This repository has been archived by the owner on Dec 4, 2023. It is now read-only.

Automatically redirect to the 'openshift' identity provider login page instead of the intermediate keycloak page with an 'openshift' option #1533

Closed
david-martin opened this issue Aug 23, 2018 · 3 comments

Comments

@david-martin

i.e. when you first try to access the EnMasse console, skip this page
image

and go straight to this page.
image

My understanding is, this is possible by:

  • setting a default Identity Provider Redirector in the Realm > Authentication > Browser settings in Keycloak
  • or sending a 'kc_idp_hint' param when redirecting to the Keycloak login page from the EnMasse console

However, I would like it if this could be done automatically for any new realms created in Keycloak by EnMasse.

@k-wall
Member

k-wall commented Sep 11, 2018

We will externalise kc_idp_hint so its value may be set from an environment variable, which can then be set at deployment time. For the deployment case above, it would be configured to redirect to the openshift login url directly, answering the requirement.

In addition, where a deployment has been so configured, we think there should be a way to restore the default behaviour on a per-login basis. To allow for this, there will be an EnMasse-specific url parameter that, if set, discards the override provided from the environment and reverts to default keycloak behaviour (i.e. directing to the keycloak login page). A user requiring a keycloak authentication rather than openshift could then be furnished with a specially crafted link that will lead them to the correct authentication page.

@k-wall
Member

k-wall commented Sep 18, 2018

Agent uses the Keycloak Node.js Adapter v3.4.3. From what I can see from this API, there is no built-in support for adding the parameter kc_idp_hint into the endpoint url and no mechanism either for adding arbitrary parameters. I checked the latest release v4.4.0 too and the situation is unchanged. Other Keycloak client APIs do allow this option to be overridden.

There is an ugly-duck patch approach to solve this problem as follows. This could be made configurable from the environment/suitably encoded. However, as this method doesn't see the request, it wouldn't be possible to allow the effect of the override to be undone on a per-request basis. Obviously this approach would be brittle.

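        // Keep a reference to the adapter's original loginUrl implementation.
        Keycloak.prototype.loginUrl_inner = Keycloak.prototype.loginUrl;
        // Wrap it so every generated login URL carries the identity provider hint.
        Keycloak.prototype.loginUrl = function(uuid, redirect) {
            return this.loginUrl_inner(uuid, redirect) + "&kc_idp_hint=openshift-v3";
        };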

Another approach would be to stop using the nodejs adapter entirely and implement directly against the endpoints. I'd like to talk to the keycloak folks first.
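
One way to express the design described in the comments above (a deployment-time hint plus a per-login opt-out), as an added example that is not EnMasse code and not part of the thread. The environment variable `KEYCLOAK_IDP_HINT` and the opt-out parameter `disable_idp_hint` are hypothetical names, and the sample URL is constructed; the hint is set through the URL API rather than string concatenation, and values that are not a plain alias are rejected.

```javascript
// Added example, not EnMasse code. KEYCLOAK_IDP_HINT and disable_idp_hint are
// hypothetical names; kc_idp_hint is the Keycloak parameter named in the issue.
const HINT_ENV_VAR = 'KEYCLOAK_IDP_HINT';
const OPT_OUT_PARAM = 'disable_idp_hint';

// Identity provider aliases are restricted here to a conservative character
// set so a bad deployment value cannot smuggle extra query parameters.
const ALIAS_PATTERN = /^[A-Za-z0-9_-]{1,64}$/;

// env: object shaped like process.env; requestQuery: parsed query of the
// incoming console request (for example req.query in an Express-style app).
function resolveIdpHint(env, requestQuery) {
  const hint = env[HINT_ENV_VAR];
  if (!hint || !ALIAS_PATTERN.test(hint)) return null; // unset or malformed
  // Per-login opt-out: presence of the parameter restores the Keycloak page.
  if (Object.prototype.hasOwnProperty.call(requestQuery, OPT_OUT_PARAM)) return null;
  return hint;
}

function withIdpHint(loginUrl, env, requestQuery) {
  const url = new URL(loginUrl);
  // Drop any hint already present so only the deployment value is honoured.
  url.searchParams.delete('kc_idp_hint');
  const hint = resolveIdpHint(env, requestQuery);
  if (hint !== null) url.searchParams.set('kc_idp_hint', hint);
  return url.toString();
}

// Constructed sample login URL (host, realm and client are made up).
const SAMPLE_LOGIN_URL =
  'https://keycloak.example.test/auth/realms/demo/protocol/openid-connect/auth' +
  '?client_id=console&state=abc123' +
  '&redirect_uri=https%3A%2F%2Fconsole.example.test%2Fcb&response_type=code';

const deployed = { KEYCLOAK_IDP_HINT: 'openshift-v3' };
console.log(withIdpHint(SAMPLE_LOGIN_URL, deployed, {}));
console.log(withIdpHint(SAMPLE_LOGIN_URL, deployed, { disable_idp_hint: '1' }));
```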

@k-wall
Member

k-wall commented Oct 4, 2018

Fixed by #1651/#1713

@k-wall k-wall closed this as completed Oct 4, 2018