
feat: support keycloak based login #309

Closed

Conversation

shreddedbacon
Member

@shreddedbacon shreddedbacon commented Dec 27, 2023

Checklist

  • Affected Issues have been mentioned in the Closing issues section
  • Documentation has been written/updated.
  • Changelog entry has been written

Description

This implements an auth handler that, if your lagoon-cli configuration has a keycloak url defined, will hand off the authentication to keycloak and redirect the user back to the cli once a token has been retrieved. To use this feature, you just need to use the --keycloak-url when adding a cluster configuration (or edit your cli configuration file manually) and point it to your lagoon provided keycloak bare url (eg. https://keycloak.example.com).

This also uses the oauth token refresh mechanism to automatically refresh the token if it expires. There are some conditions on this though: if the targeted keycloak has low SSO session values, then a user may be prompted to login more frequently as there are limits to the length of time an inactive session can use a refresh token. Lagoon administrators should configure sensible SSO session values in their keycloak configuration to prevent users from being frustrated by having to log in continuously.

It also changes the standard ssh token generation to use the grant option instead of the older token option, the grant option returns a standard oauth token instead of just the raw access token.

SSH token generation is still the default option for the cli for the time being so that tools in CI etc can still generate tokens as required. Eventually SSH token generation will be disabled by default, and users will need to update their configuration files to change the sshtoken value from false to true if they wish to use ssh tokens (see the config add documentation for the --ssh-token flag when adding a cluster configuration, or edit the configuration file manually).

Deprecation notice: The token field remains in the configuration file only for backwards compatibility, and to allow a transition for users from older versions of the CLI to any versions that this feature is released in. Eventually, the token field will be removed entirely in a future release and only the grant section will remain.

Usage example

# create config for local usage, disabling ssh-token authentication to force keycloak usage
$ lagoon --create-config --config-file=example-config.yml --lagoon local config add \
	--graphql "http://localhost:3000/graphql" \
	--hostname "localhost" \
	--port 2020 \
	--keycloak-url "http://localhost:8088" \
	--ssh-token=false

# attempt to list projects against local context (-l local), get prompt to login to keycloak
$ lagoon --config-file example-config.yml --lagoon local list projects 

Login to Keycloak at http://localhost:8088/auth/realms/lagoon/protocol/openid-connect/auth?kc_idp_hint=&access_type=online&client_id=lagoon-ui&code_challenge=d7jdYn1GNjr3V7lYrCU_M_JnOxrPdJlmME6-I55X4WU&code_challenge_method=S256&redirect_uri=http%3A%2F%2F127.0.0.1%3A32917&response_type=code&scope=openid+profile+email&state=state

You will then be prompted to log in normally via a browser
Once logged in, it will redirect you to let you know you've successfully logged in
When you return to the cli, you should see that it has logged in and returned your requested data

Successfully logged in.
ID	PROJECTNAME	GITURL                               	PRODUCTIONENVIRONMENT	DEVENVIRONMENTS 
18	lagoon-demo	ssh://git@example.com/lagoon-demo.git	main                 	3/5	

The login message and success are printed to stderr, so tools like jq can still process the stdout as required.

$ lagoon --config-file example-config.yml --lagoon local list projects --output-json | jq -r '.data'

Login to Keycloak at http://localhost:8088/auth/realms/lagoon/protocol/openid-connect/auth?kc_idp_hint=&access_type=online&client_id=lagoon-ui&code_challenge=bKlopqcmdX6VtauwHKNDATv_y45_vG0XNfA5tR7G1qs&code_challenge_method=S256&redirect_uri=http%3A%2F%2F127.0.0.1%3A42453&response_type=code&scope=openid+profile+email&state=state
Successfully logged in.
[
  {
    "devenvironments": "3/5",
    "giturl": "ssh://git@example.com/lagoon-demo.git",
    "id": "18",
    "productionenvironment": "main",
    "projectname": "lagoon-demo"
  }
]
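The login flow the description and transcript show (an authorization URL with a S256 code_challenge, a redirect_uri on an ephemeral 127.0.0.1 port, and the login prompt on stderr) is sketched below as an added, stand-alone Go example. It is not code from this PR or from lagoon-cli; the realm name `lagoon`, the client id `lagoon-ui` and the keycloak URL are taken from the transcript, while the function names, the random `state` value and the single-callback loopback server are this example's own assumptions. The state is generated per attempt and checked on the callback so that a redirect that does not belong to this login is rejected.

```go
package main

import (
	"context"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"os"
	"path"
)

// PKCE holds the per-attempt code verifier and its S256 challenge.
type PKCE struct{ Verifier, Challenge string }

// S256Challenge derives code_challenge from a verifier (RFC 7636, S256 method).
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// randomURLSafe returns n random bytes as unpadded base64url (fits verifier and state).
func randomURLSafe(n int) (string, error) {
	buf := make([]byte, n)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// NewPKCE generates a 256-bit random verifier and its challenge.
func NewPKCE() (PKCE, error) {
	v, err := randomURLSafe(32)
	if err != nil {
		return PKCE{}, err
	}
	return PKCE{Verifier: v, Challenge: S256Challenge(v)}, nil
}

// NewState returns an unguessable value that ties the callback to this attempt.
func NewState() (string, error) { return randomURLSafe(16) }

// AuthorizeURL builds the authorization URL in the shape the transcript prints.
func AuthorizeURL(keycloakURL, realm, clientID, redirectURI, challenge, state string) (string, error) {
	u, err := url.Parse(keycloakURL)
	if err != nil {
		return "", err
	}
	u.Path = path.Join("/", u.Path, "auth/realms", realm, "protocol/openid-connect/auth")
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("response_type", "code")
	q.Set("scope", "openid profile email")
	q.Set("code_challenge", challenge)
	q.Set("code_challenge_method", "S256")
	q.Set("state", state)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// ParseCallback validates the browser's redirect back to the CLI and extracts the code.
func ParseCallback(rawQuery, expectedState string) (string, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", err
	}
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("authorization failed: %s", e)
	}
	if q.Get("state") != expectedState {
		return "", errors.New("state mismatch: callback does not belong to this login attempt")
	}
	if q.Get("code") == "" {
		return "", errors.New("callback carries no authorization code")
	}
	return q.Get("code"), nil
}

// Result is what the loopback listener reports once the browser comes back.
type Result struct {
	Code string
	Err  error
}

// StartLoopback binds an ephemeral port on 127.0.0.1 (as the transcript's redirect_uri does),
// serves exactly one callback, reports it on the channel, then shuts the server down.
func StartLoopback(expectedState string) (string, <-chan Result, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", nil, err
	}
	ch := make(chan Result, 1)
	srv := &http.Server{}
	srv.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		code, err := ParseCallback(r.URL.RawQuery, expectedState)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
		} else {
			fmt.Fprintln(w, "Successfully logged in. You can close this tab.")
		}
		ch <- Result{Code: code, Err: err}
		go srv.Shutdown(context.Background())
	})
	go srv.Serve(ln)
	return "http://" + ln.Addr().String(), ch, nil
}

func main() {
	pk, _ := NewPKCE()
	state, _ := NewState()
	redirect, ch, err := StartLoopback(state)
	if err != nil {
		panic(err)
	}
	u, _ := AuthorizeURL("http://localhost:8088", "lagoon", "lagoon-ui", redirect, pk.Challenge, state)
	// Login prompt goes to stderr so stdout stays clean for tools like jq.
	fmt.Fprintln(os.Stderr, "Login to Keycloak at", u)
	r := <-ch
	if r.Err != nil {
		fmt.Fprintln(os.Stderr, "login failed:", r.Err)
		os.Exit(1)
	}
	fmt.Fprintln(os.Stderr, "Successfully logged in.")
	// Next step (not shown here): exchange r.Code together with pk.Verifier at the token endpoint.
}
```

Running it prints the Keycloak URL on stderr and blocks until the browser is redirected to the loopback port; the code exchange and the refresh-token handling the description mentions are left out of this example.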

@shreddedbacon
Member Author

Now part of #319
