Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Limit keycloak redirect urls #491

Merged
merged 5 commits into from
Oct 20, 2020
Merged

Limit keycloak redirect urls #491

Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
7696a7c
Limit keycloak redirect urls
tolusha Oct 12, 2020
d3298ac
Fixes
tolusha Oct 19, 2020
16d926a
Fix
tolusha Oct 19, 2020
855d8de
Fixes
tolusha Oct 19, 2020
7fbb48a
Fixes
tolusha Oct 19, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion templates/keycloak_provision
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ if [ $? -eq 0 ]; then echo "Realm exists"; exit 0; fi \
-s clientId=$keycloakClientId \
-s id=$keycloakClientId \
-s 'webOrigins=["http://$cheHost", "https://$cheHost"]' \
-s 'redirectUris=["http://$cheHost/*", "https://$cheHost/*"]' \
-s 'redirectUris=["http://$cheHost/dashboard/", "https://$cheHost/dashboard/", "http://$cheHost/workspace-loader/", "https://$cheHost/workspace-loader/", "http://$cheHost/_app/loader.html", "https://$cheHost/_app/loader.html"]' \
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about an ability to get token from localhost? I kept in mind running local dashboard/workspace-loader instance without modifying redirects uris manually on each new cluster, but I assume it could also help chectl server:login do login through web interface, as https://github.com/int128/kubelogin is able to do.

I assume it should be safe to do since it's allowed on OpenShift.io oauth.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure that it is secure, who can confirm that?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ibuziuk Could you help to discover the answer here?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems _app/oauth.html needs to be added here as well https://github.com/eclipse/che/blob/master/assembly/assembly-root-war/src/main/webapp/_app/oauth.html.

What if we even add _app/* since we are sure that _app is an application hosted by Che Server and we don't really need to list them one by one. @skabashnyuk WDYT?

-s 'directAccessGrantsEnabled'=true \
-s publicClient=true \
&& $script create users -s username=admin \
Expand Down