feat: [WIP] Implement OIDC sign-in #9251
Draft
+6,979
−2,068
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
NGINX
🐋 Docker
hangy
commented
Nov 6, 2023
teolemon
changed the title
github-actions
bot
added
the
🏭 Producers Platform
github-actions
bot
added
💥 Merge Conflicts
This commit refactors the code in the `Display.pm` and `Keycloak.pm` files to update the generation of the keycloak account link. Previously, the `get_account_link` method in the `Keycloak.pm` file did not include the canonical URL of the current site in the generated link. This update adds the `url` parameter to the `get_account_link` method and modifies the link generation logic to include the canonical URL in the generated link. The changes in the `Display.pm` file involve updating the usage of the `get_account_link` method to pass the `canon_url` parameter. These changes improve the functionality and accuracy of the keycloak account link generation. See openfoodfacts/openfoodfacts-auth#36
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What
The main aim is to use Keycloak as an IdP, and connect Product Opener as a RP. We want to move the basics of user management out of Product Opener.
In the future, this can be used as a base to enable #1204 to be implemented, even though it will probably not be part of the initial change as to not blow up the PR too much. One important requirement is to keep compatibility with the current Basic Auth mechanism.
Screenshot
TBD
Related issue(s) and discussion
Adding a task list to track progress:
maincurrently has a lot of hard coded URLs)time ./scripts/migrate_users_to_keycloak.plwith around 400.000 synthetic accounts took about 45 minutes on my desktop PC in WSL2.Save for a later phase:
Example: If the users was on
fr.openfoodfacts.orgbefore signing up, and they change their locale to Spanish during registration in Keycloak, do we want them to be redirected to a Spanish page instead?Problem: Differentiating between first login (because of registration) and subsequent login would have to be done based on whether or not
${userid}.stoexists.Advantage: The client secret does not have to be exposed to the admin. However, they'll have access to the secret anyways, unless we were to store the secret in some kind of HSM.
Disadvantage: Some client configuration can be done during self-registration, but some necessary permissions like realm-management need to be configured manually by an admin, anyways.
To consider: This file currently contains information about the users' active sessions. Do we want to replace the opaque session identifier by an encrypted cookie? Also, we need some kind of directory to identify users that have used ProductOpener know if we have to do something when a deletion event comes in through Redis. (Obviously, this could be done in MongoDB or PostgreSQL instead, but is there a huge difference?)
Figure out how/if org management should be done in Keycloak(Done in MongoDB)Moved to
openfoodfacts-auth: