Skip to content

WIP: Keycloak Authentication

Lukas Möller requested to merge keycloak-auth into staging

Implements #33 (closed)

Implements keycloak authentication using keycloak-js. On the backend the custom authentication backend was removed in favor of a custom middleware that sets request.user. I also removed the session and messages middleware as they are no longer required. When the user first logs in a new user object is created - Maybe we should implement signup and login separately and show which data we use etc.

The backend now requires pyjwt and I removed grpcio which leads to faster install times.

I also changed the way the simulate_nonadmin mode works. Instead of mutating server-side session it sets a header. I have not yet implemented this in the frontend.

Currently the frontend redirects to vseth auth on every fresh page load. I am not sure if there is a secure way to prevent this because saving it in session-storage or localStorage could potentially be dangerous if there was an XSS vulnerability.

In theory I think we should also be able to remove the CSRF middleware and headers as we know have the auth header instead. Can someone confirm this / explain why that is not the case?

TODO:

  • Implement logout
  • Implement runtime config
  • Add env variables

→ Search TODO: in the changes tab

Edited by Lukas Möller

Merge request reports

Loading