feat: add keycloak authentication closes #1634 #1716
Conversation
|
For local setup and testing of this I have used the following configuration, which is not included in the PR as its just config: Added a keycloak instance to the docker-compose: # # keycloak for testing oauth integration
keycloak:
image: quay.io/keycloak/keycloak:26.0.6
environment:
- KC_BOOTSTRAP_ADMIN_USERNAME=admin
- KC_BOOTSTRAP_ADMIN_PASSWORD=admin
ports:
- 8888:8080
command: start-devThen in Keycloak I have created an OAuth application with this exported config config.jsonSome Javascript{
"clientId": "bailo-app",
"name": "",
"description": "",
"rootUrl": "",
"adminUrl": "",
"baseUrl": "",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"secret": "rG59lqdDgfhWBmZuV7uOP3RfVCLPlYPD",
"redirectUris": [
"http://localhost:8080/api/connect/keycloak/callback"
],
"webOrigins": [
"*"
],
"notBefore": 0,
"bearerOnly": false,
"consentRequired": false,
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": true,
"publicClient": false,
"frontchannelLogout": true,
"protocol": "openid-connect",
"attributes": {
"realm_client": "false",
"oidc.ciba.grant.enabled": "false",
"client.secret.creation.time": "1735734708",
"backchannel.logout.session.required": "true",
"post.logout.redirect.uris": "+",
"oauth2.device.authorization.grant.enabled": "true",
"display.on.consent.screen": "false",
"backchannel.logout.revoke.offline.tokens": "false"
},
"authenticationFlowBindingOverrides": {},
"fullScopeAllowed": true,
"nodeReRegistrationTimeout": -1,
"protocolMappers": [
{
"name": "Client Host",
"protocol": "openid-connect",
"protocolMapper": "oidc-usersessionmodel-note-mapper",
"consentRequired": false,
"config": {
"user.session.note": "clientHost",
"id.token.claim": "true",
"introspection.token.claim": "true",
"access.token.claim": "true",
"claim.name": "clientHost",
"jsonType.label": "String"
}
},
{
"name": "Client IP Address",
"protocol": "openid-connect",
"protocolMapper": "oidc-usersessionmodel-note-mapper",
"consentRequired": false,
"config": {
"user.session.note": "clientAddress",
"id.token.claim": "true",
"introspection.token.claim": "true",
"access.token.claim": "true",
"claim.name": "clientAddress",
"jsonType.label": "String"
}
},
{
"name": "Client ID",
"protocol": "openid-connect",
"protocolMapper": "oidc-usersessionmodel-note-mapper",
"consentRequired": false,
"config": {
"user.session.note": "client_id",
"id.token.claim": "true",
"introspection.token.claim": "true",
"access.token.claim": "true",
"claim.name": "client_id",
"jsonType.label": "String"
}
}
],
"defaultClientScopes": [
"web-origins",
"acr",
"profile",
"roles",
"basic",
"email"
],
"optionalClientScopes": [
"address",
"phone",
"organization",
"offline_access",
"microprofile-jwt"
],
"access": {
"view": true,
"configure": true,
"manage": true
}
}And then ensure the inherited user roles allow users to call realm management to list user just if needed as a reference for local testing (myself included incase I lost this!) |
There was a problem hiding this comment.
Did you consider having two separate connectors, one for oauthCognito and one for oauthKeyloak? It might be slightly clearer to keep them separate rather than have one with conditional logic. The conditional logic might just be one if statement currently but more will be needed when support for groups and roles are added. Having them separate will probably make adding changes to either the Cognito or Keycloak implementations easier. I don't think there is much difference though, let me know your thoughts.
There was a problem hiding this comment.
I think this bullet point you've included in an earlier comment summarises the drawback in have a single connector like you have here "enabling a toggle system based on the config for the application to load the correct provider". The connector design itself is a toggle and so your implementation is adding a toggle within a toggle.
There was a problem hiding this comment.
I think the reasoning for going with this implementation is then each client type say you had a google oauth or azure entra is a future version, the flexibility provided comes from each client has a config and then the main oauth connector acts as a 'resolver'. So this implementation seemed to fit with the existing design to an extent with code seperated for the client and connector type
The challenge of splitting the connectors/clients completely apart would probably be duplication of code despite simplifying the configuration. I was aiming to take inspiration from next-auth where you have a general OAuth Connector and then configure your client to use for that OAuth connection. e.g?
