance is deleted.
3. Go to "Administration" -> "OIDC Clients" and then click "Add OIDC client"
4. Fill in the name as "Kamai" (or whatever you like) and leave the rest of the settings blank. Press "Save"
5. Scroll down to the "Allowed User Groups", expand it and press "Unrestrict". This will allow all users in the auth provider (just you) to access the client.
6. At the top of the screen there will be the settings. Expand it and then use "client ID", "client secret", and "issuer URL" to fill in this Kamai config:

kimai:
    oidc:
        activate: true
        title: "Login with Pocket ID"
        provider_url: "https://EXAMPLE.demo.podkcet-id.org"
        client_id: "EXAMPLE"
        client_secret: "EXAMPLE"

7. Open the login page of your Kimai instance and there should be a "Login with Pocket ID" button. Pressing that should take you to the Pocket ID login page.
8. Press sign in and then accept the information which will be shared.
9. You will be redirected back to Kimai and logged in. If this was a new user your name, email, and profile picture will be set from Pocket ID.

To test role mapping:

1. In your Pocket ID demo instance, go to "Administration" -> "User groups" and then click "Add Group".
2. Give it a friendly name and optionally change the name which will be sent to Kimai. This example will use admins.
3. On the next page, scroll down to the user list, tick your user and then press "Save". This assigns your user to that group.
4. Modify your Kimai config to include:

          roles:
            resetOnLogin: true
            mapping:
                - { oidc: admins, kimai: ROLE_ADMIN }

5. Sign out of Kimai and then sign in again with the "Login with Pocket ID" button. You will be asked for permissions again and this time it will be requesting "groups" access.
6. When you accept and sign in your user will be assigned to the admin role.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist

• I verified that my code applies to the guidelines (composer code-check)
• I updated the documentation (opened here Add documentation for OIDC authentication www.kimai.org#672)
• I agree that this code is used in Kimai (see license)