I created a dockerfile with the following content:
FROM jsreport/jsreport
COPY ./Fonts/ /usr/share/fonts/
Make sure the font you need is in the Fonts subdirectory.
Then run docker build . in the directory where your dockerfile resides, and you should have an image which contains your font.
Looks all good as far as I can see.
What are the jsreport logs saying when you try to login?
I would try intercepting the access token returned by keycloak so you can inspect it for the username claim
Sorry I can't share the headers of my project. But I can say they contain nothing special, it's a standard OAuth2 authorization code flow which requests the access token using the calls defined in the Oauth2 protocol. It is up to the keycloak to decide which claims to add to the access token so you must have missed something. Can you post your complete JSreport docker-compose config and some screenshots of your 2 keycloak clients?
Should the 'username' property be added to extensions_authentication_authorizationServer_studioClient_clientId: only and not to extensions_authentication_authorizationServer_apiResource_clientId: too because I need to use jsreports using both the studio and the API.
I don't understand this question, both the extensions_authentication_authorizationServer_studioClient_clientId and the extensions_authentication_authorizationServer_apiResource_clientId properties must be passed a valid client id, not a user name. The value you fill in here must be a valid client in your keycloak config, meaning it must be listed when you go to the Configure > Clients menu in keycloak
How to find out the username that exists in jsreports that need to be provided to keycloak during login? I have added a user with permission to read and edit all entities in jsreport that exists in keycloak, does anything more need to be done?
See the docs for details on this, specifically:
jsreport needs to know how to associate the users from your authorization server to users/groups in jsreport, this association is needed to correctly identify which jsreport entities and permissions the user of your authorization server is able to work with in the context of jsreport. to do this you will have to do any of the following:
- associate the jsreport username of an existing jsreport user with a claim (authorizationServer.usernameField) linked to the user handled by your authorization server.
- associate the jsreport group name of an existing jsreport group with a claim (authorizationServer.groupField) linked to the user handled by your authorization server. this association has the extra advantage of not requiring to duplicate the user of your authorization server in jsreport, you can handle all the permissions in jsreport in groups and let your authorization server handle the user, you just need to associate them so after login the jsreport is able to identify which entities it has access to. When doing SSO to the jsreport studio you can customize the username shown there by setting another claim (authorizationServer.usernameField) to the data linked to the user handled by your authorization server.
In the config I have provided at the beginning of this topic, the authorizationServer.usernameField has been set to username, this means that JSReport expects to find a claim with the name username in the accesstoken it gets from Keycloak, and will use whatever value is in there to try to find a matching jsreport user. So if the JSreport user you have is called johndoe, your access token should like so:
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022,
"username": "johndoe" // This will tell keycloak to authenticate you as its own 'johndoe' user
}
When I try to login using the username and password of the user mentioned in the previous point, I am getting Error: Authentication with authorization server failed. Information returned by the authorization server does not contain "username" field. Authentication cancelled message. My keycloak is running on a global IP through a docker container while the jsreport code is running on localhost. Is it not working for this reason?
This is related to the previous point, if you copied the config in my original post, and left the extensions_authentication_authorizationServer_usernameField set to the username value, you probably didn't configure the js-report-studio client mappers as mentioned in my previous post.
@Mrinalini-Pal The config is pretty much what I pasted in my initial post in this topic, with the 3 lines @bjrmatos suggested added below it, and one more line to map keycloak usernames to js-report usernames, so in total:
jsreport:
image: jsreport/jsreport:3.1.1-full
volumes:
- .dev/jsreport_data1:/app/data
environment:
extensions_authentication_authorizationServer_name: keycloak
extensions_authentication_authorizationServer_issuer: http://localhost:8301/auth/realms/MyRealm
extensions_authentication_authorizationServer_endpoints_jwks: http://localhost:8301/auth/realms/MyRealm/protocol/openid-connect/certs
extensions_authentication_authorizationServer_endpoints_authorization: http://localhost:8301/auth/realms/MyRealm/protocol/openid-connect/auth
extensions_authentication_authorizationServer_endpoints_token: http://localhost:8301/auth/realms/MyRealm/protocol/openid-connect/token
extensions_authentication_authorizationServer_endpoints_introspection: http://localhost:8301/auth/realms/MyRealm/protocol/openid-connect/token/introspect
extensions_authentication_authorizationServer_endpoints_userinfo: http://localhost:8301/auth/realms/MyRealm/protocol/openid-connect/userinfo
extensions_authentication_authorizationServer_studioClient_clientId: js-report-studio
extensions_authentication_authorizationServer_studioClient_clientSecret: e8721322-eea5-48ec-a5d7-53a8c80b6e4f
extensions_authentication_authorizationServer_apiResource_clientId: js-report-api
extensions_authentication_authorizationServer_apiResource_clientSecret: 1ede2612-3e4d-4624-a833-05002e03e199
extensions_authentication_authorizationServer_authorizationRequest_scope: "openid profile"
extensions_authentication_authorizationServer_introspectionRequest_tokenValidScopes: "jsreport"
extensions_authentication_admin_username: admin
extensions_authentication_admin_password: super-secret-password
extensions_authentication_cookieSession_secret: yyylong #(This needs to be some random string that you keep secret)
extensions_authentication_authorizationServer_usernameField: username
ports:
- "8318:5488"
The above config assumes you've got Keycloak running on your localhost (in my case through a docker container) on port 8301.
