Uitid/pk 41 keycloak switch #408
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
erwin1
requested review from
corneelwille,
JurgenG and
JonasVHG
as code owners
grubolsch
requested changes
Nov 4, 2024
| @@ -81,7 +83,7 @@ Authorization: Bearer YOUR_ACCESS_TOKEN | |||
|
|
|||
| #### More info | |||
|
|
|||
| publiq currently uses [Auth0](https://auth0.com/) as the implementation of its authentication and authorization service. For more in-depth information about requesting client access tokens, see the [Auth0 documentation for the client\_credentials flow](https://auth0.com/docs/flows#client-credentials-flow). | |||
| publiq currently uses [Keycloak](https://www.keycloak.org/) as the implementation of its authentication and authorization service. For more in-depth information about requesting client access tokens, see the [OAuth 2.0 specification for the client\_credentials flow](https://datatracker.ietf.org/doc/html/rfc6749#section-4.4). | |||
There was a problem hiding this comment.
Is there any reason why we should communicate that we are using keycloak?
All urls/flows are just oauth compatible, and we do not link to any specific keycloak docs, so I would not give this information away.
This could be valuable info for a hacker with bad intensions.
There was a problem hiding this comment.
the reason is simple: Auth0 was mentioned and I changed Auth0 to Keycloak. It's a fair point we don't have to mention it. I'll rephrase.
OTOH it's not a secret (and shouldn't be) that we are using Keycloak. It's obvious in many other ways.
There was a problem hiding this comment.
Update: we also have this line: https://github.com/cultuurnet/apidocs/pull/408/files#diff-09205b70e866174fcdc81ff1f865f6208b9149eca7d675d3b0bf4589886034b6R15
So if we don't want to talk about keycloak we have to remove that line as well.
| @@ -15,7 +28,7 @@ See [requesting client credentials](./requesting-credentials.md) how to obtain a | |||
|
|
|||
| Additionally, we will need to configure the following settings for your client on our end: | |||
|
|
|||
| * **Login URL**: In some cases the authorization server will need to redirect the user back to a login URL on your application. This URL should point to a route in your application that ends up redirecting to the `/authorize` endpoint on publiq's authorization server, e.g. `https://example.com/login`. Note that it requires `https` and it cannot point to `localhost`. It can include query parameters and a URI fragment. | |||
| * **Login URL**: In some cases the authorization server will need to redirect the user back to a login URL on your application. This URL should point to a route in your application that ends up redirecting to the `/realms/uitid/protocol/openid-connect/auth` endpoint on publiq's authorization server, e.g. `https://example.com/login`. Note that it requires `https` and it cannot point to `localhost`. It can include query parameters and a URI fragment. | |||
| * **Callback URL(s)**: The absolute URL(s) of the page(s) where your users can be redirected back to after they log in. You can specify any callback URL whenever you redirect a user to the authorization server to log in, but it needs to be registered on our end first to prevent phishing attacks. For example `https://example.com/authorize` for your production application, and/or `https://localhost:8080/authorize` for local development. | |||
| * **Logout URL(s)**: The absolute URL(s) of the page(s) where you users can be redirected back to after they log out. You can specify any logout URL whenever you redirect a user to the authorization server to log out, but it needs to be registered on our end first to prevent phishing attacks. For example `https://example.com` if you want to redirect the user back to the homepage of your application after logging out, or `https://example.com/logged-out` if you want to redirect them to a page with a confirmation message like "You're logged out!" after logging out. Like callback URL(s), logout URL(s) may use `https://localhost` for local development. | |||
There was a problem hiding this comment.
Maybe add a line that it is end-slash sensitive ?
Common error.
| Auth server-->>User: Show login page | ||
| User-->>Auth server: Login and give consent | ||
| Auth server-->>Client: Redirect back to callback URL with authorization code | ||
| Client->>Auth server: POST /oauth/token with authorization code<br /> and client credentials | ||
| Client->>Auth server: POST /token with authorization code<br /> and client credentials |
There was a problem hiding this comment.
