pass through keycloak config

from backend to frontend via /config service
cryptomator · Feb 23, 2022 · 9051706 · 9051706
1 parent 7c03924
commit 9051706
Show file tree

Hide file tree

Showing 8 changed files with 29 additions and 102 deletions.
diff --git a/README.md b/README.md
@@ -32,14 +32,14 @@ During development, Keycloak is started as a Quarkus Dev Service using port 8180
 
 ### Testing rest services via CLI:
 
-First, access the keycloak admin web console and activate direct access grants for the `cryptomator-hub` realm.
+First, access the keycloak admin web console and activate direct access grants for the `cryptomator` realm.
 
 Then, retrieve an `access_token` from keycloak:
 
 ```
 export access_token=$(\
     curl -X POST http://localhost:8180/auth/realms/cryptomator/protocol/openid-connect/token \
-    --user cryptomator-hub:CHANGEME \
+    --user cryptomatorhub:CHANGEME \
     -H 'content-type: application/x-www-form-urlencoded' \
     -d 'username=owner&password=owner&grant_type=password' | jq --raw-output '.access_token' \
 )

diff --git a/backend/src/main/java/org/cryptomator/hub/spi/ConfigResource.java b/backend/src/main/java/org/cryptomator/hub/spi/ConfigResource.java
@@ -9,30 +9,31 @@
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
 import javax.ws.rs.core.MediaType;
-import java.util.StringJoiner;
-import java.util.StringTokenizer;
 
 @Path("/config")
 public class ConfigResource {
 
-	private static final String KC_REALM_DELIM = "/realms/";
+	@Inject
+	@ConfigProperty(name = "hub.keycloak.public-url", defaultValue = "")
+	String keycloakUrl;
+
+	@Inject
+	@ConfigProperty(name = "hub.keycloak.realm", defaultValue = "")
+	String keycloakRealm;
 
 	@Inject
-	@ConfigProperty(name = "quarkus.oidc.auth-server-url", defaultValue = "")
-	String oidcUrl;
+	@ConfigProperty(name = "quarkus.oidc.client-id", defaultValue = "")
+	String keycloakClientId;
 
 	@PermitAll
 	@GET
 	@Path("/")
 	@Produces(MediaType.APPLICATION_JSON)
 	public ConfigDto getConfig() {
-		int delimPos = oidcUrl.indexOf(KC_REALM_DELIM);
-		var kcBaseUrl = oidcUrl.substring(0, delimPos);
-		var kcRealmName = oidcUrl.substring(delimPos + KC_REALM_DELIM.length());
-		return new ConfigDto(kcBaseUrl, kcRealmName);
+		return new ConfigDto(keycloakUrl, keycloakRealm, keycloakClientId);
 	}
 
-	public record ConfigDto(@JsonProperty("keycloakUrl") String keycloakUrl, @JsonProperty("keycloakRealm") String keycloakRealm) {
+	public record ConfigDto(@JsonProperty("keycloakUrl") String keycloakUrl, @JsonProperty("keycloakRealm") String keycloakRealm, @JsonProperty("keycloakClientId") String keycloakClientId) {
 	}
 
 }
diff --git a/backend/src/main/resources/application.properties b/backend/src/main/resources/application.properties
@@ -3,18 +3,22 @@
 # * or env vars `QUARKUS_HTTP_PORT=8080`
 # see: https://quarkus.io/guides/config-reference#configuration-sources
 
+# Connection Params for Keycloak Public Client (quarkus.oidc.auth-server-url may use network-private hostname)
+hub.keycloak.public-url=http://localhost:8180/auth
+hub.keycloak.realm=cryptomator
+
 quarkus.http.port=8080
 
 quarkus.oidc.application-type=service
-quarkus.oidc.client-id=cryptomator-hub
+quarkus.oidc.client-id=cryptomatorhub
 
 # Keycloak dev service
 %dev.quarkus.keycloak.devservices.realm-path=dev-realm.json
