Merge 95da39bb8d into c004f2d3e6

api/v2.0/swagger.yaml

@@ -9366,6 +9366,11 @@ definitions:
         description: Logout OIDC user session
         x-omitempty: true
         x-isnullable: true
+      oidc_auto_login:
+        type: boolean
+        description: Auto login OIDC user session to bypass login screen when already authenticated
+        x-omitempty: true
+        x-isnullable: true
       robot_token_duration:
         type: integer
         description: The robot account token duration in days

src/common/const.go

@@ -120,6 +120,7 @@ const (
 	OIDCScope                        = "oidc_scope"
 	OIDCUserClaim                    = "oidc_user_claim"
 	OIDCLogout                       = "oidc_logout"
+	OIDCAutoLogin                    = "oidc_auto_login"
 
 	CfgDriverDB                       = "db"
 	NewHarborAdminName                = "admin@harbor.local"

src/core/controllers/oidc.go

@@ -78,6 +78,22 @@ func (oc *OIDCController) RedirectLogin() {
 		oc.SendInternalServerError(err)
 		return
 	}
+	
+	// Check if auto_login is enabled and add prompt=none for silent authentication
+	oidcSettings, err := config.OIDCSetting(oc.Context())
+	if err != nil {
+		log.Errorf("failed to get OIDC settings, error: %v", err)
+		oc.SendInternalServerError(err)
+		return
+	}
+	if oidcSettings.AutoLogin {
+		// Add prompt=none to attempt silent authentication
+		if strings.Contains(url, "?") {
+			url += "&prompt=none"
+		} else {
+			url += "?prompt=none"
+		}
+	}
 	redirectURL := oc.Ctx.Request.URL.Query().Get("redirect_url")
 	if !utils.IsLocalPath(redirectURL) {
 		log.Errorf("invalid redirect url: %v", redirectURL)

src/lib/config/metadata/metadatalist.go

@@ -148,6 +148,7 @@ var (
 		{Name: common.OIDCAutoOnboard, Scope: UserScope, Group: OIDCGroup, DefaultValue: "false", ItemType: &BoolType{}, Description: `Auto onboard the OIDC user`},
 		{Name: common.OIDCExtraRedirectParms, Scope: UserScope, Group: OIDCGroup, DefaultValue: "{}", ItemType: &StringToStringMapType{}, Description: `Extra parameters to add when redirect request to OIDC provider`},
 		{Name: common.OIDCLogout, Scope: UserScope, Group: OIDCGroup, DefaultValue: "false", ItemType: &BoolType{}, Description: `Enable OIDC logout to log out user session from the identity provider.`},
+		{Name: common.OIDCAutoLogin, Scope: UserScope, Group: OIDCGroup, DefaultValue: "false", ItemType: &BoolType{}, Description: `Enable OIDC auto login to bypass the login screen when user is already authenticated with the OIDC provider.`},
 
 		{Name: common.WithTrivy, Scope: SystemScope, Group: BasicGroup, EnvKey: "WITH_TRIVY", DefaultValue: "false", ItemType: &BoolType{}, Editable: true},
 		// the unit of expiration is days

src/lib/config/models/model.go

@@ -45,6 +45,7 @@ type OIDCSetting struct {
 	UserClaim          string            `json:"user_claim"`
 	ExtraRedirectParms map[string]string `json:"extra_redirect_parms"`
 	Logout             bool              `json:"logout"`
+	AutoLogin          bool              `json:"auto_login"`
 }
 
 // QuotaSetting wraps the settings for Quota

src/portal/src/app/base/left-side-nav/config/auth/config-auth.component.html

@@ -992,6 +992,32 @@
                     [(ngModel)]="currentConfig.oidc_logout.value" />
             </clr-checkbox-wrapper>
         </clr-checkbox-container>
+        <clr-checkbox-container>
+            <label for="oidcAutoLogin"
+                >{{ 'CONFIG.OIDC.OIDC_AUTO_LOGIN' | translate }}
+                <clr-tooltip>
+                    <clr-icon
+                        clrTooltipTrigger
+                        shape="info-circle"
+                        size="24"></clr-icon>
+                    <clr-tooltip-content
+                        clrPosition="top-right"
+                        clrSize="lg"
+                        *clrIfOpen>
+                        <span>{{ 'TOOLTIP.OIDC_AUTO_LOGIN' | translate }}</span>
+                    </clr-tooltip-content>
+                </clr-tooltip>
+            </label>
+            <clr-checkbox-wrapper>
+                <input
+                    type="checkbox"
+                    clrCheckbox
+                    name="oidcAutoLogin"
+                    id="oidcAutoLogin"
+                    [disabled]="disabled(currentConfig.oidc_auto_login)"
+                    [(ngModel)]="currentConfig.oidc_auto_login.value" />
+            </clr-checkbox-wrapper>
+        </clr-checkbox-container>
         <clr-input-container>
             <label for="oidcUserClaim"
                 >{{ 'CONFIG.OIDC.USER_CLAIM' | translate }}

src/portal/src/app/shared/router-guard/auth-user-activate.service.ts

@@ -67,12 +67,14 @@ export class AuthCheckGuard {
                             let navigatorExtra: NavigationExtras = {
                                 queryParams: { redirect_url: state.url },
                             };
-                            // if primary auth mode enabled, skip the first step
+                            // if primary auth mode or auto login enabled, skip the first step
                             if (
                                 this.appConfigService.getConfig().auth_mode ==
                                     CONFIG_AUTH_MODE.OIDC_AUTH &&
-                                this.appConfigService.getConfig()
-                                    .primary_auth_mode
+                                (this.appConfigService.getConfig()
+                                    .primary_auth_mode ||
+                                 this.appConfigService.getConfig()
+                                    .oidc_auto_login)
                             ) {
                                 window.location.href =
                                     '/c/oidc/login?redirect_url=' +