Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add keycloak authentication #240

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Add keycloak authentication #240

wants to merge 4 commits into from

Conversation

mspasiano
Copy link

Together with my colleague @GiorgioBart we have extended the authentication method to https://github.com/keycloak

@mspasiano
Copy link
Author

mspasiano commented Apr 14, 2022
edited

We have defined some environment variables:

  • KEYCLOAK_ENABLE
  • KEYCLOAK_URL
  • KEYCLOAK_REALM
  • KEYCLOAK_CLIENTID
  • KEYCLOAK_USERINFO_ATTRIBUTE

@lovasoa
Copy link
Owner

lovasoa commented Apr 14, 2022
edited

This sounds useful! A few notes:

  • keycloak implements open authentication standards. I don't think there is a reason to make wbo dependant on keycloak instead of being generic and working with any openid connect provider.
  • If I'm not mistaken, the most important part is missing: the server side token verification logic.

lovasoa
lovasoa requested changes Apr 14, 2022
View reviewed changes
client-data/tools/keycloak/keycloak.js Outdated Show resolved Hide resolved
client-data/tools/keycloak/keycloak.js Outdated
keycloak.loadUserInfo().then(function(userInfo) {
if (Tools.server_config.KEYCLOAK_USERINFO_ATTRIBUTE) {
if (!userInfo[Tools.server_config.KEYCLOAK_USERINFO_ATTRIBUTE]) {
alert("Sitema non disponibile per l'utente " + userInfo.preferred_username);
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We shouldn't have an "alert", and all messages should be localized

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have not found anything to replace alert that you do not think about this: https://github.com/t4t5/sweetalert

client-data/tools/keycloak/keycloak.js Outdated Show resolved Hide resolved
README.md
Comment on lines +90 to +94
- `KEYCLOAK_ENABLE` is used for enable OIDC authentication
- `KEYCLOAK_URL` is the URL of Keycloak, eg, `https://keycloak-server/auth`
- `KEYCLOAK_REALM` is the Realm name, eg, **myrealm**
- `KEYCLOAK_CLIENTID` is the Public Client Id, eg, **myapp**
- `KEYCLOAK_USERINFO_ATTRIBUTE` is the attribute name for authorization, and it is not mandatory
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We shouldn't have to take more than an optional oidc discovery url

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do not think it is necessary, everything is conditioned on the KEYCLOAK_ENABLE variable

@matbgn
Copy link

matbgn commented Jun 7, 2022

Amy further improvements @mspasiano? I'm really looking forward to it ;-)

@lovasoa
Copy link
Owner

lovasoa commented Jun 7, 2022

We shouldn't have to take more than an optional oidc discovery url. Keycloak implements the standard oidc protocol; I don't think this should be keycloak-specific, mention a realm, or need a "userinfo" configuration.

@mspasiano
Copy link
Author

mspasiano commented Jun 8, 2022
edited

We shouldn't have to take more than an optional oidc discovery url. Keycloak implements the standard oidc protocol; I don't think this should be keycloak-specific, mention a realm, or need a "userinfo" configuration.

You could use this https://www.npmjs.com/package/openid-client what do you think? If you think it's appropriate I can take care of it, I did the same thing for PeerTube https://www.npmjs.com/package/peertube-plugin-oidc-cnr

@lovasoa
Copy link
Owner

lovasoa commented Jun 14, 2022

Yes, we can use an external lib. But we should keep compatibility with the existing jwt authentication mechanism described in https://github.com/lovasoa/whitebophir#authentication

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lovasoa lovasoa lovasoa requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@mspasiano @lovasoa @matbgn