Saml or Oauth2 - Best bet for SSO and Plone 6 in 2022

erral · May 24, 2023, 6:17am

Hi ramiroluz:

We use nginx to expose Volto and Plone to the public, and we use a configuration like this to do so: bobtemplates.cs/volto.tpl at master · codesyntax/bobtemplates.cs · GitHub

With this configuration we have both www.domain.com and www.domain.com/api pointing the first to Volto and the second to Plone, and we get to expose /api and make the OIDC login process work.

BR,

ramiroluz · May 24, 2023, 1:40pm

Thank you @erral

We intend to adapt this conf to test local.

What is plone at the end? (Our site is Plone). We use backend and frontend as server names.

github.com

codesyntax/bobtemplates.cs/blob/master/bobtemplates/cs/cs_plone_volto_buildout/templates/volto.tpl#L75-L111


      
          location ~ /api($|/.*) {
              rewrite ^/api($|/.*) /VirtualHostBase/https/${configuration:server-name}:443/Plone/VirtualHostRoot/_vh_api$1 break;
              proxy_pass http://${buildout:projectname}plone;
              # Varnish
              # proxy_pass http://${buildout:projectname}varnish;
              # HAProxy
              # proxy_pass http://${buildout:projectname}haproxy;
          }
          
          
location ~ /\+\+api\+\+($|/.*) {
              rewrite ^/\+\+api\+\+($|/.*) /VirtualHostBase/https/${configuration:server-name}:443/Plone/++api++/VirtualHostRoot/$1 break;
              proxy_pass http://${buildout:projectname}plone;
              # Varnish
              # proxy_pass http://${buildout:projectname}varnish;
              # HAProxy
              # proxy_pass http://${buildout:projectname}haproxy;
          }
          
          
location ~ / {
              location ~* \.(js|jsx|css|less|swf|eot|ttf|otf|woff|woff2)$ {

This file has been truncated. show original

proxy_pass http://${buildout:projectname}plone;

Our default.conf:

upstream backend {
  server backend:8080;
}
upstream frontend {
  server frontend:3000;
}

server {
  listen 80  default_server;
  server_name  plone.localhost;

  location ~ /\+\+api\+\+($|/.*) {
      rewrite ^/(\+\+api\+\+\/?)+($|/.*) /VirtualHostBase/http/$server_name/Plone/++api++/VirtualHostRoot/$2 break;
      proxy_pass http://backend;
  }

  location ~ / {
      location ~* \.(js|jsx|css|less|swf|eot|ttf|otf|woff|woff2)$ {
          add_header Cache-Control "public";
          expires +1y;
          proxy_pass http://frontend;
      }
      location ~* static.*\.(ico|jpg|jpeg|png|gif|svg)$ {
          add_header Cache-Control "public";
          expires +1y;
          proxy_pass http://frontend;
      }

      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;
      proxy_redirect http:// https://;
      proxy_pass http://frontend;
  }
}

erral · May 24, 2023, 3:56pm

We use this template to autogenerate the nginx configuration ${buildout:projectname}plone is generated from buildout, and its definition is on the first lines of the file: bobtemplates.cs/volto.tpl at master · codesyntax/bobtemplates.cs · GitHub

In your case you would need to point to http://backend, because that's the name of the Plone backend service.

ramiroluz · May 24, 2023, 5:14pm

Thanks, I was wondering how the template was being rendered and the value. It unblocked me big. You have a beer if you like.

ramiroluz · June 6, 2023, 8:20pm

We have an issue with logout. When we go to localhost/api/acl_users/oidc/logout it fails complaining about the parameters. Maybe it relates to the keycloak version, 20.0.3.

The keycloak expects the folowing parameters:
* @param encodedIdToken Parameter "id_token_hint" as described in the specification.
* @param clientId Parameter "client_id" as described in the specification.
* @param postLogoutRedirectUri Parameter "post_logout_redirect_uri" as described in the specification with the URL to redirect after logout.

github.com

keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java#LL151C1-L153C146


      
          * @param encodedIdToken Parameter "id_token_hint" as described in the specification.
          * @param clientId Parameter "client_id" as described in the specification.
          * @param postLogoutRedirectUri Parameter "post_logout_redirect_uri" as described in the specification with the URL to redirect after logout.

The plugin sends only redirect_uri as a parameter for the logout api endpoint.

github.com

collective/pas.plugins.oidc/blob/45ed2565993c540d05ead285185e0223c7057593/src/pas/plugins/oidc/browser/view.py#L194


      
          redirect_uri = api.portal.get().absolute_url()
          
          
# Volto frontend mapping exception
          if redirect_uri.endswith('/api'):
              redirect_uri = redirect_uri[:-4]
          
          
args = {
              # 'state': session.get('end_session_state'),
              # TODO: ....
              # 'post_logout_redirect_uri': api.portal.get().absolute_url(),
              "redirect_uri": redirect_uri,
          }
          
          
pas = getToolByName(self.context, "acl_users")
          auth_cookie_name = pas.credentials_cookie_auth.cookie_name
          
          
# end_req = client.construct_EndSessionRequest(request_args=args)
          end_req = EndSessionRequest(**args)
          logout_url = end_req.request(client.end_session_endpoint)
          self.request.response.setHeader("Cache-Control", "no-cache, must-revalidate")
          # TODO: change path with portal_path

I may be able to create a pull request if I learn how to get the encoded id token for the id_token_hint parameter.