Support alternate OIDC providers, to prepare for the switch from Keycloak to fabric8_auth
#8650
Conversation
davidfestal
requested review from
ashumilova,
benoitf,
riuvshin,
skabashnyuk and
vparfonov
as code owners
|
Can one of the admins verify this patch? |
|
Can one of the admins verify this patch? |
1 similar comment
|
Can one of the admins verify this patch? |
benoitf
added
the
status/code-review
| @@ -117,3 +121,18 @@ che.keycloak.github.endpoint=NULL | |||
|
|
|||
| # The number of seconds to tolerate for clock skew when verifying exp or nbf claims. | |||
| che.keycloak.allowed_clock_skew_sec=3 | |||
|
|
|||
| # Use the OIDC optional `nonce` feature to increase security. | |||
| che.keycloak.use_nonce=true | |||
There was a problem hiding this comment.
Hello @davidfestal , it seems it's missing properties in che.env
There was a problem hiding this comment.
wdym ? I see them in che.env here
dockerfiles/init/manifests/che.env
Outdated
| @@ -543,6 +543,9 @@ CHE_SINGLE_PORT=false | |||
| #CHE_KEYCLOAK_CLIENT__ID=che-public | |||
| #CHE_KEYCLOAK_ALLOWED__CLOCK__SKEW__SEC=3 | |||
| #CHE_KEYCLOAK_ADMIN_REQUIRE_UPDATE_PASSWORD=true | |||
| #CHE_KEYCLOAK_USE__NONCE=true | |||
There was a problem hiding this comment.
properties should be documented as it's for user editing (while the properties file is quite hidden)
There was a problem hiding this comment.
documented in the che.env file or in the docs as a separate PR ?
There was a problem hiding this comment.
in che.env like https://github.com/eclipse/che/blob/6897a6e8b45c3084639d748edc802247a90a6bc9/dockerfiles/init/manifests/che.env#L18-L21 (based on what you've commented on properties file
| @@ -43,4 +48,25 @@ public KeycloakConfigurationService(KeycloakSettings keycloakSettings) { | |||
| public Map<String, String> settings() { | |||
| return keycloakSettings.get(); | |||
| } | |||
|
|
|||
| @GET | |||
| @Path("/OIDCKeycloak.js") | |||
There was a problem hiding this comment.
I propose to make it in such way:
@Path("/{filename}")
public String javascriptAdapter(@PathParam("filename") String filename)
....
Thread.currentThread().getContextClassLoader().getResource("keycloak/" + filename);
...
if (file_not_found)
throw NotFoundException //(to be like 404 instead of epmty file)
There was a problem hiding this comment.
I would left it as is. Your proposal could be dangerous.
There was a problem hiding this comment.
@mshaposhnik what happens if I use ../ on filename ? could I get some private files ?
There was a problem hiding this comment.
@skabashnyuk @mshaposhnik I'll leave it as is then.
There was a problem hiding this comment.
Very unlikely. They should be under java classpath. But *.properties can be read, probably.
| # URL to the Keycloak Javascript adapter we want to use. | ||
| # if set to NULL, then the default used value is | ||
| # `${che.keycloak.auth_server_url}/js/keycloak.js`, | ||
| # or `<che-server>/wsmaster/keycloak/OIDCKeycloak.js` |
There was a problem hiding this comment.
Maybe call it something like OIDC_client.js ?
There was a problem hiding this comment.
well, it's the keycloak.js file modified to be OIDC compatible, but still the Keycloak Javascript adaper, hence this name.
| # URL to the Keycloak Javascript adapter we want to use. | ||
| # if set to NULL, then the default used value is | ||
| # `${che.keycloak.auth_server_url}/js/keycloak.js`, | ||
| # or `<che-server>/wsmaster/keycloak/OIDCKeycloak.js` |
There was a problem hiding this comment.
There is no /wsmaster URL's. Correct is /api
There was a problem hiding this comment.
