-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support alternate OIDC providers, to prepare for the switch from Keycloak to fabric8_auth
#8650
Conversation
Can one of the admins verify this patch? |
Can one of the admins verify this patch? |
1 similar comment
Can one of the admins verify this patch? |
@@ -117,3 +121,18 @@ che.keycloak.github.endpoint=NULL | |||
|
|||
# The number of seconds to tolerate for clock skew when verifying exp or nbf claims. | |||
che.keycloak.allowed_clock_skew_sec=3 | |||
|
|||
# Use the OIDC optional `nonce` feature to increase security. | |||
che.keycloak.use_nonce=true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hello @davidfestal , it seems it's missing properties in che.env
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
wdym ? I see them in che.env
here
dockerfiles/init/manifests/che.env
Outdated
@@ -543,6 +543,9 @@ CHE_SINGLE_PORT=false | |||
#CHE_KEYCLOAK_CLIENT__ID=che-public | |||
#CHE_KEYCLOAK_ALLOWED__CLOCK__SKEW__SEC=3 | |||
#CHE_KEYCLOAK_ADMIN_REQUIRE_UPDATE_PASSWORD=true | |||
#CHE_KEYCLOAK_USE__NONCE=true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
properties should be documented as it's for user editing (while the properties file is quite hidden)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
documented in the che.env
file or in the docs as a separate PR ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
in che.env like https://github.com/eclipse/che/blob/6897a6e8b45c3084639d748edc802247a90a6bc9/dockerfiles/init/manifests/che.env#L18-L21 (based on what you've commented on properties file
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@@ -43,4 +48,25 @@ public KeycloakConfigurationService(KeycloakSettings keycloakSettings) { | |||
public Map<String, String> settings() { | |||
return keycloakSettings.get(); | |||
} | |||
|
|||
@GET | |||
@Path("/OIDCKeycloak.js") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I propose to make it in such way:
@Path("/{filename}")
public String javascriptAdapter(@PathParam("filename") String filename)
....
Thread.currentThread().getContextClassLoader().getResource("keycloak/" + filename);
...
if (file_not_found)
throw NotFoundException //(to be like 404 instead of epmty file)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would left it as is. Your proposal could be dangerous.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@mshaposhnik what happens if I use ../ on filename ? could I get some private files ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@skabashnyuk @mshaposhnik I'll leave it as is then.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Very unlikely. They should be under java classpath. But *.properties can be read, probably.
# URL to the Keycloak Javascript adapter we want to use. | ||
# if set to NULL, then the default used value is | ||
# `${che.keycloak.auth_server_url}/js/keycloak.js`, | ||
# or `<che-server>/wsmaster/keycloak/OIDCKeycloak.js` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe call it something like OIDC_client.js
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
well, it's the keycloak.js
file modified to be OIDC compatible, but still the Keycloak Javascript adaper, hence this name.
# URL to the Keycloak Javascript adapter we want to use. | ||
# if set to NULL, then the default used value is | ||
# `${che.keycloak.auth_server_url}/js/keycloak.js`, | ||
# or `<che-server>/wsmaster/keycloak/OIDCKeycloak.js` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is no /wsmaster
URL's. Correct is /api
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed in commit 8951eef
Documentation related to PR eclipse-che/che#8650
8951eef
to
bf36a52
Compare
Related documentation PR is here |
ci-test |
@Named(CLIENT_ID_SETTING) String clientId, | ||
@Nullable @Named(OIDC_PROVIDER_SETTING) String oidcProvider, | ||
@Named(USE_NONCE_SETTING) boolean useNonce, | ||
@Nullable @Named(OSO_ENDPOINT_SETTING) String osoEndpoint, | ||
@Nullable @Named(GITHUB_ENDPOINT_SETTING) String gitHubEndpoint) { | ||
|
||
if (serverURL == null && oidcProvider == null) { | ||
LOG.error("Either the '" + AUTH_SERVER_URL_SETTING + "' or '" + OIDC_PROVIDER_SETTING + "' property should be set"); | ||
this.settings = Collections.unmodifiableMap(new HashMap<String, String>()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
just throw throw new RuntimeExeception("Either the '" + AUTH_SERVER_URL_SETTING + "' or '" + OIDC_PROVIDER_SETTING + "' property should be set")
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
or this an acceptable mode or not? maybe Collections.emptyMap()
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if it's acceptable why log.error?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed in commit e1e4001
|
||
if (oidcProvider == null && realm == null) { | ||
LOG.error("The '" + REALM_SETTING + "' property should be set"); | ||
this.settings = Collections.unmodifiableMap(new HashMap<String, String>()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
just throw throw new RuntimeExeception
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed in commit e1e4001
} | ||
|
||
if (oidcProvider == null && realm == null) { | ||
LOG.error("The '" + REALM_SETTING + "' property should be set"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's better to use parametrised method
Docs pr? |
ci-test build report: |
@skabashnyuk see comment #8650 (comment) |
Signed-off-by: David Festal <dfestal@redhat.com>
Signed-off-by: David Festal <dfestal@redhat.com>
These are exactly the same changes as those already done / approved in the GWT application main HTML file. Signed-off-by: David Festal <dfestal@redhat.com>
Signed-off-by: David Festal <dfestal@redhat.com>
5ca0128
to
7d24572
Compare
ci-test |
ci-test build report: |
ci-test |
ci-test build report: |
@davidfestal: selenium test launcher failed to create test users because it didn't find che realm "Resource not found for url: http://localhost:8080/auth/admin/realms/che/users".
|
@davidfestal from what I see che is not able to star from your branch on ocp |
@riuvshin David is in PTO until monday but had commented that yesterday:
|
@l0rd I deployed it locally, KC server is OK Im able to login as admin to KC but CHE server is down due to problems on start up in che logs:
is that expected url based on that I can guess that it is calling wrong url OR this PR missing some other changes related to KC |
ci-test |
ci-test build report: |
Test report is OK |
* Add documentation for alternate OIDC providers Documentation related to PR eclipse-che/che#8650 * small type fix
…loak to `fabric8_auth` (#8650) Allow switching to an alternate OIDC provider (provided that it emits access tokens as JWT tokens). This is the implementation required in upstream Che, for issues redhat-developer/rh-che#502 and redhat-developer/rh-che#525 Signed-off-by: David Festal <dfestal@redhat.com>
…loak to `fabric8_auth` (eclipse-che#8650) Allow switching to an alternate OIDC provider (provided that it emits access tokens as JWT tokens). This is the implementation required in upstream Che, for issues redhat-developer/rh-che#502 and redhat-developer/rh-che#525 Signed-off-by: David Festal <dfestal@redhat.com>
What does this PR do?
This PR allows switching to an alternate OIDC provider (provided that it emits
access tokens as JWT tokens).
This is the CHE 6 equivalent of PR #8614 that has already been created against the CHE 5 maintenance branch.
What issues does this PR fix or reference?
This is the implementation required in upstream Che, for issues
redhat-developer/rh-che#502 and
redhat-developer/rh-che#525
Changes in dependencies
This PR depends on PR eclipse-che/che-dependencies#96 and the associated CQ.