diff --git a/Dockerfile b/Dockerfile
index 5d42020..1e592be 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 FROM denoland/deno
-LABEL version="v20231029"
+LABEL version="v20240226"
 WORKDIR /app
@@ -8,6 +8,7 @@ RUN deno cache /app/adapter.ts
 RUN chown deno:deno /app/config.ts
 ENV KEYCLOAK_ORIGIN "https://ucs-sso-ng.mydomain.corp"
+ENV KEYCLOAK_ORIGIN_INTERNAL ""
 ENV KEYCLOAK_REALM "ucs"
 ENV KEYCLOAK_CLIENT_ID "jitsi"
 ENV JWT_ALG "HS256"
diff --git a/adapter.ts b/adapter.ts
index cb4d58f..80fd2e9 100644
--- a/adapter.ts
+++ b/adapter.ts
@@ -13,6 +13,7 @@ import {
 KEYCLOAK_CLIENT_ID,
 KEYCLOAK_MODE,
 KEYCLOAK_ORIGIN,
+ KEYCLOAK_ORIGIN_INTERNAL,
 KEYCLOAK_REALM,
 PORT,
 } from "./config.ts";
@@ -107,7 +108,7 @@ async function getToken(
 search: string,
 hash: string,
 ): Promise {
- const url = `${KEYCLOAK_ORIGIN}/realms/${KEYCLOAK_REALM}` +
+ const url = `${KEYCLOAK_ORIGIN_INTERNAL}/realms/${KEYCLOAK_REALM}` +
 `/protocol/openid-connect/token`;
 const bundle = `path=${encodeURIComponent(path)}` +
 `&search=${encodeURIComponent(search)}` +
@@ -120,6 +121,8 @@ async function getToken(
 data.append("redirect_uri", redirectURI);
 data.append("code", code);
+ if (DEBUG) console.log(`getToken url: ${url}`);
+ if (DEBUG) console.log(`getToken redirectURI: ${redirectURI}`);
 if (DEBUG) console.log(`getToken data:`);
 if (DEBUG) console.log(data);
@@ -152,7 +155,7 @@ async function getUserInfo(
 token: string,
 ): Promise | undefined> {
 try {
- const url = `${KEYCLOAK_ORIGIN}/realms/${KEYCLOAK_REALM}` +
+ const url = `${KEYCLOAK_ORIGIN_INTERNAL}/realms/${KEYCLOAK_REALM}` +
 `/protocol/openid-connect/userinfo`;
 const res = await fetch(url, {
 headers: {
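Review bot: The changed `const url` line in getToken sends the token exchange to KEYCLOAK_ORIGIN_INTERNAL, and the getUserInfo hunk (@@ -152) does the same for userinfo, while KEYCLOAK_ORIGIN is kept for the rest of the flow (the config.ts hunk still makes it the fallback); nothing in either function says why two origins exist or that the internal one is a server-to-server path. I would put a comment above the line: `// backchannel call: token/userinfo go to the internal origin (config.ts falls back to KEYCLOAK_ORIGIN when it is empty); the browser-facing part of the flow stays on KEYCLOAK_ORIGIN`. Since fetch uses whatever scheme and certificate chain the internal origin carries, the startup log added in main() is where an operator will see the effective value, so the comment should point there. The bodies of getToken and getUserInfo continue outside these hunks.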
@@ -197,7 +200,10 @@ async function tokenize(req: Request): Promise {
 // get the access token from Keycloak if the short-term auth code is valid
 const token = await getToken(host, code, path, search, hash);
- if (!token) return unauthorized();
+ if (!token) {
+ if (DEBUG) console.log(`Could not get Keycloak's access token`);
+ return unauthorized();
+ }
 // get the user info from Keycloak by using the access token
 const userInfo = await getUserInfo(token);
@@ -295,6 +301,7 @@ async function handler(req: Request): Promise {
 // -----------------------------------------------------------------------------
 function main() {
 console.log(`KEYCLOAK_ORIGIN: ${KEYCLOAK_ORIGIN}`);
+ console.log(`KEYCLOAK_ORIGIN_INTERNAL: ${KEYCLOAK_ORIGIN_INTERNAL}`);
 console.log(`KEYCLOAK_REALM: ${KEYCLOAK_REALM}`);
 console.log(`KEYCLOAK_CLIENT_ID: ${KEYCLOAK_CLIENT_ID}`);
 console.log(`KEYCLOAK_MODE: ${KEYCLOAK_MODE}`);
diff --git a/charts/jitsi-keycloak-adapter/templates/deployment.yaml b/charts/jitsi-keycloak-adapter/templates/deployment.yaml
index f7cd4b5..e3235c0 100644
--- a/charts/jitsi-keycloak-adapter/templates/deployment.yaml
+++ b/charts/jitsi-keycloak-adapter/templates/deployment.yaml
@@ -64,6 +64,8 @@ spec:
 {{- else }}
 value: "https://{{- .Values.global.hosts.keycloak}}.{{ .Values.global.domain }}"
 {{- end }}
+ - name: KEYCLOAK_ORIGIN_INTERNAL
+ value: {{ .Values.settings.keycloakOriginInternal | quote }}
 - name: KEYCLOAK_REALM
 value: {{ .Values.settings.keycloakRealm | quote }}
 - name: KEYCLOAK_CLIENT_ID
diff --git a/config.ts b/config.ts
index 926adc2..1fc7fc8 100644
--- a/config.ts
+++ b/config.ts
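Review bot: The new failure branch at `if (!token) {` reports a failed token exchange only when DEBUG is set, so in a normal deployment a code that Keycloak rejects leaves no trace in the adapter's log; that is exactly the event an operator needs in order to notice a wrong KEYCLOAK_ORIGIN_INTERNAL or a reused code. The message carries no secret (the code is not interpolated), so it can be emitted unconditionally: `console.error(\`Could not get Keycloak's access token\`);` in place of the DEBUG-gated line. tokenize's body starts and ends outside the hunk.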
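Review bot: The new env entry renders `.Values.settings.keycloakOriginInternal`, but this diff carries no values.yaml hunk, so the key may be undefined in the chart's defaults; `quote` on a nil value renders `""`, and config.ts then falls back to KEYCLOAK_ORIGIN, which matches the Dockerfile default only by accident of template behaviour. The chart should declare the key explicitly, `keycloakOriginInternal: ""` under `settings:` in values.yaml, with a comment that an empty value means "same as keycloakOrigin", so the fallback is documented rather than implied.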
@@ -1,6 +1,8 @@
 // keycloak
 export const KEYCLOAK_ORIGIN = Deno.env.get("KEYCLOAK_ORIGIN") ||
 "https://ucs-sso-ng.mydomain.corp";
+export const KEYCLOAK_ORIGIN_INTERNAL =
+ Deno.env.get("KEYCLOAK_ORIGIN_INTERNAL") || KEYCLOAK_ORIGIN;
 export const KEYCLOAK_REALM = Deno.env.get("KEYCLOAK_REALM") || "ucs";
 export const KEYCLOAK_CLIENT_ID = Deno.env.get("KEYCLOAK_CLIENT_ID") || "jitsi";
 export const KEYCLOAK_MODE = Deno.env.get("KEYCLOAK_MODE") || "query";
diff --git a/docs/setup-docker.md b/docs/setup-docker.md
index fe432b5..c777a20 100644
--- a/docs/setup-docker.md
+++ b/docs/setup-docker.md
@@ -25,6 +25,7 @@ Tested with Jitsi `stable-8960` images.
 docker run -d \
 -p "9000:9000/TCP" \
 -e KEYCLOAK_ORIGIN=https://ucs-sso-ng.mykeycloak.tld \
+ -e KEYCLOAK_ORIGIN_INTERNAL= \
 -e KEYCLOAK_REALM=myrealm \
 -e KEYCLOAK_CLIENT_ID=myclientid \
 -e JWT_APP_ID=myappid \
@@ -33,7 +34,11 @@ docker run -d \
 ghcr.io/nordeck/jitsi-keycloak-adapter
 ```
-`KEYCLOAK_ORIGIN` must be resolvable and accessible for the container.
+`KEYCLOAK_ORIGIN` must be resolvable and accessible for users and the container.
+
+Set `KEYCLOAK_ORIGIN_INTERNAL` if `KEYCLOAK_ORIGIN` is not accessible for the
+container and the container should access `Keycloak` by using an internal
+address.
 `JWT_APP_ID` and `JWT_APP_SECRET` must be the same for both `keycloak-adapter`
 and `jitsi`.
diff --git a/docs/setup-minikube.md b/docs/setup-minikube.md
index 978d87c..ec643ee 100644
--- a/docs/setup-minikube.md
+++ b/docs/setup-minikube.md
@@ -30,6 +30,7 @@ helm upgrade --install \
 --set jitsi.jvb.nodePort=30011 \
 --set jitsi.jvb.service.type="NodePort" \
 --set settings.keycloakOrigin="https://ucs-sso-ng.mydomain.corp" \
+ --set settings.keycloakOriginInternal="" \
 --set settings.keycloakRealm="ucs" \
 --set settings.keycloakClientId="jitsi" \
 --set settings.jwtAppId="myappid" \
diff --git a/docs/setup-standalone.md b/docs/setup-standalone.md
index 4347034..b12d079 100644
--- a/docs/setup-standalone.md
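Review bot: The new `KEYCLOAK_ORIGIN_INTERNAL` export relies on `||` so that the empty string the Dockerfile, chart and docs pass collapses to `KEYCLOAK_ORIGIN`; that is the right operator here, but a later cleanup to `??` would silently break the fallback, so it deserves a comment: `// backchannel origin for token/userinfo calls; "" (the packaged default) means "same as KEYCLOAK_ORIGIN"`. A trailing slash in the value would yield `//realms/...` in the URLs adapter.ts builds from it; trimming once here, `(Deno.env.get("KEYCLOAK_ORIGIN_INTERNAL") || KEYCLOAK_ORIGIN).replace(/\/+$/, "")`, keeps that out of every caller. Whether the adapter validates the token issuer anywhere is not visible in this diff; if it does, the hostname Keycloak sees on the internal path can change what it puts in `iss` depending on its hostname settings, which the setup docs could mention.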
+++ b/docs/setup-standalone.md
@@ -128,6 +128,11 @@ You may also use environment variables instead of updating this config file.
 Keycloak address
+- `KEYCLOAK_ORIGIN_INTERNAL`
+
+ Internal Keycloak address if `KEYCLOAK_ORIGIN` is not accessible for the
+ adapter service.
+
 - `KEYCLOAK_REALM`
 Keycloak realm