Merge pull request #17 from nordeck/keycloak-origin-internal

Alternative Keycloak address for internal access
nordeck · Feb 26, 2024 · dc321c5 · dc321c5
2 parents ab28a29 + 3b97684
commit dc321c5
Show file tree

Hide file tree

Showing 7 changed files with 28 additions and 5 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 FROM denoland/deno
-LABEL version="v20231029"
+LABEL version="v20240226"
 
 WORKDIR /app
 
@@ -8,6 +8,7 @@ RUN deno cache /app/adapter.ts
 RUN chown deno:deno /app/config.ts
 
 ENV KEYCLOAK_ORIGIN "https://ucs-sso-ng.mydomain.corp"
+ENV KEYCLOAK_ORIGIN_INTERNAL ""
 ENV KEYCLOAK_REALM "ucs"
 ENV KEYCLOAK_CLIENT_ID "jitsi"
 ENV JWT_ALG "HS256"

diff --git a/adapter.ts b/adapter.ts
@@ -13,6 +13,7 @@ import {
   KEYCLOAK_CLIENT_ID,
   KEYCLOAK_MODE,
   KEYCLOAK_ORIGIN,
+  KEYCLOAK_ORIGIN_INTERNAL,
   KEYCLOAK_REALM,
   PORT,
 } from "./config.ts";
@@ -107,7 +108,7 @@ async function getToken(
   search: string,
   hash: string,
 ): Promise<string | undefined> {
-  const url = `${KEYCLOAK_ORIGIN}/realms/${KEYCLOAK_REALM}` +
+  const url = `${KEYCLOAK_ORIGIN_INTERNAL}/realms/${KEYCLOAK_REALM}` +
     `/protocol/openid-connect/token`;
   const bundle = `path=${encodeURIComponent(path)}` +
     `&search=${encodeURIComponent(search)}` +
@@ -120,6 +121,8 @@ async function getToken(
   data.append("redirect_uri", redirectURI);
   data.append("code", code);
 
+  if (DEBUG) console.log(`getToken url: ${url}`);
+  if (DEBUG) console.log(`getToken redirectURI: ${redirectURI}`);
   if (DEBUG) console.log(`getToken data:`);
   if (DEBUG) console.log(data);
 
@@ -152,7 +155,7 @@ async function getUserInfo(
   token: string,
 ): Promise<Record<string, unknown> | undefined> {
   try {
-    const url = `${KEYCLOAK_ORIGIN}/realms/${KEYCLOAK_REALM}` +
+    const url = `${KEYCLOAK_ORIGIN_INTERNAL}/realms/${KEYCLOAK_REALM}` +
       `/protocol/openid-connect/userinfo`;
     const res = await fetch(url, {
       headers: {
@@ -197,7 +200,10 @@ async function tokenize(req: Request): Promise<Response> {
 
   // get the access token from Keycloak if the short-term auth code is valid
   const token = await getToken(host, code, path, search, hash);
-  if (!token) return unauthorized();
+  if (!token) {
+    if (DEBUG) console.log(`Could not get Keycloak's access token`);
+    return unauthorized();
+  }
 
   // get the user info from Keycloak by using the access token
   const userInfo = await getUserInfo(token);
@@ -295,6 +301,7 @@ async function handler(req: Request): Promise<Response> {
 // -----------------------------------------------------------------------------
 function main() {
   console.log(`KEYCLOAK_ORIGIN: ${KEYCLOAK_ORIGIN}`);
+  console.log(`KEYCLOAK_ORIGIN_INTERNAL: ${KEYCLOAK_ORIGIN_INTERNAL}`);
   console.log(`KEYCLOAK_REALM: ${KEYCLOAK_REALM}`);
   console.log(`KEYCLOAK_CLIENT_ID: ${KEYCLOAK_CLIENT_ID}`);
   console.log(`KEYCLOAK_MODE: ${KEYCLOAK_MODE}`);

diff --git a/charts/jitsi-keycloak-adapter/templates/deployment.yaml b/charts/jitsi-keycloak-adapter/templates/deployment.yaml
@@ -64,6 +64,8 @@ spec:
               {{- else }}
               value: "https://{{- .Values.global.hosts.keycloak}}.{{ .Values.global.domain }}"
               {{- end }}
+            - name: KEYCLOAK_ORIGIN_INTERNAL
+              value: {{ .Values.settings.keycloakOriginInternal | quote }}
             - name: KEYCLOAK_REALM
               value: {{ .Values.settings.keycloakRealm | quote }}
             - name: KEYCLOAK_CLIENT_ID

diff --git a/config.ts b/config.ts
@@ -1,6 +1,8 @@
 // keycloak
 export const KEYCLOAK_ORIGIN = Deno.env.get("KEYCLOAK_ORIGIN") ||
   "https://ucs-sso-ng.mydomain.corp";
+export const KEYCLOAK_ORIGIN_INTERNAL =
+  Deno.env.get("KEYCLOAK_ORIGIN_INTERNAL") || KEYCLOAK_ORIGIN;
 export const KEYCLOAK_REALM = Deno.env.get("KEYCLOAK_REALM") || "ucs";
 export const KEYCLOAK_CLIENT_ID = Deno.env.get("KEYCLOAK_CLIENT_ID") || "jitsi";
 export const KEYCLOAK_MODE = Deno.env.get("KEYCLOAK_MODE") || "query";

diff --git a/docs/setup-docker.md b/docs/setup-docker.md
@@ -25,6 +25,7 @@ Tested with Jitsi `stable-8960` images.
 docker run -d \
   -p "9000:9000/TCP" \
   -e KEYCLOAK_ORIGIN=https://ucs-sso-ng.mykeycloak.tld \
+  -e KEYCLOAK_ORIGIN_INTERNAL= \
   -e KEYCLOAK_REALM=myrealm \
   -e KEYCLOAK_CLIENT_ID=myclientid \
   -e JWT_APP_ID=myappid \
@@ -33,7 +34,11 @@ docker run -d \
   ghcr.io/nordeck/jitsi-keycloak-adapter
 ```
 
-`KEYCLOAK_ORIGIN` must be resolvable and accessible for the container.
+`KEYCLOAK_ORIGIN` must be resolvable and accessible for users and the container.
+
+Set `KEYCLOAK_ORIGIN_INTERNAL` if `KEYCLOAK_ORIGIN` is not accessible for the
+container and the container should access `Keycloak` by using an internal
+address.
 
 `JWT_APP_ID` and `JWT_APP_SECRET` must be the same for both `keycloak-adapter`
 and `jitsi`.

diff --git a/docs/setup-minikube.md b/docs/setup-minikube.md
@@ -30,6 +30,7 @@ helm upgrade --install \
   --set jitsi.jvb.nodePort=30011 \
   --set jitsi.jvb.service.type="NodePort" \
   --set settings.keycloakOrigin="https://ucs-sso-ng.mydomain.corp" \
+  --set settings.keycloakOriginInternal="" \
   --set settings.keycloakRealm="ucs" \
   --set settings.keycloakClientId="jitsi" \
   --set settings.jwtAppId="myappid" \

diff --git a/docs/setup-standalone.md b/docs/setup-standalone.md
@@ -128,6 +128,11 @@ You may also use environment variables instead of updating this config file.
 
   Keycloak address
 
+- `KEYCLOAK_ORIGIN_INTERNAL`
+
+  Internal Keycloak address if `KEYCLOAK_ORIGIN` is not accessible for the
+  adapter service.
+
 - `KEYCLOAK_REALM`
 
   Keycloak realm