docs: Add oauth2/keycloak test environment #86

Merged (2 commits), Sep 26, 2023
43 changes: 43 additions & 0 deletions deploy/oauth/README.md
@@ -0,0 +1,43 @@
## Oauth2-Proxy

Used to locally, manually test te behaviour of auth-reverse-proxies like ALB.

Based on the suggested docker images from the main [oauth2-proxy environment](https://github.com/oauth2-proxy/oauth2-proxy/tree/master/contrib/local-environment)

### Pre-requisites

Add this to your /etc/hosts (uncommented)

```
127.0.0.1 keycloak
127.0.0.1 oauth2-proxy
```

Credentials | admin/password
Email | [email protected]

# Configuration

Frontend env (common env in dev, different in prod) via webpack dotenv

## LOGOUT_URL

The logout url consists of multiple redirects. First we need to perform the oauth2 proxy sign out via calling `/oauth2/sign_out`.
This sign out procedure deletes the oauth2 cookie and redirects to the open id connect provider via `rd=...`. The redirect url must be an encoded url.
In our local test case, the redirect url will then point to keycloak's openid-connect logout: `auth/realms/{realm}/protocol/openid-connect/logout`. This ensures that the oidc provider also knows that the user should be logged out to prevent automatic redirects to the app with a valid cookie.

```
?rd=http://keycloak:9080/auth/realms/master/protocol/openid-connect/logout?redirect_uri=http://localhost:4180
```

- REFRESH_URL

Backend env

```env
VISYN_CORE__SECURITY__STORE__OAUTH2_SECURITY_STORE__ENABLE=true
VISYN_CORE__SECURITY__STORE__OAUTH2_SECURITY_STORE__ACCESS_TOKEN_HEADER_NAME=x-forwarded-access-token
VISYN_CORE__SECURITY__STORE__OAUTH2_SECURITY_STORE__COOKIE_NAME=_oauth2_proxy
VISYN_CORE__SECURITY__STORE__OAUTH2_SECURITY_STORE__SIGNOUT_URL=http://localhost:4180/oauth2/sign_out?rd=http%3A%2F%2Fkeycloak%3A9080%2Fauth%2Frealms%2Fmaster%2Fprotocol%2Fopenid-connect%2Flogout%3Fredirect_uri%3Dhttp%3A%2F%2Flocalhost%3A4180

```
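Review bot: The `- REFRESH_URL` bullet (between the LOGOUT_URL section and "Backend env") is left empty, so the frontend env list documents only one of the two variables it names; either describe what REFRESH_URL should point to or drop the bullet until it is documented. Smaller points in the same hunk: "test te behaviour" should read "test the behaviour"; `# Configuration` is a level-1 heading nested under the level-2 `## Oauth2-Proxy`, so the heading levels should be swapped or both bumped; and the two-line "Credentials | admin/password" / "Email | ..." fragment has no header row, so it will not render as a Markdown table. Since these are the admin credentials also hardcoded in the compose file, a one-line note that they are for the local test realm only would save a reader from reusing them elsewhere.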
39 changes: 39 additions & 0 deletions deploy/oauth/docker-compose.yaml
@@ -0,0 +1,39 @@
# Simplified variant of https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/local-environment/docker-compose-keycloak.yaml
version: '3.0'
services:
oauth2-proxy:
container_name: oauth2-proxy
image: quay.io/oauth2-proxy/oauth2-proxy:v7.3.0
command: --config /oauth2-proxy.cfg
hostname: oauth2-proxy
volumes:
- './oauth2-proxy.cfg:/oauth2-proxy.cfg'
restart: unless-stopped
depends_on:
- keycloak
network_mode: host
# required for oauth2-proxy.cfg - upstreams localhost, as the frontend isn't available inside docker

keycloak:
container_name: keycloak
image: jboss/keycloak:10.0.0
hostname: keycloak
command:
[
'-Djboss.socket.binding.port-offset=1000',
'-Dkeycloak.migration.action=import',
'-Dkeycloak.migration.provider=dir',
'-Dkeycloak.migration.dir=/realm-config',
'-Dkeycloak.migration.strategy=IGNORE_EXISTING',
]
volumes:
- ./keycloak:/realm-config
environment:
KEYCLOAK_USER: admin
KEYCLOAK_PASSWORD: password
ports:
- 9080:9080/tcp
# this docker image REALLY doesn't like to run in network-mode host
# requires this in your /etc/hosts (uncommented)
# 127.0.0.1 keycloak
# 127.0.0.1 oauth2-proxy
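Review bot: The compose file mounts `./oauth2-proxy.cfg` and `./keycloak` (the realm import directory), but neither file appears in this PR's two changed files, so `docker compose up` will fail on the missing config mount unless they are added here or the README says where they come from. Also, `depends_on: - keycloak` only orders container start and does not wait for Keycloak to be ready, so oauth2-proxy's first OIDC discovery will likely fail and rely on `restart: unless-stopped` to recover; a short note in the README (or a healthcheck on the keycloak service) would make that expected behaviour clear. Finally, `KEYCLOAK_PASSWORD: password` is fine for a local-only realm, but consider reading it from a `.env` file so the same compose file is not copied into a non-local setup with the default still in place.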