Architecture/authentication conversation starter #504
Conversation
@poikilotherm, @johannes-darms {"status":"ERROR","message":"Bearer token detected, no OIDC provider configured"} I will try going through the documentation/code to see what I am missing.
I guess I am missing this: https://guides.dataverse.org/en/6.0/installation/oidc.html
{
  "id": "oidc-keycloak",
  "factoryAlias": "oidc",
  "title": "OIDC-Keycloak",
  "subtitle": "OIDC-Keycloak",
  "factoryData": "type: oidc | issuer: http://172.17.0.1:9080/realms/oauth2-proxy | clientId: oauth2-proxy | clientSecret: 72341b6d-7065-4518-a0e4-50ee15025608",
  "enabled": true
}
I will look at it tomorrow. Now I have: {"status":"ERROR","message":"Unauthorized bearer token"}
@ErykKul Dataverse and your client must access Keycloak via the same IP or domain name. Otherwise the token cannot be validated, cf. https://github.com/IQSS/dataverse/blob/08249f598569d3c40616ac93e63d9482fbe48c67/docker-compose-dev.yml#L167 You can test your OIDC setup with the old Dataverse UI. When this works, bearer tokens should magically work as well.
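The issuer check behind the comment above, as an added example that is not Dataverse's code: a minimal bearer-token validator in which the token's `iss` claim must equal the configured issuer string exactly, so a token minted while the browser reached Keycloak as `localhost` is rejected by a backend configured with the `172.17.0.1` issuer from the oidc.json posted earlier. The shared secret and HS256 signing are constructed here only to keep the example standard-library; Keycloak itself signs with RS256 against its published keys.

```python
import base64, hashlib, hmac, json, time

# Constructed example values: the issuer from the posted oidc.json, and a
# shared secret standing in for Keycloak's RS256 key pair.
CONFIGURED_ISSUER = "http://172.17.0.1:9080/realms/oauth2-proxy"
SECRET = b"constructed-example-secret"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(issuer: str, secret: bytes = SECRET, ttl: int = 300) -> str:
    """Build an HS256 JWT; iss is the URL the client actually reached Keycloak on."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": issuer, "sub": "user",
                                  "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_bearer(token: str, issuer: str = CONFIGURED_ISSUER,
                    secret: bytes = SECRET) -> tuple[bool, str]:
    """Return (ok, reason). The signature is checked before any claim is trusted."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= time.time():
        return False, "token expired"
    # OIDC requires an exact string match: localhost and 172.17.0.1 are
    # different issuers even when they point at the same Keycloak container.
    if claims.get("iss") != issuer:
        return False, f"issuer mismatch: {claims.get('iss')!r} != {issuer!r}"
    return True, "ok"
```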
I simplified the setup a lot. Now you only need to run the usual script to start the dev-env. Then you go to http://localhost:8000/spa/, as usual, and click log in (username: dataverseAdmin, password: password). Nevertheless, the bearer token is still not trusted by the backend. The current setup is very similar to the dev docker-compose from the Dataverse repo, so I am sure it must be possible to make it work. I might need the trick with the /etc/hosts file as done there, not sure yet.
Removing from the board for now, as discussed in the standup.
I'm on bff3a8d. I spun everything up and went to http://localhost:8000/spa and clicked "log in". After clicking "sign in with keycloak" I got an error... ... but I fixed this by editing /etc/hosts. I entered the credentials... ... but I was redirected to http://localhost:4180 (the JSF app on a different port than I started with) where I was not logged in. I tried going back to http://localhost:8000/spa but I wasn't logged in. At http://localhost:4180/spa I see the SPA but I was also not logged in.
It is the last step you were at where I am stuck: "At http://localhost:4180/spa I see the SPA but I was also not logged in."
I will try debugging it.
Yeah, same. Good luck! Let me know if I can help! Bearer tokens are definitely enabled. If you haven't seen this new API:
Almost there ("Bearer token detected, OIDC provider oidc-mpconfig validated Token but no linked UserAccount"). I removed the extra scripts; no additional steps are needed (no /etc/hosts edit or oidc.json config), just run the dev-env.
Go to http://localhost:8000 and click sign up to create user "user" (with email user@mailinator.com):
Create API token?
Log out (open a private window) and go to http://localhost:4180/api/v1/users/:me
Sign in with user "user" and password "password":
[#|2024-10-02T19:49:24.382+0000|WARNING|Payara 6.2024.6|edu.harvard.iq.dataverse.api.auth.BearerTokenAuthMechanism|_ThreadID=328;_ThreadName=http-thread-pool::http-listener-1(6);_TimeMillis=1727898564382;_LevelValue=900;|
This was an interesting experiment, but it is no longer needed. Closing.
What this PR does / why we need it:
Initial setup for authentication in SPA