PHRAS-4007: Auth provider - add keycloak provider - openid (#4462)

* keycloak provider * add readme * comment regenarete password * add exclusive option to provider an column can_renew_passwor to user * default exclusive false * always compatible with psauth * bump image tag .env * bump Version to 4.1.8-rc9 * bump version to rc12 * add autoconnect
alchemy-fr · Apr 30, 2024 · d6849fd · d6849fd
1 parent b0eba52
commit d6849fd
Show file tree

Hide file tree

Showing 32 changed files with 1,421 additions and 369 deletions.
diff --git a/.env b/.env
@@ -32,7 +32,7 @@
 #
 # - "docker-compose.limits.yml"     : defines containers cpu and memory limits for all Phraseanet and gateway containers only.
 #
-# - "docker-compose.altenatives.yml": all alternative services, used only on evoluation or transition periods 
+# - "docker-compose.altenatives.yml": all alternative services, used only on evoluation or transition periods
 #
 # 2/ "COMPOSE_PROFILES" value define which profiles you want to use
 # in docker-compose.
@@ -49,7 +49,7 @@
 #                       choose to launch only some workers, see worker profile list below.
 # - "worker"          : launch one container worker with all jobs run on it.
 # - "cmd"             : launch a container based on worker image, useful for run cmd manualy. 
-# - "db"              : db profile will launch a mariadb container, 
+# - "db"              : db profile will launch a mariadb container,
 #                       because this is the primary datastore, you should use you own SGDD service for production needs.
 # - "elastisearch"    : launch a elasticsearch container.
 # - "rabbitmq"        : launch a rabbitmq container.
@@ -143,7 +143,7 @@ PHRASEANET_DOCKER_REGISTRY=local
 
 # Docker images tag.
 # @run
-PHRASEANET_DOCKER_TAG=4.1.8-rc11
+PHRASEANET_DOCKER_TAG=4.1.8-rc12
 
 # Stack Name
 # An optionnal Name for the stack

diff --git a/config/configuration.sample.yml b/config/configuration.sample.yml
@@ -211,24 +211,24 @@ authentication:
             options:
                 client-id: ''
                 client-secret: ''
-        ps_auth_1:
+        openid-1:
             enabled: false
             display: false
-            title: 'PS Auth 1'
-            type: 'ps-auth'
+            title: 'openid 1'
+            type: openid
             options:
                 client-id: ''
                 client-secret: ''
-                base-url: 'https://api-auth.phrasea.local'
-                provider-type: 'oauth'
-                provider-name: 'v2'
+                base-url: 'https://keycloak.phrasea.local'
+                realm-name: phrasea
+                exclusive: false
                 icon-uri: null
+                birth-group: _firstlog
+                everyone-group: _everyone
+                metamodel: _metamodel
+                model-gpfx: _M_
+                model-upfx: _U_
                 debug: false
-                birth-group: '_firstlog'
-                everyone-group: '_everyone'
-                metamodel: '_metamodel'
-                model-gpfx: '_M_'
-                model-upfx: '_U_'
                 auto-logout: false
                 auto-connect-idp-name: null
 registration-fields:

diff --git a/doc/feedback_report.md → doc/others/feedback_report.md b/doc/feedback_report.md → doc/others/feedback_report.md
diff --git a/doc/others/openid-sso.md b/doc/others/openid-sso.md
@@ -0,0 +1,58 @@
+# openid configuration
+
+#### phraseanet configuration
+To connect with an openid with phraseanet, add the following config in the configuration.yml file
+
+
+```yaml
+authentication:
+    providers:
+        openid-1:
+            enabled: true
+            display: true
+            title: ' openid 1'
+            type: openid
+            options:
+                client-id: 'client-id'
+                client-secret: 'client-secret'
+                base-url: 'https://keycloak.phrasea.local'
+                realm-name: phrasea
+                # if true, can only connect with this provider
+                # the user cannot connect with the default phraseanet login form
+                exclusive: false
+                icon-uri: null
+                birth-group: _firstlog
+                everyone-group: _everyone
+                metamodel: _metamodel
+                # group model prefix
+                model-gpfx: _M_  
+                # user model prefix
+                model-upfx: _U_
+                debug: false
+                # logout with phraseanet and also logout with keycloak
+                auto-logout: true  
+                auto-connect-idp-name: null
+
+```
+
+
+#### keycloak configuration
+
+- create a new client
+- get clien-id and client-secret
+- in the client setting:
+   
+   set the 'Valid redirect URIs' field with `https://{phraseanet-host}/login/provider/{provider-name}/callback/`
+   eg: https://phraseanet.phrasea.local/login/provider/openid-1/callback/
+
+   set the 'Valid post logout redirect URIs' field with `https://{phraseanet-host}/login/logout/` eg: https://phraseanet.phrasea.local/login/logout/
+
+- Choose a client > client scopes >  '.... dedicated'
+
+  add a 'groups' mapper if not exist,  > Add mapper > by configuration  
+
+  `Mapper type` => Group Membership  
+  `Name` => groups  
+  `Token Claim Name` => groups  
+  `Full group path`  => off   
+  `Add to userinfo`  => on
diff --git a/doc/stamper.md → doc/others/stamper.md b/doc/stamper.md → doc/others/stamper.md