Getting OpenID/OAuth in docker container
-
Hi,
I'm trying to get the docker image working using Keycloak as the authorization server as described in this article. According to the configuration article, I should be able to provide the complete JSON object to configure the authentication extension using environment variables.
I have the following configuration in my docker-compose file (I don't mind posting the client secrets as they work only on my local dev env anyway):

jsreport:
  image: jsreport/jsreport:3.1.1-full
  volumes:
    - .dev/jsreport_data1:/app/data
  environment:
    extensions_authentication_authorizationServer_name: keycloak
    extensions_authentication_authorizationServer_issuer: http://localhost:8301/auth/realms/MyRealm
    extensions_authentication_authorizationServer_endpoints_jwks: http://localhost:8301/auth/realms/MyRealm/protocol/openid-connect/certs
    extensions_authentication_authorizationServer_endpoints_authorization: http://localhost:8301/auth/realms/MyRealm/protocol/openid-connect/auth
    extensions_authentication_authorizationServer_endpoints_token: http://localhost:8301/auth/realms/MyRealm/protocol/openid-connect/token
    extensions_authentication_authorizationServer_endpoints_introspection: http://localhost:8301/auth/realms/MyRealm/protocol/openid-connect/token/introspect
    extensions_authentication_authorizationServer_endpoints_userinfo: http://localhost:8301/auth/realms/MyRealm/protocol/openid-connect/userinfo
    extensions_authentication_authorizationServer_studioClient_clientId: js-report-studio
    extensions_authentication_authorizationServer_studioClient_clientSecret: e8721322-eea5-48ec-a5d7-53a8c80b6e4f
    extensions_authentication_authorizationServer_apiResource_clientId: js-report-api
    extensions_authentication_authorizationServer_apiResource_clientSecret: 1ede2612-3e4d-4624-a833-05002e03e199
    extensions_authentication_authorizationServer_authorizationRequest_scope: "openid profile"
    extensions_authentication_authorizationServer_introspectionRequest_tokenValidScopes: "jsreport"
  ports:
    - "8318:5488"
This does not seem to affect JSreport at all, I can still access the studio without needing to provide any authentication.
In the logs I don't see anything related to authentication being enabled.
It's probably something obvious :) But could anyone point me in the right direction?
-
It is probably not obvious, but in Docker by default the authentication extension is disabled until you configure some basic options for the authentication to work; a sample and a mention of that are available here. So you need to pass these options too:

extensions_authentication_admin_username: admin
extensions_authentication_admin_password: xxxx
extensions_authentication_cookieSession_secret: yyylong
after that you should see in the logs this:
Authentication against custom authorization server is enabled
I did a quick test locally with the options you are using and with the extra options I mentioned, and the server ends up configured appropriately.

Also worth mentioning, just FYI: we have an example of this OpenID integration available here, which we recently updated to jsreport v3.
-
Sorry for the late reply, but I was finally able to pick this up again yesterday, and it works perfectly with the 3 added lines you mentioned! Thanks!
-
Hi @AlexGoris-KasparSolutions, can you please share the config file of jsreport that is working for you with Keycloak authorization? Also, did you have to make any additions in Keycloak to make it work?
I am working on a similar thing and I am not getting any leads that work successfully. Please can you help me out?
-
@Mrinalini-Pal The config is pretty much what I pasted in my initial post in this topic, with the 3 lines @bjrmatos suggested added below it, and one more line to map keycloak usernames to js-report usernames, so in total:
jsreport:
  image: jsreport/jsreport:3.1.1-full
  volumes:
    - .dev/jsreport_data1:/app/data
  environment:
    extensions_authentication_authorizationServer_name: keycloak
    extensions_authentication_authorizationServer_issuer: http://localhost:8301/auth/realms/MyRealm
    extensions_authentication_authorizationServer_endpoints_jwks: http://localhost:8301/auth/realms/MyRealm/protocol/openid-connect/certs
    extensions_authentication_authorizationServer_endpoints_authorization: http://localhost:8301/auth/realms/MyRealm/protocol/openid-connect/auth
    extensions_authentication_authorizationServer_endpoints_token: http://localhost:8301/auth/realms/MyRealm/protocol/openid-connect/token
    extensions_authentication_authorizationServer_endpoints_introspection: http://localhost:8301/auth/realms/MyRealm/protocol/openid-connect/token/introspect
    extensions_authentication_authorizationServer_endpoints_userinfo: http://localhost:8301/auth/realms/MyRealm/protocol/openid-connect/userinfo
    extensions_authentication_authorizationServer_studioClient_clientId: js-report-studio
    extensions_authentication_authorizationServer_studioClient_clientSecret: e8721322-eea5-48ec-a5d7-53a8c80b6e4f
    extensions_authentication_authorizationServer_apiResource_clientId: js-report-api
    extensions_authentication_authorizationServer_apiResource_clientSecret: 1ede2612-3e4d-4624-a833-05002e03e199
    extensions_authentication_authorizationServer_authorizationRequest_scope: "openid profile"
    extensions_authentication_authorizationServer_introspectionRequest_tokenValidScopes: "jsreport"
    extensions_authentication_admin_username: admin
    extensions_authentication_admin_password: super-secret-password
    extensions_authentication_cookieSession_secret: yyylong # (This needs to be some random string that you keep secret)
    extensions_authentication_authorizationServer_usernameField: username
  ports:
    - "8318:5488"
The above config assumes you've got Keycloak running on your localhost (in my case through a docker container) on port 8301.
First of all, there's a reference to the Keycloak realm in this config: 'MyRealm'. Either create this realm, or change the name in the above config to match your realm name. Note that using the default 'master' realm in Keycloak is not advisable; as per the Keycloak docs, this realm should be reserved for administrative tasks pertaining to Keycloak itself.
Then you'll need some scope which JSReport will accept. I've set this scope name to 'jsreport' (the extensions_authentication_authorizationServer_introspectionRequest_tokenValidScopes parameter) in the config above, so go to 'Client scopes' in the main Keycloak menu and add the scope with whatever name you want; just make sure it matches the name given in that parameter.

As you see, this config references 2 client IDs and accompanying secrets. These you will need to configure in Keycloak: just add 2 clients with the corresponding IDs and set the 'Access type' to 'Confidential'. Once you save this you'll notice a 'Credentials' tab popping up under the client in Keycloak; you can go to that tab to copy the client secret.
The config I pasted above uses this config line:

extensions_authentication_authorizationServer_usernameField: username

to tell js-report to map the 'username' property in the JWT claims to the js-report username, so we need to configure Keycloak to pass the Keycloak username in that property of the claims. To do this, go to Clients in the main Keycloak menu, then edit the client you're using for js-report-studio (the ID whose name is in the extensions_authentication_authorizationServer_studioClient_clientId parameter), go to the 'Mappers' tab, click 'Add builtin', check the 'username' mapper and click 'Add selected'.

This should be all. If you navigate to js-report studio, you should see a 'Login with keycloak' button (the name 'keycloak' in the button is configured through the extensions_authentication_authorizationServer_name parameter). Clicking this should take you to Keycloak, and if you log in with a username which also exists on js-report, you should be able to log in to js-report.

Hope this helps!
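The two things this thread turns on are how the flat environment variable names expand into jsreport's nested JSON configuration, and bjrmatos's point that the Docker image keeps the authentication extension disabled until the admin username, admin password and cookieSession secret are all set. The script below is an added illustration written for this page; it is not jsreport's own configuration loader. It assumes the convention visible in the posts (every `_` in a name is a path separator, so `extensions_authentication_admin_username` becomes `extensions.authentication.admin.username`) and treats the three options from the reply as a pre-flight check on a compose environment block. The sample environment and the placeholder secrets are constructed, not copied from the thread.

```python
import json

# Constructed sample environment block, modelled on the thread's compose file.
# Secrets are placeholders rather than real values.
SAMPLE_ENV = {
    "extensions_authentication_authorizationServer_name": "keycloak",
    "extensions_authentication_authorizationServer_issuer":
        "http://localhost:8301/auth/realms/MyRealm",
    "extensions_authentication_authorizationServer_endpoints_jwks":
        "http://localhost:8301/auth/realms/MyRealm/protocol/openid-connect/certs",
    "extensions_authentication_authorizationServer_studioClient_clientId": "js-report-studio",
    "extensions_authentication_authorizationServer_studioClient_clientSecret": "<studio-client-secret>",
    "extensions_authentication_authorizationServer_usernameField": "username",
    "extensions_authentication_authorizationServer_authorizationRequest_scope": "openid profile",
    "extensions_authentication_authorizationServer_introspectionRequest_tokenValidScopes": "jsreport",
}

# The options bjrmatos lists as required before the Docker image enables
# the authentication extension at all (dotted paths after expansion).
REQUIRED_FOR_AUTH = (
    ("extensions", "authentication", "admin", "username"),
    ("extensions", "authentication", "admin", "password"),
    ("extensions", "authentication", "cookieSession", "secret"),
)


def env_to_config(env):
    """Expand flat ENV names into a nested dict by splitting each name on '_'.

    Assumption (mirrors the naming seen in the thread): every '_' is a path
    separator, which is why the option names themselves are camelCase.
    Values are never split, so URLs and secrets pass through untouched.
    """
    config = {}
    for name, value in env.items():
        parts = name.split("_")
        node = config
        for key in parts[:-1]:
            node = node.setdefault(key, {})
        node[parts[-1]] = value
    return config


def lookup(config, path):
    """Walk a dotted path through the nested dict; None if any step is missing."""
    node = config
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def missing_auth_basics(config):
    """Return dotted names of the required auth options that are absent or empty."""
    return [".".join(path) for path in REQUIRED_FOR_AUTH if not lookup(config, path)]


def check_auth_setup(env):
    """Expand an environment block and report which basic auth options are missing."""
    config = env_to_config(env)
    return config, missing_auth_basics(config)


if __name__ == "__main__":
    config, missing = check_auth_setup(SAMPLE_ENV)
    print(json.dumps(config, indent=2))
    if missing:
        print("authentication would stay disabled; missing:", ", ".join(missing))
    # Add the three options from the reply and re-run the check.
    fixed = dict(
        SAMPLE_ENV,
        extensions_authentication_admin_username="admin",
        extensions_authentication_admin_password="<admin-password>",
        extensions_authentication_cookieSession_secret="<long-random-secret>",
    )
    print("after adding admin/cookieSession options, missing:",
          missing_auth_basics(env_to_config(fixed)))
```

Running it on the first poster's environment block prints the expanded JSON and names the three missing options; adding them, as the reply suggests, empties the list. The check is a heuristic derived from the reply, not the image's actual start-up logic, so the log line "Authentication against custom authorization server is enabled" remains the authoritative confirmation.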