Skip to content

Commit

Permalink
Merge branch 'develop' into mp/visyn_view_context
Browse files Browse the repository at this point in the history
  • Loading branch information
thinkh authored Sep 26, 2023
2 parents 5f39741 + 86c09c8 commit 3fb060e
Show file tree
Hide file tree
Showing 17 changed files with 1,972 additions and 71 deletions.
43 changes: 43 additions & 0 deletions deploy/oauth/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
## Oauth2-Proxy

Used to locally, manually test te behaviour of auth-reverse-proxies like ALB.

Based on the suggested docker images from the main [oauth2-proxy environment](https://github.com/oauth2-proxy/oauth2-proxy/tree/master/contrib/local-environment)

### Pre-requisites

Add this to your /etc/hosts (uncommented)

```
127.0.0.1 keycloak
127.0.0.1 oauth2-proxy
```

Credentials | admin/password
Email | [email protected]

# Configuration

Frontend env (common env in dev, different in prod) via webpack dotenv

## LOGOUT_URL

The logout url consists of multiple redirects. First we need to perform the oauth2 proxy sign out via calling `/oauth2/sign_out`.
This sign out procedure deletes the oauth2 cookie and redirects to the open id connect provider via `rd=...`. The redirect url must be an encoded url.
In our local test case, the redirect url will then point to keycloak's openid-connect logout: `auth/realms/{realm}/protocol/openid-connect/logout`. This ensures that the oidc provider also knows that the user should be logged out to prevent automatic redirects to the app with a valid cookie.

```
?rd=http://keycloak:9080/auth/realms/master/protocol/openid-connect/logout?redirect_uri=http://localhost:4180
```

- REFRESH_URL

Backend env

```env
VISYN_CORE__SECURITY__STORE__OAUTH2_SECURITY_STORE__ENABLE=true
VISYN_CORE__SECURITY__STORE__OAUTH2_SECURITY_STORE__ACCESS_TOKEN_HEADER_NAME=x-forwarded-access-token
VISYN_CORE__SECURITY__STORE__OAUTH2_SECURITY_STORE__COOKIE_NAME=_oauth2_proxy
VISYN_CORE__SECURITY__STORE__OAUTH2_SECURITY_STORE__SIGNOUT_URL=http://localhost:4180/oauth2/sign_out?rd=http%3A%2F%2Fkeycloak%3A9080%2Fauth%2Frealms%2Fmaster%2Fprotocol%2Fopenid-connect%2Flogout%3Fredirect_uri%3Dhttp%3A%2F%2Flocalhost%3A4180
```
39 changes: 39 additions & 0 deletions deploy/oauth/docker-compose.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
# Simplified variant of https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/local-environment/docker-compose-keycloak.yaml
version: '3.0'
services:
oauth2-proxy:
container_name: oauth2-proxy
image: quay.io/oauth2-proxy/oauth2-proxy:v7.3.0
command: --config /oauth2-proxy.cfg
hostname: oauth2-proxy
volumes:
- './oauth2-proxy.cfg:/oauth2-proxy.cfg'
restart: unless-stopped
depends_on:
- keycloak
network_mode: host
# required for oauth2-proxy.cfg - upstreams localhost, as the frontend isn't available inside docker

keycloak:
container_name: keycloak
image: jboss/keycloak:10.0.0
hostname: keycloak
command:
[
'-Djboss.socket.binding.port-offset=1000',
'-Dkeycloak.migration.action=import',
'-Dkeycloak.migration.provider=dir',
'-Dkeycloak.migration.dir=/realm-config',
'-Dkeycloak.migration.strategy=IGNORE_EXISTING',
]
volumes:
- ./keycloak:/realm-config
environment:
KEYCLOAK_USER: admin
KEYCLOAK_PASSWORD: password
ports:
- 9080:9080/tcp
# this docker image REALLY doesn't like to run in network-mode host
# requires this in your /etc/hosts (uncommented)
# 127.0.0.1 keycloak
# 127.0.0.1 oauth2-proxy
Loading

0 comments on commit 3fb060e

Please sign in to comment.