Saml or Oauth2 - Best bet for SSO and Plone 6 in 2022

erral · May 24, 2023, 6:17am

Hi ramiroluz:

We use nginx to expose Volto and Plone to the public, and we use a configuration like this to do so: bobtemplates.cs/volto.tpl at master · codesyntax/bobtemplates.cs · GitHub

With this configuration we have both www.domain.com and www.domain.com/api pointing the first to Volto and the second to Plone, and we get to expose /api and make the OIDC login process work.

BR,

ramiroluz · May 24, 2023, 1:40pm

Thank you @erral

We intend to adapt this conf to test local.

What is plone at the end? (Our site is Plone). We use backend and frontend as server names.

github.com

codesyntax/bobtemplates.cs/blob/master/bobtemplates/cs/cs_plone_volto_buildout/templates/volto.tpl#L75-L111


      
          location ~ /api($|/.*) {
              rewrite ^/api($|/.*) /VirtualHostBase/https/${configuration:server-name}:443/Plone/VirtualHostRoot/_vh_api$1 break;
              proxy_pass http://${buildout:projectname}plone;
              # Varnish
              # proxy_pass http://${buildout:projectname}varnish;
              # HAProxy
              # proxy_pass http://${buildout:projectname}haproxy;
          }
          
          
location ~ /\+\+api\+\+($|/.*) {
              rewrite ^/\+\+api\+\+($|/.*) /VirtualHostBase/https/${configuration:server-name}:443/Plone/++api++/VirtualHostRoot/$1 break;
              proxy_pass http://${buildout:projectname}plone;
              # Varnish
              # proxy_pass http://${buildout:projectname}varnish;
              # HAProxy
              # proxy_pass http://${buildout:projectname}haproxy;
          }
          
          
location ~ / {
              location ~* \.(js|jsx|css|less|swf|eot|ttf|otf|woff|woff2)$ {

This file has been truncated. show original

proxy_pass http://${buildout:projectname}plone;

Our default.conf:

upstream backend {
  server backend:8080;
}
upstream frontend {
  server frontend:3000;
}

server {
  listen 80  default_server;
  server_name  plone.localhost;

  location ~ /\+\+api\+\+($|/.*) {
      rewrite ^/(\+\+api\+\+\/?)+($|/.*) /VirtualHostBase/http/$server_name/Plone/++api++/VirtualHostRoot/$2 break;
      proxy_pass http://backend;
  }

  location ~ / {
      location ~* \.(js|jsx|css|less|swf|eot|ttf|otf|woff|woff2)$ {
          add_header Cache-Control "public";
          expires +1y;
          proxy_pass http://frontend;
      }
      location ~* static.*\.(ico|jpg|jpeg|png|gif|svg)$ {
          add_header Cache-Control "public";
          expires +1y;
          proxy_pass http://frontend;
      }

      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;
      proxy_redirect http:// https://;
      proxy_pass http://frontend;
  }
}

erral · May 24, 2023, 3:56pm

We use this template to autogenerate the nginx configuration ${buildout:projectname}plone is generated from buildout, and its definition is on the first lines of the file: bobtemplates.cs/volto.tpl at master · codesyntax/bobtemplates.cs · GitHub

In your case you would need to point to http://backend, because that's the name of the Plone backend service.

ramiroluz · May 24, 2023, 5:14pm

Thanks, I was wondering how the template was being rendered and the value. It unblocked me big. You have a beer if you like.

ramiroluz · June 6, 2023, 8:20pm

We have an issue with logout. When we go to localhost/api/acl_users/oidc/logout it fails complaining about the parameters. Maybe it relates to the keycloak version, 20.0.3.

The keycloak expects the folowing parameters:
* @param encodedIdToken Parameter "id_token_hint" as described in the specification.
* @param clientId Parameter "client_id" as described in the specification.
* @param postLogoutRedirectUri Parameter "post_logout_redirect_uri" as described in the specification with the URL to redirect after logout.

github.com

keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java#LL151C1-L153C146


      
          * @param encodedIdToken Parameter "id_token_hint" as described in the specification.
          * @param clientId Parameter "client_id" as described in the specification.
          * @param postLogoutRedirectUri Parameter "post_logout_redirect_uri" as described in the specification with the URL to redirect after logout.

The plugin sends only redirect_uri as a parameter for the logout api endpoint.

github.com

collective/pas.plugins.oidc/blob/45ed2565993c540d05ead285185e0223c7057593/src/pas/plugins/oidc/browser/view.py#L194


      
          redirect_uri = api.portal.get().absolute_url()
          
          
# Volto frontend mapping exception
          if redirect_uri.endswith('/api'):
              redirect_uri = redirect_uri[:-4]
          
          
args = {
              # 'state': session.get('end_session_state'),
              # TODO: ....
              # 'post_logout_redirect_uri': api.portal.get().absolute_url(),
              "redirect_uri": redirect_uri,
          }
          
          
pas = getToolByName(self.context, "acl_users")
          auth_cookie_name = pas.credentials_cookie_auth.cookie_name
          
          
# end_req = client.construct_EndSessionRequest(request_args=args)
          end_req = EndSessionRequest(**args)
          logout_url = end_req.request(client.end_session_endpoint)
          self.request.response.setHeader("Cache-Control", "no-cache, must-revalidate")
          # TODO: change path with portal_path

I may be able to create a pull request if I learn how to get the encoded id token for the id_token_hint parameter.

ramiroluz · June 15, 2023, 12:20pm

My efforts were frustrated. I could not find the correct value to fill the missing parameter correctly.

@macagua we may need an issue in pas.plugin.oidc can you help me check if there is an alternative to work with the KeyCloak 20.0.3. Maybe some option in KeyCloak to use the 19.0.3 api? Or, can we confirm we need to fix the lib?

It looks like the logout is not working also with the 19.0.3 version.

It maybe a configuration problem?

@erral do you know if the logout works for you?

mamico · June 23, 2023, 3:53pm

Hi @ramiroluz, please open an issue or rather a PR at GitHub - collective/pas.plugins.oidc: PAS plugin for OpenID Connect authentication, explaining your use case as well as possible.

We are using the product in many situations, but some parts of the product are still under development.

Sorry for my late reply, I have not followed the forum lately.

thanks

ramiroluz · July 6, 2023, 12:41pm

Will do. Thanks @mamico

ramiroluz · July 14, 2023, 1:41pm

I did created a PR, but a friend asked me about this other plugin: pas.plugins.authomatic · PyPI could you tell me the difference of the plugins please?

mamico · July 20, 2023, 4:32pm

As far as I know. pas.plugins.authomatic is based on the Authomatic framework and implements many specific providers such as Github, Twitter, ... using OAuth1, OAuth2, Openid2.0 (different from OpenIdConnect).

pas.plugins.oidc uses the oic library, an implementation of the OpenID Connect framework (How OpenID Connect Works - OpenID Foundation). The OpenIdConnect framework is based on OAuth2.0 and was probably defined after the implementation of Authomatic.

Eventually they are similar in many ways, you can probably also use pas.plugins.authomatic with your own keycloak server, implementing a specific local provider, or you can use pas.plugins.oidc to authenticate some of the public OAuth2 providers (like Google or Github, for instance).

At the time, I started implementing and using pas.plugins.oidc because I preferred a well-defined generic framework over many implementations of specific providers. But it depends...

ramiroluz · July 20, 2023, 5:27pm

Nice thank you.

erral · July 20, 2023, 7:26pm

for the record, we are successfully using pas.plugins.oidc to authenticate with 3 different providers: EU Login (an European Commision's service), Keycloak and Google.