
Add keycloak authentication

Open mspasiano opened this issue 3 years ago • 7 comments

Together with my colleague @GiorgioBart we have extended the authentication method to https://github.com/keycloak

mspasiano avatar Apr 14 '22 10:04 mspasiano

We have defined some environment variables:

  • KEYCLOAK_ENABLE
  • KEYCLOAK_URL
  • KEYCLOAK_REALM
  • KEYCLOAK_CLIENTID
  • KEYCLOAK_USERINFO_ATTRIBUTE

mspasiano avatar Apr 14 '22 11:04 mspasiano

This sounds useful! A few notes:

  • keycloak implements open authentication standards. I don't think there is a reason to make wbo dependent on keycloak instead of being generic and working with any openid connect provider.
  • If I'm not mistaken, the most important part is missing: the server side token verification logic.

lovasoa avatar Apr 14 '22 13:04 lovasoa

Any further improvements @mspasiano? I'm really looking forward to it ;-)

matbgn avatar Jun 07 '22 15:06 matbgn

We shouldn't have to take more than an optional oidc discovery url. Keycloak implements the standard oidc protocol; I don't think this should be keycloak-specific, mention a realm, or need a "userinfo" configuration.

lovasoa avatar Jun 07 '22 15:06 lovasoa

> We shouldn't have to take more than an optional oidc discovery url. Keycloak implements the standard oidc protocol; I don't think this should be keycloak-specific, mention a realm, or need a "userinfo" configuration.

You could use this: https://www.npmjs.com/package/openid-client. What do you think? If you think it's appropriate I can take care of it; I did the same thing for PeerTube: https://www.npmjs.com/package/peertube-plugin-oidc-cnr

mspasiano avatar Jun 08 '22 09:06 mspasiano

Yes, we can use an external lib. But we should keep compatibility with the existing jwt authentication mechanism described in https://github.com/lovasoa/whitebophir#authentication

lovasoa avatar Jun 14 '22 21:06 lovasoa