 # TODO: realm-path needs to be in class path, i.e. under src/main/resources -> we might not want to include it in production jar though, so make use of maven profiles and specify optional resources https://github.com/quarkusio/quarkus-quickstarts/blob/f3f4939df30bcff062be126faaaeb58cb7c79fb6/security-keycloak-authorization-quickstart/pom.xml#L68-L75
 %dev.quarkus.keycloak.devservices.realm-name=cryptomator
 %dev.quarkus.keycloak.devservices.port=8180
 %dev.quarkus.keycloak.devservices.service-name=quarkus-cryptomator-hub
-%dev.quarkus.keycloak.devservices.image-name=quay.io/keycloak/keycloak:15.0.2
+%dev.quarkus.keycloak.devservices.image-name=quay.io/keycloak/keycloak:15.1.1
 %dev.quarkus.oidc.devui.grant.type=code
 # OIDC will be mocked during unit tests. Use fake auth url to prevent dev services to start:
 %test.quarkus.oidc.auth-server-url=http://localhost:43210/dev/null

diff --git a/backend/src/main/resources/dev-realm.json b/backend/src/main/resources/dev-realm.json
@@ -25,15 +25,15 @@
             "user"
           ],
           "client": {
-            "cryptomator-hub": [
+            "cryptomatorhub": [
               "vault-owner"
             ]
           }
         }
       }
     ],
     "client": {
-      "cryptomator-hub": [
+      "cryptomatorhub": [
         {
           "name": "vault-owner",
           "description": "Vault Owner"
@@ -62,7 +62,7 @@
   ],
   "scopeMappings": [
     {
-      "client": "cryptomator-hub",
+      "client": "cryptomatorhub",
       "roles": [
         "user",
         "admin"
@@ -72,7 +72,7 @@
   "clientScopeMappings": {
     "account": [
       {
-        "client": "cryptomator-hub",
+        "client": "cryptomatorhub",
         "roles": [
           "vault-owner"
         ]
@@ -81,7 +81,7 @@
   },
   "clients": [
     {
-      "clientId": "cryptomator-hub",
+      "clientId": "cryptomatorhub",
       "serviceAccountsEnabled": false,
       "publicClient": true,
       "name": "Cryptomator Hub",

diff --git a/frontend/src/common/auth.ts b/frontend/src/common/auth.ts
@@ -6,10 +6,9 @@ class Auth {
 
   static async build(cfg: ConfigDto): Promise<Auth> {
     const keycloak = newKeycloak({
-
-      url: `${cfg.keycloakUrl}`,
-      realm: `${cfg.keycloakRealm}`,
-      clientId: 'cryptomator-hub', // TODO: read from config
+      url: cfg.keycloakUrl,
+      realm: cfg.keycloakRealm,
+      clientId: cfg.keycloakClientId
     });
     await keycloak.init({
       onLoad: 'check-sso',

diff --git a/frontend/src/common/config.ts b/frontend/src/common/config.ts
@@ -8,7 +8,7 @@ const axios = AxiosStatic.create({
 });
 
 export class ConfigDto {
-  constructor(public keycloakRealm: string, public keycloakUrl: string) { }
+  constructor(public keycloakRealm: string, public keycloakUrl: string, public keycloakClientId: string) { }
 }
 
 class ConfigWrapper {

diff --git a/frontend/src/common/vaultconfig.ts b/frontend/src/common/vaultconfig.ts
@@ -18,7 +18,7 @@ export class VaultConfig {
     const kid = `hub+http://localhost:8080/vaults/${vaultId}`; // TODO: read from config
 
     const hubConfig: VaultConfigHeaderHub = {
-      clientId: 'cryptomator-hub', // TODO: read from config
+      clientId: cfg.keycloakClientId,
       authEndpoint: `${cfg.keycloakUrl}/realms/${cfg.keycloakRealm}/protocol/openid-connect/auth`, // TODO: read from config
       tokenEndpoint: `${cfg.keycloakUrl}/realms/${cfg.keycloakRealm}/protocol/openid-connect/token`, // TODO: read from config
       devicesResourceUrl: 'http://localhost:8080/devices/', // TODO: read from config

diff --git a/installation/k8s-hub.yml b/installation/k8s-hub.yml