#71: Keycloak Integration #160

Merged
merged 1 commit into from
Feb 16, 2023

oliveratfoodcoopx
Contributor

I am opening this PR although the integration is not complete yet.

NOTES:

  • I added import JSON files but commented out the line that handles these imports. The reason is that there is a known bug related to importing/exporting clients with credentials and the Client authentication switch is on.
  • Within the Keycloak server (login url: http://localhost:8080/admin/, credentials admin/admin) a client needs to be created, its Credentials set (within the Credentials tab) and its Client secret generated. This information needs to be set within the project's settings, under KEYCLOAK_CONFIG. For KEYCLOAK_ADMIN_CONFIG the same credentials can be used.

Further steps:

  • Replace LdapUser with KeycloakUserApiMixin
  • Disconnect Ldap-related models from Factories.
  • I added several tests throughout the issue. The idea behind these tests is to map, as much as possible, the current features the project has. So when the KeycloakUserApiMixin class replaces LdapUser, these exact same tests need to pass.
  • I am using the master realm for this integration because I was unable to make KeycloakAdmin work without getting `403: b'{"error":"unknown_error"}'`. I might have forgotten some settings, so more research is needed here.
  • Replace current Ldap groups with Keycloak Roles
  • Migrate all Ldap users to Keycloak. Exporting users from Ldap and importing them into Keycloak using a temporary password should be enough.

Ref: #71

@mk2301 mk2301 force-pushed the feature/#71/keycloak-integration branch from 9daac08 to 6d627f2 Compare January 9, 2023 10:29
@mk2301
Collaborator

mk2301 commented Jan 9, 2023

Why are all the tests failing? It seems like keycloak is not running.. I tried to rebase to the latest master

@mk2301
Collaborator

mk2301 commented Jan 15, 2023

Regarding the "403: unknown error", it is necessary to add the service account role "manage-users" to the client:

image

I will provide imports as soon as I am done
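
One way to confirm that the role assignment described in the comment above took effect is to decode the access token issued to the client's service account and check which roles it carries. This is an added example, not code from this PR; the tokens and client ids are constructed placeholders, and the payload is decoded without signature verification, for diagnosis only.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(padded))


def granted_roles(claims: dict) -> set:
    """Collect (source, role) pairs from realm_access and every resource_access entry."""
    pairs = {("realm", r) for r in claims.get("realm_access", {}).get("roles", [])}
    for client, entry in claims.get("resource_access", {}).items():
        pairs |= {(client, r) for r in entry.get("roles", [])}
    return pairs


def audit(token: str, required=frozenset({"manage-users"})) -> dict:
    """Report required roles that are missing and any roles granted beyond them."""
    pairs = granted_roles(jwt_claims(token))
    names = {role for _, role in pairs}
    return {
        "missing": sorted(required - names),
        "extra": sorted(p for p in pairs if p[1] not in required),
    }


def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed test data, not Keycloak output)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "constructed"])


# Constructed claims; the client ids are placeholders, not values from this project.
BEFORE = constructed_token({"azp": "example-client",
                            "realm_access": {"roles": ["offline_access"]}})
AFTER = constructed_token({"azp": "example-client",
                           "resource_access": {"example-admin-client":
                                               {"roles": ["manage-users", "manage-realm"]}}})

if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after: ", audit(AFTER))
```

The `extra` list is the least-privilege half of the check: anything beyond `manage-users` on the service account is worth a second look before the client secret goes into project settings.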

@mk2301
Collaborator

mk2301 commented Jan 24, 2023

TODOs:

  • Registration (create user from backend)
  • Authentication
  • Authorisation
  • Verify Email process
  • Password Change process
  • Password Reset
  • Logout
  • Check that user creation is transactional/synchronized between Tapir and Keycloak
  • Email Change process (Verify mail to new email address -> click on link executes the change)
  • Cleanup (logs, leftover code from previous attempts, ...)
  • Update Tests (or remove for now to get the application working in time)
  • Production Configuration for Keycloak
  • Check that the import of realm and clients works in the keycloak container

@mk2301
Collaborator

mk2301 commented Jan 30, 2023

I had to regenerate all migrations because I removed the python ldap module :(

@mk2301 mk2301 force-pushed the feature/#71/keycloak-integration branch 11 times, most recently from 620ddde to f6105cf Compare February 3, 2023 13:45
@mk2301 mk2301 force-pushed the feature/#71/keycloak-integration branch 6 times, most recently from 3da991b to 92903df Compare February 15, 2023 13:51
@mk2301 mk2301 changed the title Feature/#71/keycloak integration #71: Keycloak Integration Feb 15, 2023
@mk2301 mk2301 force-pushed the feature/#71/keycloak-integration branch 3 times, most recently from 7efb117 to a586ea7 Compare February 15, 2023 15:02
@mk2301 mk2301 force-pushed the feature/#71/keycloak-integration branch from a586ea7 to e3bf5f1 Compare February 15, 2023 16:56
@@ -3,7 +3,7 @@
<p>Als Genossenschaftsmitglied wirst du Miteigentümer:in des WirGarten Lüneburg. Das heißt, du
finanzierst
unser Gemeinschaftsunternehmen mit und hast bei allen zentralen Entscheidungen und Wahlen ein
Stimmrecht. Unter <a href="{{'wirgarten.coop.info_link'|parameter}}">Genossenschaft</a> haben
Stimmrecht. Unter <a href="{{'wirgarten.coop.info_link'|parameter}}" target="_blank">Genossenschaft</a> haben
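Review bot: the `target="_blank"` added to the Genossenschaft link comes without a `rel` attribute, and the href is filled from the configurable `wirgarten.coop.info_link` parameter, so the page opened in the new tab is outside this template's control. Add `rel="noopener noreferrer"` to the same `<a>` tag so the opened page does not receive a `window.opener` reference back to this one.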

Check warning

Code scanning / CodeQL

Potentially unsafe external link

External links without noopener/noreferrer are a potential security risk.
@mk2301 mk2301 force-pushed the feature/#71/keycloak-integration branch from e3bf5f1 to 1b29d02 Compare February 16, 2023 16:35
@mk2301 mk2301 force-pushed the feature/#71/keycloak-integration branch from 1b29d02 to 331c3e2 Compare February 16, 2023 17:19
@sonarcloud

sonarcloud bot commented Feb 16, 2023

SonarCloud Quality Gate failed.

  • Bugs: 12 (rating C)
  • Vulnerabilities: 0 (rating A)
  • Security Hotspots: 5 (rating E)
  • Code Smells: 26 (rating A)

  • Coverage: 0.0%
  • Duplication: 0.0%

@mk2301 mk2301 merged commit 78d8891 into master Feb 16, 2023