WIP: Addition of keycloak for auth #514

Closed
wants to merge 1 commit into from

Conversation

isedwards
Member

@isedwards isedwards commented Sep 11, 2023

  • Adds keycloak and postgres containers
  • Adds additional nginx config

The proposed changes work with wis2box's existing architecture without altering any of the existing functionality.

Three additions are required before a first version can be merged:

  • Minor update is required to nginx/oauth2-conf.inc to ensure that the X-Groups header added by oauth2-proxy is forwarded to wis2box-auth
  • Updates to wis2box-auth's app.py are required to:
    1. Add add_group and remove_group (equivalent to existing add_token and remove_token)
    2. In addition to authorizing requests that are public, or where a simple token is included in the request, authorize will also authorize requests where the user's group (defined in keycloak and available to wis2box-auth in the X-Groups header) has permission to access the topic
  • Docs and tests
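To make the three-way `authorize` rule in the comment above concrete, here is an added, self-contained illustration. It is not wis2box-auth's `app.py` and does not reproduce that project's code: it assumes an in-memory store instead of the service's database, assumes that the `X-Groups` value from oauth2-proxy is a comma-separated list of group names, and assumes that a grant on a topic also covers its subtopics. The class names and method signatures are hypothetical. One practical point the example relies on is that `X-Groups` is only meaningful when it was set by the proxy; the nginx configuration in front of wis2box-auth should overwrite or strip any `X-Groups` header supplied by the client, otherwise the group check can be satisfied by a request header alone.

```python
"""Group-aware topic authorization, as an illustration of the proposed change.

Added example; not wis2box-auth's own code. Assumptions are marked inline.
"""
from typing import Dict, Optional, Set


class TopicAuthorizer:
    """Decides whether a request may access a WIS2 topic.

    A request is authorized if any of these holds, checked in order:
      1. the topic is public;
      2. the request carries a token granted for the topic;
      3. the user is in a group (from the proxy-set X-Groups header)
         granted for the topic.
    """

    def __init__(self) -> None:
        self.public: Set[str] = set()
        self.token_topics: Dict[str, Set[str]] = {}
        self.group_topics: Dict[str, Set[str]] = {}

    # -- token grants (the existing add_token/remove_token idea) -------------
    def add_token(self, token: str, topic: str) -> None:
        self.token_topics.setdefault(token, set()).add(topic)

    def remove_token(self, token: str, topic: str) -> bool:
        """Return True if a grant was actually removed."""
        topics = self.token_topics.get(token)
        if not topics or topic not in topics:
            return False
        topics.discard(topic)
        return True

    # -- group grants (the add_group/remove_group the PR proposes) -----------
    def add_group(self, group: str, topic: str) -> None:
        self.group_topics.setdefault(group, set()).add(topic)

    def remove_group(self, group: str, topic: str) -> bool:
        """Return True if a grant was actually removed."""
        topics = self.group_topics.get(group)
        if not topics or topic not in topics:
            return False
        topics.discard(topic)
        return True

    # -- request evaluation --------------------------------------------------
    @staticmethod
    def parse_groups_header(value: Optional[str]) -> Set[str]:
        """Assumption: X-Groups is a comma-separated list; absent means no groups."""
        if not value:
            return set()
        return {part.strip() for part in value.split(",") if part.strip()}

    @staticmethod
    def _covers(granted: Set[str], topic: str) -> bool:
        """Assumption: a grant on 'a/b' covers 'a/b' and 'a/b/...' but not 'a/bc'."""
        return any(topic == g or topic.startswith(g.rstrip("/") + "/") for g in granted)

    def authorize(self, topic: str, token: Optional[str] = None,
                  groups_header: Optional[str] = None) -> bool:
        if self._covers(self.public, topic):
            return True
        if token is not None and self._covers(self.token_topics.get(token, set()), topic):
            return True
        # Only trust groups_header when the proxy, not the client, set it.
        for group in self.parse_groups_header(groups_header):
            if self._covers(self.group_topics.get(group, set()), topic):
                return True
        return False


def build_demo() -> TopicAuthorizer:
    """Constructed sample grants used by the demo and the checks below."""
    auth = TopicAuthorizer()
    auth.public.add("origin/a/wis2/public")
    auth.add_token("tok-1", "origin/a/wis2/cen/private")
    auth.add_group("cen-staff", "origin/a/wis2/cen")
    return auth


if __name__ == "__main__":
    auth = build_demo()
    print(auth.authorize("origin/a/wis2/cen/private", groups_header="viewers, cen-staff"))
    print(auth.authorize("origin/a/wis2/cen/private", groups_header="viewers"))
```

The prefix rule in `_covers` deliberately appends a `/` before matching, so a grant on `origin/a/wis2/cen` does not leak into a sibling topic such as `origin/a/wis2/cenX`; whether wis2box-auth uses prefix or exact matching is not stated in the PR and would need to follow the real service.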

@isedwards
Member Author

I have an improved version of keycloak integration which now:
a) uses the standard keycloak docker image (without modifications)
b) replaces oauth2-proxy with Flask-OIDC which, since version 2.0, is now being maintained by the Fedora Infrastructure team

I have two questions for @tomkralidis before submitting an updated PR:

  1. Does keycloak integration have to work with localhost, or is it acceptable to just work with IP addresses (including internal addresses) and domain names? If we do need localhost support then I need to subclass Flask-OIDC
  2. I would benefit from more advanced templating in order to modify some of the configuration files before they are deployed. I'd argue for:
    • Not using pip install to install the wis2box packages system-wide and instead using a virtualenv - given that we can detect whether a virtualenv (in WIS2BOX_HOST_DATADIR) is activated and automatically activate it for the user as necessary
    • Including Jinja2 given we're not as restricted if we're not installing system-wide packages

I'd also like to suggest replacing the lengthy docker setup instructions in the Getting Started section with a single sentence along the lines of:

"Install docker engine, either by following the official instructions or by running the ./install-docker.sh script in the wis2box directory"

@isedwards isedwards closed this Oct 17, 2023
1 participant