🔀 Merge pull request #1101 from marekful/FEATURE/pass-idp-hint-to-keycloak-auth

[FEATURE/IMPROVEMENT] Pass 'IdP Hint' to Keycloak
2023-02-12 16:23:24 +00:00 · 2023-02-12 16:23:24 +00:00 · ba6fa376a5
parent bdf274d8e1 99fa9bcc32
commit ba6fa376a5
4 changed files with 14 additions and 7 deletions
--- a/docs/authentication.md
+++ b/docs/authentication.md
@ -164,6 +164,8 @@ appConfig:

 Note that if you are using Keycloak V 17 or older, you will also need to set `legacySupport: true` (also under `appConfig.auth.keycloak`). This is because the API endpoint was updated in later versions.

+If you use Keycloak with an external Identity Provier, you can set the `idpHint: 'alias-of-kc-idp'` option to allow the IdP Hint to be passed to Keycloak. This will cause Keycloak to skip its login page and redirect the user directly to the specified IdP's login page. Set to the value of the 'Alias' field of the desired IdP as defined in Keycloak under 'Identity Providers'.
+
 ### 4. Add groups and roles (Optional)

 Keycloak allows you to assign users roles and groups. You can use these values to configure who can access various sections or items in Dashy.
--- a/package.json
+++ b/package.json
@ -27,7 +27,7 @@
    "express": "^4.17.2",
    "frappe-charts": "^1.6.2",
    "js-yaml": "^4.1.0",
-    "keycloak-js": "^16.1.1",
+    "keycloak-js": "^20.0.3",
    "register-service-worker": "^1.7.2",
    "remedial": "^1.0.8",
    "rsup-progress": "^3.0.0",
--- a/src/utils/ConfigSchema.json
+++ b/src/utils/ConfigSchema.json
@ -481,6 +481,11 @@
                  "type": "string",
                  "description": "The Client ID of the client you created for use with Dashy"
                },
+                "idpHint": {
+                  "title" : "IdP hint",
+                  "type": "string",
+                  "description": "Set to the 'Alias' of an existing Identity Provider in the specified realm to skip the Keycloak login page and redirect straight to the external IdP for authentication"
+                },
                "legacySupport": {
                  "title": "Legacy Support",
                  "type": "boolean",
--- a/src/utils/KeycloakAuth.js
+++ b/src/utils/KeycloakAuth.js
@ -13,25 +13,25 @@ class KeycloakAuth {
  constructor() {
    const { auth } = getAppConfig();
    const {
-      serverUrl, realm, clientId, legacySupport,
+      serverUrl, realm, clientId, idpHint, legacySupport,
    } = auth.keycloak;
    const url = legacySupport ? `${serverUrl}/auth` : serverUrl;
-    const initOptions = {
-      url, realm, clientId, onLoad: 'login-required',
-    };
+    const initOptions = { url, realm, clientId };
+    const loginOptions = idpHint ? { idpHint } : {};

+    this.loginOptions = loginOptions;
    this.keycloakClient = Keycloak(initOptions);
  }

  login() {
    return new Promise((resolve, reject) => {
-      this.keycloakClient.init({ onLoad: 'login-required' })
+      this.keycloakClient.init({ onLoad: 'check-sso' })
        .then((auth) => {
          if (auth) {
            this.storeKeycloakInfo();
            return resolve();
          } else {
-            return reject(new Error('Not authenticated'));
+            return this.keycloakClient.login(this.loginOptions);
          }
        })
        .catch((reason) => reject(reason));