MonkeyCanCode commented on code in PR #168:
URL: https://github.com/apache/polaris-tools/pull/168#discussion_r2850880130
##########
console/src/api/auth.ts:
##########
@@ -107,9 +110,110 @@ export const authApi = {
logout: (): void => {
apiClient.clearAccessToken()
- // Use a small delay to allow toast to show before redirect
+ clearPKCESession()
setTimeout(() => {
navigate("/login", true)
}, 100)
},
+
+ initiateOIDCFlow: async (): Promise<void> => {
+ const issuerUrl = config.OIDC_ISSUER_URL
+ const clientId = config.OIDC_CLIENT_ID
+ const redirectUri = config.OIDC_REDIRECT_URI
+ const scope = config.OIDC_SCOPE
+
+ if (!issuerUrl || !clientId || !redirectUri) {
+ throw new Error("OIDC configuration is incomplete. Please check
environment variables.")
+ }
+
+ clearPKCESession()
+
+ const discovery = await discoverOIDCEndpoints(issuerUrl)
+ const authorizationUrl = discovery.authorization_endpoint
+
+ const { verifier, challenge } = await generatePKCE()
+ const state = generateState()
+
+ storePKCEVerifier(verifier)
+ storeState(state)
+
+ const params = new URLSearchParams({
+ response_type: "code",
+ client_id: clientId,
+ redirect_uri: redirectUri,
+ scope: scope,
+ state: state,
+ code_challenge: challenge,
+ code_challenge_method: "S256",
+ prompt: "login",
Review Comment:
Any particular reason on using `login` for prompt? With OpenID spec, this
will force fresh authentication I think
(https://openid.net/specs/openid-connect-core-1_0.html)?
Also, I think not every OIDC provider supports `login`, e.g. Google
(https://developers.google.com/identity/openid-connect/openid-connect#authenticationuriparameters).
Maybe it is worth making this configurable?
##########
console/docker/generate-config.sh:
##########
@@ -29,7 +29,11 @@ window.APP_CONFIG = {
VITE_POLARIS_REALM: '${VITE_POLARIS_REALM}',
VITE_POLARIS_PRINCIPAL_SCOPE: '${VITE_POLARIS_PRINCIPAL_SCOPE}',
VITE_OAUTH_TOKEN_URL: '${VITE_OAUTH_TOKEN_URL}',
- VITE_POLARIS_REALM_HEADER_NAME: '${VITE_POLARIS_REALM_HEADER_NAME}'
+ VITE_POLARIS_REALM_HEADER_NAME: '${VITE_POLARIS_REALM_HEADER_NAME}',
+ VITE_OIDC_ISSUER_URL: '${VITE_OIDC_ISSUER_URL}',
+ VITE_OIDC_CLIENT_ID: '${VITE_OIDC_CLIENT_ID}',
+ VITE_OIDC_REDIRECT_URI: '${VITE_OIDC_REDIRECT_URI}',
+ VITE_OIDC_SCOPE: '${VITE_OIDC_SCOPE}'
};
EOF
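Review bot: The four new VITE_OIDC_* values are spliced into single-quoted JavaScript string literals exactly as the environment supplies them, so a value containing a `'`, a backslash or a newline breaks the generated `window.APP_CONFIG` object or ends the literal early; the pre-existing lines have the same shape, but the new URL-valued settings make an unusual character more likely. A small helper that escapes backslashes and single quotes before substitution, or emitting the object through a JSON encoder and assigning the result to `window.APP_CONFIG`, keeps the output well-formed for any input. Whether a stray quote can do more than break the page depends on who controls the environment at container start, which this hunk does not show.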
Review Comment:
nit: maybe worth adding a docker compose similar to
https://github.com/apache/polaris/blob/main/getting-started/keycloak/docker-compose.yml
so people can test this out a bit quicker?
##########
console/src/api/auth.ts:
##########
@@ -107,9 +110,110 @@ export const authApi = {
logout: (): void => {
apiClient.clearAccessToken()
- // Use a small delay to allow toast to show before redirect
+ clearPKCESession()
setTimeout(() => {
navigate("/login", true)
}, 100)
},
+
+ initiateOIDCFlow: async (): Promise<void> => {
+ const issuerUrl = config.OIDC_ISSUER_URL
+ const clientId = config.OIDC_CLIENT_ID
+ const redirectUri = config.OIDC_REDIRECT_URI
+ const scope = config.OIDC_SCOPE
+
+ if (!issuerUrl || !clientId || !redirectUri) {
+ throw new Error("OIDC configuration is incomplete. Please check
environment variables.")
+ }
+
+ clearPKCESession()
+
+ const discovery = await discoverOIDCEndpoints(issuerUrl)
+ const authorizationUrl = discovery.authorization_endpoint
+
+ const { verifier, challenge } = await generatePKCE()
+ const state = generateState()
+
+ storePKCEVerifier(verifier)
+ storeState(state)
+
+ const params = new URLSearchParams({
+ response_type: "code",
+ client_id: clientId,
+ redirect_uri: redirectUri,
+ scope: scope,
+ state: state,
+ code_challenge: challenge,
+ code_challenge_method: "S256",
+ prompt: "login",
+ })
+
+ window.location.href = `${authorizationUrl}?${params.toString()}`
+ },
+
+ handleOIDCCallback: async (code: string, state: string):
Promise<OAuthTokenResponse> => {
+ const storedState = getState()
+ if (!storedState || storedState !== state) {
+ clearPKCESession()
+ throw new Error("Invalid state parameter. Possible CSRF attack.")
+ }
+
+ const verifier = getPKCEVerifier()
+ if (!verifier) {
+ clearPKCESession()
+ throw new Error("Code verifier not found. Please restart the login
process.")
+ }
+
+ const redirectUri = config.OIDC_REDIRECT_URI
+ if (!redirectUri) {
+ clearPKCESession()
+ throw new Error("Redirect URI not configured.")
+ }
+
+ try {
+ const oidcTokenResponse = await authApi.exchangeAuthCode(code, verifier,
redirectUri)
+ clearPKCESession()
+ return oidcTokenResponse
+ } catch (error) {
+ clearPKCESession()
+ throw error
+ }
+ },
+
+ exchangeAuthCode: async (
+ code: string,
+ codeVerifier: string,
+ redirectUri: string
+ ): Promise<OAuthTokenResponse> => {
+ const issuerUrl = config.OIDC_ISSUER_URL
+ const clientId = config.OIDC_CLIENT_ID
+
+ if (!issuerUrl || !clientId) {
+ throw new Error("OIDC configuration is incomplete. Please check
environment variables.")
+ }
+
+ const discovery = await discoverOIDCEndpoints(issuerUrl)
+ const tokenUrl = discovery.token_endpoint
+
+ const formData = new URLSearchParams()
+ formData.append("grant_type", "authorization_code")
+ formData.append("code", code)
+ formData.append("client_id", clientId)
+ formData.append("redirect_uri", redirectUri)
+ formData.append("code_verifier", codeVerifier)
+
+ const headers: Record<string, string> = {
+ "Content-Type": "application/x-www-form-urlencoded",
+ }
+
+ const response = await axios.post<OAuthTokenResponse>(tokenUrl, formData, {
+ headers,
+ })
+
+ if (response.data.access_token) {
+ apiClient.setAccessToken(response.data.access_token)
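Review bot: `scope` is read at the top of initiateOIDCFlow but left out of the completeness guard, so an unset `config.OIDC_SCOPE` is serialized by URLSearchParams as the literal string `undefined` and sent to the provider as `scope=undefined`; either add it to the guard or default it, `const scope = config.OIDC_SCOPE ?? "openid"`. The redirect is built as `${authorizationUrl}?${params.toString()}`, which yields a second `?` whenever the discovered authorization_endpoint already carries a query string; `const url = new URL(authorizationUrl); params.forEach((v, k) => url.searchParams.append(k, v)); window.location.href = url.toString()` handles both forms. discoverOIDCEndpoints is defined outside this hunk, so I cannot see whether it verifies that the discovery document's `issuer` equals the configured issuer URL before its authorization_endpoint and token_endpoint are trusted; if it does not, that check belongs there. In handleOIDCCallback the try/catch that calls clearPKCESession on both paths reads more clearly as `try { return await authApi.exchangeAuthCode(code, verifier, redirectUri) } finally { clearPKCESession() }`. This hunk is quoted twice on the page, and exchangeAuthCode continues past the end of the quote.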
Review Comment:
nit: should we add support for OIDC token refresh as well?