From 3e7b51da3313bcf441a224140247e90e66d62d27 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcell=20F=C3=BCl=C3=B6p?= Date: Thu, 9 Feb 2023 12:38:57 +0000 Subject: [PATCH 1/3] :arrow_up: Upgrade Keycloak-js dependency --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 13456c03..d0264ee6 100644 --- a/package.json +++ b/package.json @@ -27,7 +27,7 @@ "express": "^4.17.2", "frappe-charts": "^1.6.2", "js-yaml": "^4.1.0", - "keycloak-js": "^16.1.1", + "keycloak-js": "^20.0.3", "register-service-worker": "^1.7.2", "remedial": "^1.0.8", "rsup-progress": "^3.0.0", From d9740427eb4bfa3fa04f35ea33f9a078ec6f88ca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcell=20F=C3=BCl=C3=B6p?= Date: Thu, 9 Feb 2023 12:47:10 +0000 Subject: [PATCH 2/3] :adhesive_bandage: Allow Keycloak authentication to pass 'IdP Hint' * add App Config option for 'IdP Hint' under Keycloak Authentication * refactor the authentication trigger mechanism to allow direct call to keyjclaok-js adapter login() function * remove `onLoad` from construction options (as it belongs to init()) --- src/utils/ConfigSchema.json | 5 +++++ src/utils/KeycloakAuth.js | 12 ++++++------ 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/src/utils/ConfigSchema.json b/src/utils/ConfigSchema.json index bce7ddfe..a0994ae2 100644 --- a/src/utils/ConfigSchema.json +++ b/src/utils/ConfigSchema.json @@ -481,6 +481,11 @@ "type": "string", "description": "The Client ID of the client you created for use with Dashy" }, + "idpHint": { + "title" : "IdP hint", + "type": "string", + "description": "Set to the 'Alias' of an existing Identity Provider in the specified realm to skip the Keycloak login page and redirect straight to the external IdP for authentication" + }, "legacySupport": { "title": "Legacy Support", "type": "boolean", diff --git a/src/utils/KeycloakAuth.js b/src/utils/KeycloakAuth.js index 3903c780..05b6f7a6 100644 --- a/src/utils/KeycloakAuth.js +++ b/src/utils/KeycloakAuth.js @@ -13,25 +13,25 @@ class KeycloakAuth { constructor() { const { auth } = getAppConfig(); const { - serverUrl, realm, clientId, legacySupport, + serverUrl, realm, clientId, idpHint, legacySupport, } = auth.keycloak; const url = legacySupport ? `${serverUrl}/auth` : serverUrl; - const initOptions = { - url, realm, clientId, onLoad: 'login-required', - }; + const initOptions = { url, realm, clientId }; + const loginOptions = idpHint ? { idpHint } : {}; + this.loginOptions = loginOptions; this.keycloakClient = Keycloak(initOptions); } login() { return new Promise((resolve, reject) => { - this.keycloakClient.init({ onLoad: 'login-required' }) + this.keycloakClient.init({ onLoad: 'check-sso' }) .then((auth) => { if (auth) { this.storeKeycloakInfo(); return resolve(); } else { - return reject(new Error('Not authenticated')); + return this.keycloakClient.login(this.loginOptions); } }) .catch((reason) => reject(reason)); From 99fa9bcc3276bd24fe0f6c806410066374d362a8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcell=20F=C3=BCl=C3=B6p?= Date: Thu, 9 Feb 2023 13:40:31 +0000 Subject: [PATCH 3/3] :memo: Add documentation for 'appConfig.auth.keycloak.idpHint' option. --- docs/authentication.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/authentication.md b/docs/authentication.md index 46d5d395..535cc4ba 100644 --- a/docs/authentication.md +++ b/docs/authentication.md @@ -164,6 +164,8 @@ appConfig: Note that if you are using Keycloak V 17 or older, you will also need to set `legacySupport: true` (also under `appConfig.auth.keycloak`). This is because the API endpoint was updated in later versions. +If you use Keycloak with an external Identity Provier, you can set the `idpHint: 'alias-of-kc-idp'` option to allow the IdP Hint to be passed to Keycloak. This will cause Keycloak to skip its login page and redirect the user directly to the specified IdP's login page. Set to the value of the 'Alias' field of the desired IdP as defined in Keycloak under 'Identity Providers'. + ### 4. Add groups and roles (Optional) Keycloak allows you to assign users roles and groups. You can use these values to configure who can access various sections or items in Dashy.