/~https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/index.ts
/~https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/cognito.ts
I think your lead on which way to implement is obviously best as I want to alter your codebase, so for the rest of comments for now I'll fix with the current implementation where possible but we can look at how this get structured. Either way is a trade of in flexibility at either a config or code level really.
backend/src/clients/keycloak.ts
Outdated
| } catch (err) { | ||
| throw InternalError('Error when querying Keycloak for users.', { err }) | ||
| } | ||
| const resultsData = await results.json() as any[] |
There was a problem hiding this comment.
I would recommend using a type guard here rather than using a type assertion with an array of type any
There was a problem hiding this comment.
See here for an example /~https://github.com/gchq/Bailo/blob/main/backend/src/clients/registry.ts#L61
There was a problem hiding this comment.
added in new commit
backend/src/clients/keycloak.ts
Outdated
| }, | ||
| body: params | ||
| }) | ||
| const data = await response.json() as { access_token: string } |
There was a problem hiding this comment.
See other comment about using type guards rather type assertions.
There was a problem hiding this comment.
added as above let me know if anything else needed
|
|
||
| let results | ||
| try { | ||
| results = await fetch(url, { |
There was a problem hiding this comment.
Please use node-fetch as we have done for similar clients.
There was a problem hiding this comment.
utilised node-fetch and added types of Response to results
There was a problem hiding this comment.
Please update the helm chart configuration with these changes here /~https://github.com/gchq/Bailo/blob/main/infrastructure/helm/bailo/templates/bailo/bailo.configmap.yaml and the values file.
There was a problem hiding this comment.
updated chart with configmap and values changes.
backend/src/utils/config.ts
Outdated
| !config.oauth.keycloak && | ||
| !config.oauth.cognito | ||
| ) { | ||
| throw new Error('If OAuth is configured, either Keycloak or Cognito configuration must be provided.') |
There was a problem hiding this comment.
This error type would be well suited here
Bailo/backend/src/utils/error.ts
Line 55 in 7b4b784
backend/src/clients/keycloak.ts
Outdated
| let dnName: string | ||
| let realm: string | ||
| try { | ||
| if (!config?.oauth?.keycloak) { |
There was a problem hiding this comment.
For readability, I would recommend moving this if statement to just before the try statement.
There was a problem hiding this comment.
both this an configurationerror have been fixed, just missed them on a proof read
| @@ -114,11 +114,17 @@ export interface Config { | |||
| oauth: { | |||
| provider: string | |||
| grant: grant.GrantConfig | grant.GrantOptions | |||
| cognito: { | |||
| cognito?: { | |||
There was a problem hiding this comment.
Having optional blocks of configuration isn't something we've decided to do for things like this previously as you can see from the oauth block which would only be used if the oauth connector is selected. We define everything anyway in the default configuration as a method of documenting example configuration so everything should always been defined there. This is another reason (in addition to /~https://github.com/gchq/Bailo/pull/1716/files#r190195685) why I'd have two separate connectors that can be chosen using the existing authentication connector config value rather than the presence of an optional config block. Most of the other existing optional config like the oauth config is very similar to this and is connector related and it only get used if the relevant connector is selected. As we don't explicitly define any of the configuration as optional though, it probably would a good idea to include this in documentation. I'll make a note to include this information in the connector documentation we're planning on adding.
There was a problem hiding this comment.
I've added my thoughts around this to the top comment, let me know what you would prefer and I'm happy to add around this as needed
|
Hi @JR40159! I've responded to comments to add fixes/test and added my thoughts around the oauth config stuff. lmk what you think! |
Affected core subsystem(s)
Alterations of the backend to support keycloak as an OAuth mechanism for user lookup functionality.
Description of change
I've got grant working with keycloak using the below config:
To support this authentication mechanism the backend needs updating to support another client from cognito so the code changes made are in aim of supporting multiple providers naively. This required the following changes:
The aim is you can do this with the config:
so you could use either keycloak or cognito and dont need to specifiy one or the other if they are not required, but i'll take your guidance on how we do this multiple provider interactivity!
Appreciate this is naïve implementation so feedback is appreciated!