Skip to content

OIDC/Auth2 integration#18

Closed
boehlke wants to merge 15 commits into
OpenSlides:feature/keycloak-oidcfrom
kryptance:main
Closed

OIDC/Auth2 integration#18
boehlke wants to merge 15 commits into
OpenSlides:feature/keycloak-oidcfrom
kryptance:main

Conversation

@boehlke

@boehlke boehlke commented Sep 27, 2024

Copy link
Copy Markdown
Contributor

This PR contains a POC for a OIDC/oauth2 integration into OpenSlides. The dev setup is based on keycloak.

peb-adr
peb-adr requested changes Oct 29, 2024
View reviewed changes
Comment thread entrypoint Outdated
Comment on lines +22 to +23
KEYCLOAK_HOST="${KEYCLOAK_URL:-keycloak}" \
KEYCLOAK_PORT="${KEYCLOAK_URL:-8080}" \

@peb-adr peb-adr Oct 29, 2024

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not consistent with what's being evaluated in caddy_base.json

peb-adr
peb-adr reviewed Jan 11, 2025
View reviewed changes
Comment thread entrypoint Outdated
Comment on lines +10 to +18
# remove endpoints if not set
for ENDPOINT in ACTION_HOST PRESENTER_HOST AUTOUPDATE_HOST ICC_HOST SEARCH_HOST MEDIA_HOST MANAGE_HOST CLIENT_HOST VOTE_HOST KEYCLOAK_HOST; do
if [ -z "${!ENDPOINT}" ]; then
echo "Removing endpoint $ENDPOINT"
jq ".apps.http.servers.srv0.routes |= map(select(.handle | any(.upstreams[]?.dial | contains(\"$ENDPOINT\") | not)))" "$base" > "$base.out"
mv -f "$base.out" "$base"
fi
done

@peb-adr peb-adr Jan 11, 2025

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see this construct can be helpful.

I see the following risk:
Until now this entrypoint script ensured that all endpoint env vars are set (at least to defaults). Now if an admin of OpenSlides somehow misses setting one of these, the service suddenly is no longer reachable. This can be desired, but should be documented maybe here.

Checking if the manage tool actually does set all these variables to defaults: no it does not! See default config. So this must be adjusted to include CLIENT_HOST and CLIENT_PORT or suddenly the client won't be proxied anymore.

Personally I'd also prefer a [ -z "${ENDPOINT}" ] check (without '!'). I think it is less confusing as the '!' expansion is not as widely known. Also it would enable one to override some SERVICE_HOST= without needing to actually unset it to disable the service. This would provide more flexibility IMO.

Comment thread entrypoint Outdated
Comment on lines +21 to +26
for var in $(grep -o '\$[A-Za-z_][A-Za-z0-9_]*' $config | sort | uniq | sed 's/\$//'); do
echo "Checking variable $var"
if [[ -z "${!var}" ]]; then
echo "Variable $var is not set"
fi
done

@peb-adr peb-adr Jan 11, 2025

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is just a redundant check to be sure no unset variables survived, right?
This seems fine though.

@boehlke

boehlke commented Feb 9, 2026

Copy link
Copy Markdown
Contributor Author

Superseded by #34

@boehlke boehlke closed this Feb 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@peb-adr peb-adr peb-adr requested changes

Assignees

No one assigned

Labels

feature

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@boehlke @peb-adr @Janmtbehrens @bastianjoel