Fixed in commit 8951eef
Documentation related to PR eclipse-che/che#8650
davidfestal
force-pushed
the
enable_oidc_providers_che6
branch
from
8951eef
to
bf36a52
Compare
|
Related documentation PR is here |
|
ci-test |
| @Named(CLIENT_ID_SETTING) String clientId, | ||
| @Nullable @Named(OIDC_PROVIDER_SETTING) String oidcProvider, | ||
| @Named(USE_NONCE_SETTING) boolean useNonce, | ||
| @Nullable @Named(OSO_ENDPOINT_SETTING) String osoEndpoint, | ||
| @Nullable @Named(GITHUB_ENDPOINT_SETTING) String gitHubEndpoint) { | ||
|
|
||
| if (serverURL == null && oidcProvider == null) { | ||
| LOG.error("Either the '" + AUTH_SERVER_URL_SETTING + "' or '" + OIDC_PROVIDER_SETTING + "' property should be set"); | ||
| this.settings = Collections.unmodifiableMap(new HashMap<String, String>()); |
There was a problem hiding this comment.
just throw throw new RuntimeExeception("Either the '" + AUTH_SERVER_URL_SETTING + "' or '" + OIDC_PROVIDER_SETTING + "' property should be set")
There was a problem hiding this comment.
or this an acceptable mode or not? maybe Collections.emptyMap()?
There was a problem hiding this comment.
if it's acceptable why log.error?
There was a problem hiding this comment.
Fixed in commit e1e4001
|
|
||
| if (oidcProvider == null && realm == null) { | ||
| LOG.error("The '" + REALM_SETTING + "' property should be set"); | ||
| this.settings = Collections.unmodifiableMap(new HashMap<String, String>()); |
There was a problem hiding this comment.
just throw throw new RuntimeExeception
There was a problem hiding this comment.
Fixed in commit e1e4001
| } | ||
|
|
||
| if (oidcProvider == null && realm == null) { | ||
| LOG.error("The '" + REALM_SETTING + "' property should be set"); |
There was a problem hiding this comment.
It's better to use parametrised method
|
Docs pr? |
|
ci-test build report: |
@skabashnyuk see comment #8650 (comment) |
Signed-off-by: David Festal <dfestal@redhat.com>
Signed-off-by: David Festal <dfestal@redhat.com>
These are exactly the same changes as those already done / approved in the GWT application main HTML file. Signed-off-by: David Festal <dfestal@redhat.com>
Signed-off-by: David Festal <dfestal@redhat.com>
davidfestal
force-pushed
the
enable_oidc_providers_che6
branch
from
5ca0128
to
7d24572
Compare
|
ci-test |
|
ci-test build report: |
|
ci-test |
|
ci-test build report: |
|
@davidfestal: selenium test launcher failed to create test users because it didn't find che realm "Resource not found for url: http://localhost:8080/auth/admin/realms/che/users".
|
|
@davidfestal from what I see che is not able to star from your branch on ocp |
|
@riuvshin David is in PTO until monday but had commented that yesterday:
|
|
@l0rd I deployed it locally, KC server is OK Im able to login as admin to KC but CHE server is down due to problems on start up in che logs: is that expected url based on that I can guess that it is calling wrong url OR this PR missing some other changes related to KC |
|
ci-test |
|
ci-test build report: |
|
Test report is OK |
benoitf
removed
the
status/code-review
* Add documentation for alternate OIDC providers Documentation related to PR eclipse-che/che#8650 * small type fix
…loak to `fabric8_auth` (#8650) Allow switching to an alternate OIDC provider (provided that it emits access tokens as JWT tokens). This is the implementation required in upstream Che, for issues redhat-developer/rh-che#502 and redhat-developer/rh-che#525 Signed-off-by: David Festal <dfestal@redhat.com>
…loak to `fabric8_auth` (eclipse-che#8650) Allow switching to an alternate OIDC provider (provided that it emits access tokens as JWT tokens). This is the implementation required in upstream Che, for issues redhat-developer/rh-che#502 and redhat-developer/rh-che#525 Signed-off-by: David Festal <dfestal@redhat.com>
What does this PR do?
This PR allows switching to an alternate OIDC provider (provided that it emits
access tokens as JWT tokens).
This is the CHE 6 equivalent of PR #8614 that has already been created against the CHE 5 maintenance branch.
What issues does this PR fix or reference?
This is the implementation required in upstream Che, for issues
redhat-developer/rh-che#502 and
redhat-developer/rh-che#525
Changes in dependencies
This PR depends on PR eclipse-che/che-dependencies#96 and the associated CQ.