Saml or Oauth2 - Best bet for SSO and Plone 6 in 2022

Hi ramiroluz:

We use nginx to expose Volto and Plone to the public, and we use a configuration like this to do so: bobtemplates.cs/volto.tpl at master · codesyntax/bobtemplates.cs · GitHub

With this configuration we have both www.domain.com and www.domain.com/api pointing the first to Volto and the second to Plone, and we get to expose /api and make the OIDC login process work.

BR,

2 Likes

Thank you @erral

We intend to adapt this conf to test locally.

What is plone at the end? (Our site is Plone). We use backend and frontend as server names.

proxy_pass http://${buildout:projectname}plone;

Our default.conf:

# Plone (Zope) backend and Volto frontend, addressed by their service names
upstream backend {
  server backend:8080;
}
upstream frontend {
  server frontend:3000;
}

server {
  listen 80  default_server;
  server_name  plone.localhost;

  # REST API traffic: everything under /++api++ goes to Plone, rewritten
  # through VirtualHostMonster so that URLs generated by Plone point back
  # at this host instead of at backend:8080.
  location ~ /\+\+api\+\+($|/.*) {
      rewrite ^/(\+\+api\+\+\/?)+($|/.*) /VirtualHostBase/http/$server_name/Plone/++api++/VirtualHostRoot/$2 break;
      proxy_pass http://backend;
  }

  # Everything else goes to Volto; static assets get long-lived cache headers.
  location ~ / {
      location ~* \.(js|jsx|css|less|swf|eot|ttf|otf|woff|woff2)$ {
          add_header Cache-Control "public";
          expires +1y;
          proxy_pass http://frontend;
      }
      location ~* static.*\.(ico|jpg|jpeg|png|gif|svg)$ {
          add_header Cache-Control "public";
          expires +1y;
          proxy_pass http://frontend;
      }

      # Pass the original host, client address and scheme to Volto (the
      # nested locations above inherit these headers).
      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;
      proxy_redirect http:// https://;
      proxy_pass http://frontend;
  }
}

We use this template to autogenerate the nginx configuration. ${buildout:projectname}plone is generated from buildout, and its definition is in the first lines of the file: bobtemplates.cs/volto.tpl at master · codesyntax/bobtemplates.cs · GitHub

In your case you would need to point to http://backend, because that's the name of the Plone backend service.

1 Like

Thanks, I was wondering how the template was being rendered and what the value was. It unblocked me big time. You have a beer on me if you like.

1 Like

We have an issue with logout. When we go to localhost/api/acl_users/oidc/logout it fails, complaining about the parameters. Maybe it relates to the Keycloak version, 20.0.3.

Keycloak expects the following parameters:
* @param encodedIdToken Parameter "id_token_hint" as described in the specification.
* @param clientId Parameter "client_id" as described in the specification.
* @param postLogoutRedirectUri Parameter "post_logout_redirect_uri" as described in the specification with the URL to redirect after logout.

The plugin sends only redirect_uri as a parameter to the logout API endpoint.

I may be able to create a pull request if I learn how to get the encoded id token for the id_token_hint parameter.

1 Like
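The parameter mismatch in the last post, worked through as an added example (this is not code from the thread, from the Plone OIDC plugin or from Keycloak). The block builds an RP-initiated logout URL with the three parameters listed above, checks a logout URL for missing ones, and shows that id_token_hint is simply the compact JWS the client received from the token endpoint at login, stored and sent back verbatim. The realm URL, client id, allow-list of post-logout URIs and the HS256 stand-in token are all constructed assumptions; a real Keycloak ID token is RS256-signed, but its shape is the same.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# All values below are constructed for this example; adjust to your realm and client.
ISSUER = "http://localhost:8081/realms/plone"                 # assumed Keycloak realm
END_SESSION_ENDPOINT = ISSUER + "/protocol/openid-connect/logout"
CLIENT_ID = "plone"                                           # assumed client id
# Keycloak only honours post_logout_redirect_uri values registered on the client;
# the RP should enforce the same allow-list before sending the browser anywhere.
ALLOWED_POST_LOGOUT_URIS = {"http://plone.localhost/", "http://plone.localhost/logged-out"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_id_token(secret: bytes, sub: str, now: Optional[int] = None) -> str:
    """Constructed HS256 ID token standing in for the one the token endpoint returned
    at login. Keycloak signs with RS256; only the compact-JWS shape matters here."""
    now = now if now is not None else int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": sub, "iat": now, "exp": now + 300}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def id_token_sub(id_token: str) -> str:
    """Read the sub claim back out of the compact JWS without verifying the signature:
    the RP validated this token at login, and id_token_hint carries it unchanged."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]


def build_logout_url(id_token: str, post_logout_redirect_uri: str,
                     state: Optional[str] = None) -> str:
    """RP-initiated logout URL carrying the three parameters Keycloak 20 expects."""
    if post_logout_redirect_uri not in ALLOWED_POST_LOGOUT_URIS:
        raise ValueError("post_logout_redirect_uri is not registered for this client")
    params = {
        "id_token_hint": id_token,          # the encoded ID token, exactly as stored at login
        "client_id": CLIENT_ID,
        "post_logout_redirect_uri": post_logout_redirect_uri,
    }
    if state is not None:
        params["state"] = state             # echoed back by the OP; lets the RP bind the return
    return END_SESSION_ENDPOINT + "?" + urlencode(params)


def missing_logout_params(url: str) -> List[str]:
    """Names of the required RP-initiated logout parameters absent from a logout URL.
    Run over a plugin-style request that carries only redirect_uri, it reports all three."""
    present = parse_qs(urlsplit(url).query)
    return [p for p in ("id_token_hint", "client_id", "post_logout_redirect_uri")
            if p not in present]


if __name__ == "__main__":
    token = make_id_token(b"constructed-secret", sub="alice")
    url = build_logout_url(token, "http://plone.localhost/", state="s1")
    print(url)
    print("missing:", missing_logout_params(url))
    print("missing from plugin-style request:",
          missing_logout_params(END_SESSION_ENDPOINT + "?redirect_uri=http%3A%2F%2Fplone.localhost%2F"))
```

The practical consequence for a pull request is that the plugin has to keep the raw ID token from the login response in the session (or wherever it keeps the access token) so it can be replayed as id_token_hint; nothing needs to be decoded or re-signed. The allow-list check mirrors what Keycloak does on its side and keeps the logout endpoint from being used as an open redirect.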