First of all there's a reference to the keycloak realm in this config: 'MyRealm', either create this realm, or change the name accordingly to match your realm name in the above config. Note that using the default 'master' realm in Keycloak is not advisable, as per Keycloak docs this realm should be reserved for administrative tasks pertaining to Keycloak itself
Then you'll need some scope which JSReport will accept, I've set this scope name to 'jsreport' (extensions_authentication_authorizationServer_introspectionRequest_tokenValidScopes parameter) in the config above, so go to 'Client scopes' in the main Keycloak menu, and add the scope with whatever name you want, just make sure it matches the name given in that mentioned parameter.
As you see this config references 2 client-id's and accompanying secrets, these you will need to configure in Keycloak, just add 2 clients with the corresponding ids and set the 'Access type' to 'Confidential', once you save this you'll notice a 'Credentials' tab popping up under the client in Keycloak, you can go to that tab to copy the client secret.
The config I pasted above uses this config line:
extensions_authentication_authorizationServer_usernameField: username
To tell js-report to map the 'username' property in the JWT claims to the js-report username, so we need to configure keycloak to pass the keycloak username in that property to the claims. To do this go to Clients in the main keycloak menu, then edit the client you're using for js-report-studio (the id whose name is in the extensions_authentication_authorizationServer_studioClient_clientId: parameter), go the the 'Mappers' tab, click 'Add builtin', check the 'username' mapper and click 'Add selected'
This should be all, if you navigate to js-report studio, you should see a 'Login with keycloak' (the name 'keycloak' in the button is configured through the extensions_authentication_authorizationServer_name: parameter), clicking this should take you to keycloak, if you login with a username which also exists on js-report, you should be able to login to js-report.
Hope this helps!
Indeed since we're deploying the docker image in a Kubernetes cluster, the easiest way is to use environment variables to configure it.
But are you sure that it's broken? Because I do see (development) in the license modal when looking in studio, hence I assumed it was correctly detecting the development flag:
Just for my information, is there any restrictions in the API when this license verification fails?
I just got another popup complaining about parallel license usage. This is on a new 'live' development environment running on a different azure kubernetes cluster, it also has the development=true parameter set
Thanks for all the great feeback @bjrmatos!
I indeed overlooked the group permissions. This completely fixes that point I made.
The feature to be able to map users to groups works perfectly, and combined with the group permissions, eliminates a lot of situations where the team would previously had needed admin access (and having to resort to using the shared credentials), like adding a new request under a specific group, or granting a new user access.
Thanks again, it's so nice to use a product which ticks all the boxes :)
Sorry for the late reply, but I was finally able to pick this up again yesterday, and it works perfectly with the 3 added lines you mentioned! Thanks!
I'm looking into setting up authorization server using SSO. I've got the basics working: I have a local admin user which I used to create a user which exists with the same username on my keycloak instance, and I'm able to log in with that new user through the keycloak SSO mechanism, so far so good :). We want to setup JSReport to allow several users in our company to configure their own templates, which should be possible through the new user groups feature: Add the correct users to the correct groups, then grant permissions to the relevant templates for those user groups. There are however a few things which I can't find an answer for in the documentation:
extensions.authentication.admin) is the only user who can add and delete users. Since we work in a team it would mean having to share this admin user's credentials across the team, which is considered a bad security practice. Is there a way to define multiple admin users?I'm pretty sure this last one is not possible, but decided to write it down anyways, so it can maybe be considered as a feature request: We have the possibility of creating folders, and then creating requests, templates etc... under those folders. It would be great if we could define permissions on those folders, and have all child elements in those folders inherit the folders permission, this would save us a lot of working having to grant permissions to each individual item.