Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

shell: Add defaultDexConnector option to automatically trigger login on a predefined Dex connector #3443

Merged
merged 2 commits into from
Sep 14, 2021
Merged

shell: Add defaultDexConnector option to automatically trigger login on a predefined Dex connector #3443

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e6346a7
shell: Add defaultDexConnector option to automatically trigger login …
JBWatenbergScality Aug 4, 2021
a06e266
shell: Review logout to clean the cookies of the domain when the end_…
JBWatenbergScality Aug 4, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
80 changes: 59 additions & 21 deletions shell-ui/src/auth/AuthProvider.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ import {
} from 'oidc-react';
import { useShellConfig } from '../initFederation/ShellConfigProvider';
import { getUserGroups } from '../navbar/auth/permissionUtils';
import { WebStorageStateStore } from 'oidc-client';
import { MetadataService, WebStorageStateStore } from 'oidc-client';

export function AuthProvider({ children }: { children: Node }) {
const { authConfig } = useAuthConfig();
Expand All @@ -25,6 +25,24 @@ export function AuthProvider({ children }: { children: Node }) {
return <OAuth2AuthProvider>{children}</OAuth2AuthProvider>;
}

function defaultDexConnectorMetadataService(connectorId: string) {
class DexDefaultConnectorMetadataService extends MetadataService {
getAuthorizationEndpoint() {
return this._getMetadataProperty('authorization_endpoint').then(
(authorizationEndpoint) => {
const queryParamas = new URLSearchParams(window.location.search);
if (!queryParamas.has('displayLoginChoice')) {
return authorizationEndpoint + '?connector_id=' + connectorId;
}
return authorizationEndpoint;
},
);
}
}

return DexDefaultConnectorMetadataService;
}

function OAuth2AuthProvider({ children }: { children: Node }) {
const { authConfig } = useAuthConfig();

Expand All @@ -39,6 +57,9 @@ function OAuth2AuthProvider({ children }: { children: Node }) {
loadUserInfo: true,
automaticSilentRenew: true,
monitorSession: false,
MetadataServiceCtor: authConfig.defaultDexConnector
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am wondering should we add this defaultDexConnector prop to type OIDCConfig?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done in db1812c

? defaultDexConnectorMetadataService(authConfig.defaultDexConnector)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's more a question:
If we want to use Dex to authenticate the users against a connector-based interface, how should we set the defaultDexConnector in runtime-app-configuration?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Didn't we start documenting all this rework of shell-ui? Would be useful IMO, both now for reviewers catching up with the progress, and in the future for maintenance / onboarding.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

defaultDexConnector should take the connector id as defined in dex configuration.
For example given the following Dex connectors configuration :

       connectors:
            - type: oidc
              id: keycloak
              name: Keycloak
              config:
                   //....

Providing keycloak as defaultDexConnector in runtime-app-configuration will automatically redirect the user to this connector.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've opened #3476 regarding the documentation and will address it as soon as possible

: MetadataService,
userStore: new WebStorageStateStore({ store: localStorage }),
});

Expand Down Expand Up @@ -95,28 +116,45 @@ export function useLogOut() {
let auth;
try {
auth = useOauth2Auth();
} catch(e) {
} catch (e) {
//If an exception is raised here it is likely because the app is not using OIDC auth kind, so we can ignore this
console.log('Failed to retrieve auth informations for OIDC auth kind', e)
console.log('Failed to retrieve auth informations for OIDC auth kind', e);
}

return {logOut: useCallback(() => {
if (!authConfig) {
return;
}

if (authConfig.kind === 'OAuth2Proxy') {
throw new Error('OAuth2Proxy authentication kind is not yet supported');
}
if (auth && auth.userManager) {
auth.userManager.revokeAccessToken();
if (authConfig.providerLogout) {
auth.userManager.signoutRedirect();
} else {
auth.userManager.removeUser();
location.reload();
return {
logOut: useCallback(() => {
if (!authConfig) {
return;
}
}
}, [JSON.stringify(authConfig), auth])}


if (authConfig.kind === 'OAuth2Proxy') {
throw new Error('OAuth2Proxy authentication kind is not yet supported');
}
if (auth && auth.userManager) {
auth.userManager.revokeAccessToken();
if (authConfig.providerLogout) {
auth.userManager.signoutRedirect().catch((e) => {
if (e.message === 'no end session endpoint') {
console.log(
"OIDC provider doesn't support end session endpoint, fallback to clearing document cookies",
);
document.cookie.split(';').forEach(function (c) {
document.cookie =
c.trim().split('=')[0] +
'=;' +
'expires=Thu, 01 Jan 1970 00:00:00 UTC;';
});
gdemonet marked this conversation as resolved.
Show resolved Hide resolved
} else {
console.error(e);
}
auth.userManager.removeUser();
location.reload();
});
} else {
auth.userManager.removeUser();
location.reload();
}
}
}, [JSON.stringify(authConfig), auth]),
};
}
3 changes: 2 additions & 1 deletion shell-ui/src/initFederation/ConfigurationProviders.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,8 @@ export type OIDCConfig = {
clientId: string,
responseType: string,
scopes: string,
providerLogout?: boolean
providerLogout?: boolean,
defaultDexConnector?: string,
};

type RuntimeWebFinger = {
Expand Down