
WIP: Keycloak Authentication

Lukas Möller requested to merge keycloak-auth into staging

Implements #33 (closed)

Implements Keycloak authentication using keycloak-js. On the backend the custom authentication backend was removed in favor of a custom middleware that sets request.user. I also removed the session and messages middleware as they are no longer required. When the user first logs in, a new user object is created. Maybe we should implement signup and login separately and show which data we use, etc.

The backend now requires pyjwt and I removed grpcio which leads to faster install times.

I also changed the way the simulate_nonadmin mode works. Instead of mutating server-side session it sets a header. I have not yet implemented this in the frontend.

Currently the frontend redirects to vseth auth on every fresh page load. I am not sure if there is a secure way to prevent this because saving it in session-storage or localStorage could potentially be dangerous if there was an XSS vulnerability.

In theory I think we should also be able to remove the CSRF middleware and headers, as we now have the auth header instead. Can someone confirm this / explain why that is not the case?

TODO:

  • Implement logout
  • Implement runtime config
  • Add env variables

→ Search TODO: in the changes tab

Edited by Lukas Möller
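Added example, not code from this merge request or the project: a framework-agnostic sketch of the header-only authentication middleware described above, written against a minimal stand-in for Django's request object so it runs offline with the standard library. It uses HS256 with a constructed shared secret; Keycloak normally issues RS256 tokens, which the project would verify with pyjwt against the realm's published keys. The header name X-Simulate-Nonadmin, the issuer and audience strings, and the claim layout (preferred_username, realm_access.roles) are assumptions. The code makes two points relevant to the questions in the description: the server pins the algorithm and checks exp, iss and aud instead of trusting the token, and credentials are read only from the Authorization header, which a browser never attaches on its own, so a cross-site request can never arrive authenticated (the condition under which a CSRF token adds nothing); the simulate header can only drop the admin role, never add it.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the example; a real deployment reads them from config.
SECRET = b"constructed-example-secret"
ISSUER = "https://auth.example.org/realms/demo"
AUDIENCE = "example-backend"
ADMIN_ROLE = "admin"
SIMULATE_HEADER = "X-Simulate-Nonadmin"  # hypothetical header name


class AuthError(Exception):
    """Raised when a presented token must not be trusted."""


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def example_claims(**overrides) -> dict:
    """A valid Keycloak-style claim set (constructed test data)."""
    claims = {"iss": ISSUER, "aud": AUDIENCE, "exp": time.time() + 300,
              "preferred_username": "alice", "realm_access": {"roles": [ADMIN_ROLE]}}
    claims.update(overrides)
    return claims


def make_token(claims: dict, alg: str = "HS256", secret: bytes = SECRET) -> str:
    """Mint a token (test helper only; in production Keycloak is the issuer)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> dict:
    """Check signature, algorithm, expiry, issuer and audience; return the claims."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header, sig = json.loads(_b64url_decode(header_b64)), _b64url_decode(sig_b64)
    except ValueError as exc:  # covers bad base64, bad JSON and wrong segment count
        raise AuthError("malformed token") from exc
    # Pin the algorithm server-side; never honour the token's own `alg`
    # (this rejects alg=none and RS256->HS256 confusion alike).
    if header.get("alg") != "HS256":
        raise AuthError("unexpected algorithm")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise AuthError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp") is None or now >= claims["exp"]:
        raise AuthError("token expired")
    if claims.get("iss") != ISSUER:
        raise AuthError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise AuthError("wrong audience")
    return claims


class AnonymousUser:
    is_authenticated, is_admin, username = False, False, ""


class User:
    is_authenticated = True

    def __init__(self, username: str, roles: list):
        self.username, self.roles = username, list(roles)

    @property
    def is_admin(self) -> bool:
        return ADMIN_ROLE in self.roles


class Request:
    """Minimal stand-in for Django's HttpRequest (constructed for the example)."""
    def __init__(self, headers: dict):
        self.headers = {k.lower(): v for k, v in headers.items()}
        self.user = AnonymousUser()


class Response:
    def __init__(self, status: int, body: str = ""):
        self.status_code, self.body = status, body


def auth_middleware(get_response):
    """Django-style middleware factory; identity comes from the Authorization header only."""
    def middleware(request):
        # Cookies are never consulted, so a cross-site page cannot make the
        # browser attach credentials: no ambient authority, hence no CSRF.
        auth = request.headers.get("authorization", "")
        if auth.startswith("Bearer "):
            try:
                claims = verify_token(auth[len("Bearer "):])
            except AuthError as exc:
                return Response(401, str(exc))
            roles = claims.get("realm_access", {}).get("roles", [])
            user = User(claims["preferred_username"], roles)
            # Simulated non-admin mode may only drop privileges, never add them.
            if user.is_admin and request.headers.get(SIMULATE_HEADER.lower()) == "1":
                user.roles.remove(ADMIN_ROLE)
            request.user = user
        return get_response(request)
    return middleware


def _view(request) -> Response:
    """Stand-in view: reports who the middleware says the caller is."""
    return Response(200, f"{request.user.username}:{'admin' if request.user.is_admin else 'user'}")


def handle(headers: dict) -> Response:
    """Run one request through the middleware (entry point for demo and tests)."""
    return auth_middleware(_view)(Request(headers))


if __name__ == "__main__":
    good = "Bearer " + make_token(example_claims())
    print(handle({"Authorization": good}).body)
    print(handle({"Authorization": good, SIMULATE_HEADER: "1"}).body)
    print(handle({"Authorization": "Bearer " + make_token(example_claims(), alg="none")}).body)
```

The middleware answers an invalid token with 401 and treats a missing one as anonymous, leaving the per-view decision to the view; with pyjwt the `verify_token` body collapses to one `jwt.decode(token, key, algorithms=["RS256"], audience=..., issuer=...)` call, and the point to carry over is the explicit `algorithms` list and the audience and issuer arguments.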