Suggested change
| Client->>Auth server: POST /token with authorization code<br /> and client credentials | |
| Client->>Auth server: POST /realms/uitid/protocol/openid-connect/token with authorization code<br /> and client credentials |
There was a problem hiding this comment.
This is the mermaid diagram and I explicitly chose to leave out the full path. Maybe I can reduce confusion further by getting rid of the /
This is how it looks like with the full path:
|
|
||
| <!-- theme: success --> | ||
|
|
||
| > ##### SDK | ||
| > | ||
| > If you want, you can use the [Regular Web Application SDK Libraries](https://auth0.com/docs/libraries#webapp) provided by Auth0 to implement this flow. | ||
| > It is a good practice to use an OpenID Connect compliant client SDK. SDKs exist in different languages and flavors, so the best choice greatly depends on your specific application. The OpenID.net website contains a list of [certicied](https://openid.net/developers/certified-openid-connect-implementations/) and [uncertified](https://openid.net/developers/uncertified-openid-connect-implementations/) SDKs. To configure your SDK you might need this configuration: `https://account-test.uitid.be/.well-known/openid-configuration`. |
There was a problem hiding this comment.
Same remark regarding mentioning Keycloak.
| @@ -159,11 +162,11 @@ sequenceDiagram | |||
| actor User | |||
| User-->>Client: Click login link | |||
| Client->>Client: Generate code_verifier and code_challenge | |||
| Client->>Auth server: Redirect to GET /authorize with code_challenge | |||
| Client->>Auth server: Redirect to GET /auth with code_challenge | |||
There was a problem hiding this comment.
Suggested change
| Client->>Auth server: Redirect to GET /auth with code_challenge | |
| Client->>Auth server: Redirect to GET /realms/uitid/protocol/openid-connect/auth with code_challenge |
| Auth server-->>User: Show login page | ||
| User-->>Auth server: Login and give consent | ||
| Auth server-->>Client: Redirect back to callback URL with authorization code | ||
| Client->>Auth server: POST /oauth/token with authorization code,<br /> client id and code_verifier | ||
| Client->>Auth server: POST /token with authorization code,<br /> client id and code_verifier |
There was a problem hiding this comment.
Suggested change
| Client->>Auth server: POST /token with authorization code,<br /> client id and code_verifier | |
| Client->>Auth server: POST /realms/uitid/protocol/openid-connect/token with authorization code,<br /> client id and code_verifier |
| @@ -430,9 +419,9 @@ The best way to check if a refresh token is expired is to exchange it for an acc | |||
|
|
|||
| When the user of your application wants to log out, clear any session data in your application including the user's access token and refresh token. If you have cached the [user's info](#user-info), make sure to also clear that. | |||
|
|
|||
| Afterward, you should **redirect** the user to the `/logout` URL on the authorization server so the user's session is also cleared there. This redirect will be invisible to the end user, as the authorization server will simply clear the user's session and then redirect back to your application based on a `?returnTo=...` URL parameter that you can specify. Note that you can only use an allowed "logout URL" as value for the `returnTo` URL parameter. (See [Requirements](#requirements)) | |||
| Afterward, you should **redirect** the user to the `/realms/uitid/protocol/openid-connect/logout` URL on the authorization server so the user's session is also cleared there. This redirect will be invisible to the end user, as the authorization server will simply clear the user's session and then redirect back to your application based on a `?post_logout_redirect_uris=...` URL parameter that you can specify. Note that you can only use an allowed "logout URL" as value for the `post_logout_redirect_uris` URL parameter. (See [Requirements](#requirements)) | |||
|
|
|||
There was a problem hiding this comment.
Maybe also add a paragraph about id_token_hint ?
There was a problem hiding this comment.
Fair point. It's mentioned in the link behind the link behind OpenID Connect RP-Initiated Logout in the following paragraph, but I can make it more explicit.
Co-authored-by: Koen Eelen <[email protected]>
…pidocs into uitid/PK-41-keycloak-switch
grubolsch
approved these changes
Nov 7, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changed
Ticket: https://jira.uitdatabank.be/browse/PK-41