Remove the 'Authorize Access' screen from the login flow #1534
Comments
EnMasse doesn't actually need the |
From looking at keycloak I see EnMasse doesn't need the information from the The way we can solve this problem is switch from the use of the service account constrained form of OAuth client to a normal oauth client. The full form supports a I've tested this approach on the command line, switch from the service account to the created one. It confirms that the step from the workflow is removed. Implementing this solution should be a case of refactoring templates/build/enmasse-latest/ansible/roles/standard_authservice_config/tasks/main.yml to create the oauth client (and a secret) rather than use the service account. No changes to keycloak controller required. The tests that interact with the authorise step will need to be changed. |
…t form. Allows finer control of the login workflow when authenticating with openshift credentials. Fixes EnMasseProject#1534
…t form. Allows finer control of the login workflow when authenticating with openshift credentials. Fixes EnMasseProject#1534
…t form. Allows finer control of the login workflow when authenticating with openshift credentials. Fixes EnMasseProject#1534
…t form. Allows finer control of the login workflow when authenticating with openshift credentials. Fixes EnMasseProject#1534
…t form. Allows finer control of the login workflow when authenticating with openshift credentials. Also automatically push clientId, clientSecret and base url changes from keycloak configmap to the realms of exsiting addressspace spaces. Fixes EnMasseProject#1534
Remove this
The reason I'm asking for this is improve the login flow & user experience for a setup where multiple middleware products are running on an OpenShift cluster.
The goal in this scenario is to have a smooth single signon experience where the user only signs in once e.g. to openshift, and is seamlessly signed into all other products that are pre-installed in the openshift cluster
This
Authorize Access
screen doesn't make sense in the context of single signon across a number of products from the 1 provider.It introduces an extra step in the flow, which:
It is my understanding the reason for this message popping up is because a ServiceAccount OAuth Client is used to provide openshift identity against EnMasse's keycloak.
One option to avoid this is to use a full OAuth Client that has a
grandMethod
ofauto
.There may be other options
The text was updated successfully, but these errors were encountered: