Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Login Redirect #8

Closed
fmatuszewski opened this issue Oct 3, 2017 · 10 comments
Closed

Login Redirect #8

fmatuszewski opened this issue Oct 3, 2017 · 10 comments
Assignees
@felixheck
Labels
enhancement

Comments

@fmatuszewski
Copy link

How to make actual redirection to keycloak login window.
I thouth it will be done if request is not authorized.
But I just get 401 Unauthorized.
@felixheck
Copy link
Owner

felixheck commented Oct 4, 2017
edited
Loading

Hey @fmatuszewski,

this is currently just a solution for handling api rests and so on.
If you want such an option/feature, I'd like if you contribute to because I'm currently really busy — don't know when there'll be some time to solve this issue.

What's in my mind:

  • route-specific plugin option called redirect or something like that.
  • Accepts boolean. Default: false
  • keycloak-hapi has an existing concept

Just let me know if you'll push a PR, thanks!

@felixheck felixheck self-assigned this Oct 4, 2017
@felixheck felixheck mentioned this issue Oct 22, 2017
Closed
6 tasks
@nickrobillard nickrobillard mentioned this issue Dec 4, 2017
Closed
@felixheck
Copy link
Owner

Closed because of inactivity.
If the feature is needed please provide a proposal as PR.

@phal0r
Copy link

phal0r commented Jul 5, 2018

Hi @felixheck ,

thanks for this awesome plugin. I was making my way from keycloak-hapi, via your JIRA-Ticket in Keycloak to this repo :)

I am also interested in the authentication flow, since I use hapi also for ui routes. I think it would make sense to stick close to the configuration of the keycloak-connect middleware, where this is called bearerOnly: true/false. I will probably need it for one of my projects, so I will dig into this the next weeks/months.

@felixheck felixheck reopened this Jul 5, 2018
@felixheck
Copy link
Owner

felixheck commented Jul 5, 2018
edited
Loading

Hi @phal0r — thanks for your feedback, happy to hear that :)

I would like to discuss the details first.
So what exactly do you need, how would you expect it to work,...?

By personal preference would be:

  1. Add a plugin-specific route option like { ... plugins: { kjwt: { bearerOnly: false }}}
    Default is true.
  2. Use the concepts of the keycloak-connect middleware to get login url.
  3. Redirect if bearerOnly is falsy.

@felixheck
Copy link
Owner

felixheck commented Jul 5, 2018
edited
Loading

https://github.com/felixheck/hapi-auth-keycloak/tree/redirect

Feel free to use the release candidate.
See the API docs for further details.

Please provide feedback as soon as you've tried it.
I've currently no keycloak instance running, so it's hard to test :)

@phal0r
Copy link

phal0r commented Jul 7, 2018

@felixheck
wow, that was fast. What I have in mind currently is, that my hapi app should work out of the box with keycloak authentication (open id connect is fine). For APIs it is straight-forward, as they just expect a token via Authorization header and return 401/403 on missing token or missing scopes. For the app this means, there should be a way for the user to get valid credentials from the centralized login. I can think of 2 scenarios:

  1. I want my app to be secured and therefore auth mode is set to required. Hapi should automatically redirect to the centralized login if no valid credentials are present

  2. I want a mixed mode, where everyone can access the app meaning auth mode is set to optional or even try. The app wil be delivered and the business logic is responsible to take this into account. But anyways I would configure a /login-route, which should use the construction methods of the keycloak-connect middleware to construct a valid redirect url to the centralized login (looking at the source code, there are a lot of parameters with properties derived based on the config), which I don't want to reimplement :)

For redirecting to the keyloak login, the plugin should also automatically create callback-urls and handle the return values after a successful login. At this point the plugin will retrieve auth tokens and probably refresh tokens and they need to be stored somewhere. I open for debate on how this should be handled. Should the plugin just set a cookie with the token and handle everything related to it or do we need an extension point for more advanced integration regarding sessions. There will be a lot of scenarios, where business logic wants to access the token to get user information or other custom information.

I don't know, if there will be more requirements, but for now this would be a good starting point. I will definitely check your branch and provide feedback as soon as I engage authentication, but this might take some time. So please don't expect an answer on next monday :) But thanks a lot of for this fast implementation, I appreciate it very much.

@felixheck
Copy link
Owner

Feel free to contribute.
I'm currently quite busy with my master thesis and not able to add such features.

@felixheck
Copy link
Owner

Closed because of inactivity. Reopened on demand.

@phal0r
Copy link

phal0r commented Nov 26, 2018

Yeah, ok. It is still on our agenda, but there is still some conceptual stuff to do.

@felixheck
Copy link
Owner

If you wanna chat in a user-friendlier environment drop a line. We can discuss this stuff in Slack or the like. Really open for this feature but I don't have enough specification to implement it as a whole :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@felixheck felixheck

Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@phal0r @fmatuszewski @felixheck