enable redirect to oidc provider to empower sso solutions even further

2025-04-20 12:07:11 -04:00 · 2022-06-10 17:52:52 +02:00 · 2022-06-10 17:52:52 +02:00 · 84d51393e4
commit 84d51393e4
parent 2e354f9b1e
6 changed files with 72 additions and 57 deletions
--- a/client/components/main/layouts.js
+++ b/client/components/main/layouts.js
@ -54,46 +54,37 @@ Template.userFormsLayout.onCreated(function() {
    }
  });

-  Meteor.call('isOidcRedirectionEnabled', (_, result) => {
-    serviceName = 'oidc';
-    if (result) {
-      if(Session.get("tmp") && ((Math.floor(Date.now() / 1000) - Session.get("tmp") < 5) ))
+  if(!Meteor.user()?.profile)
+  {
+
+    Meteor.call('isOidcRedirectionEnabled', (_, result) => {
+      serviceName = 'oidc';
+      if (result)
      {
-        window.location.reload(true);
-        console.log(Meteor.user().profile);
-      }
-      else
-      {
-        Session.set("tmp", Math.floor(Date.now() / 1000));
-        console.log("Säschön", Session.get("tmp"));
        methodName = "loginWithOidc";
        var loginWithService = Meteor[methodName];
        AccountsTemplates.options.socialLoginStyle = 'redirect';
        options = {
-            loginStyle: AccountsTemplates.options.socialLoginStyle,
+          loginStyle: AccountsTemplates.options.socialLoginStyle,
        };
-        console.log("keys", options);
        loginWithService(options, function(err) {
          AccountsTemplates.setDisabled(false);
          if (err && err instanceof Accounts.LoginCancelledError)
          {
-            console.log("login cancelled");
          }
          else if (err && err instanceof ServiceConfiguration.ConfigError)
          {
-            console.log("service config");
            if (Accounts._loginButtonsSession) return Accounts._loginButtonsSession.configureService('oidc');
          }
          else
          {
-            console.log("else_block");
            AccountsTemplates.submitCallback(err, state);
          }
-      });
+        });
      }
-    }
-    else console.log("kein result");
-  });
+      else console.log("oidc redirect not set");
+    });
+  }
  Meteor.call('isDisableRegistration', (_, result) => {
    if (result) {
      $('.at-signup-link').hide();
@ -326,7 +317,6 @@ Template.userFormsLayout.events({
    event.preventDefault();
  },
  'click #at-btn'(event, templateInstance) {
-    console.log("hello");
    if (FlowRouter.getRouteName() === 'atSignIn') {
      templateInstance.isLoading.set(true);
      authentication(event, templateInstance).then(() => {
--- a/config/accounts.js
+++ b/config/accounts.js
@ -3,7 +3,16 @@ const emailField = AccountsTemplates.removeField('email');
 let disableRegistration = false;
 let disableForgotPassword = false;
 let passwordLoginDisabled = false;
-let oidcEnabled = false;
+let oidcRedirectionEnabled = false;
+let oauthServerUrl = "home";
+let oauthDashboardUrl = "";
+
+Meteor.call('isOidcRedirectionEnabled', (_, result) => {
+  if(result)
+  {
+    oidcRedirectionEnabled = true;
+  }
+});

 Meteor.call('isPasswordLoginDisabled', (_, result) => {
  if (result) {
@ -12,15 +21,17 @@ Meteor.call('isPasswordLoginDisabled', (_, result) => {
    //console.log(result);
  }
 });
+
 Meteor.call('getOauthServerUrl', (_, result) => {
  if (result) {
    oauthServerUrl = result;
-    const a = document.createElement("a");
-    a.href = oauthServerUrl;
-    const baseUrl = `${a.protocol}//${a.hostname}`;
-    console.log(baseUrl);
  }
-  else oauthServerUrl = "home";
+});
+
+Meteor.call('getOauthDashboardUrl', (_, result) => {
+  if (result) {
+    oauthDashboardUrl = result;
+  }
 });

 Meteor.call('isDisableRegistration', (_, result) => {
@ -30,9 +41,7 @@ Meteor.call('isDisableRegistration', (_, result) => {
    //console.log(result);
  }
 });
-Meteor.call('isOidcRedirectionEnabled', (_, result) => {
-  oidcEnabled = result ? true : false;
-});
+
 Meteor.call('isDisableForgotPassword', (_, result) => {
  if (result) {
    disableForgotPassword = true;
@ -70,17 +79,19 @@ AccountsTemplates.configure({
  showForgotPasswordLink: !disableForgotPassword,
  forbidClientAccountCreation: disableRegistration,
  onLogoutHook() {
-    if(oidcEnabled && oauthServerUrl!=="home")
+    // here comeslogic for redirect
+    if(oidcRedirectionEnabled)
    {
-
-      oidcEnabled = !oidcEnabled;
-      window.location.href = oauthServerUrl + "/if/user/#/library";
+      window.location = oauthServerUrl + oauthDashboardUrl;
    }
-    const homePage = 'home';
-    if (FlowRouter.getRouteName() === homePage) {
-      FlowRouter.reload();
-    } else {
-      FlowRouter.go(homePage);
+    else
+    {
+      const homePage = 'home';
+      if (FlowRouter.getRouteName() === homePage) {
+        FlowRouter.reload();
+      } else {
+        FlowRouter.go(homePage);
+      }
    }
  },
 });
--- a/models/settings.js
+++ b/models/settings.js
@ -508,8 +508,7 @@ if (Meteor.isServer) {
      return process.env.PASSWORD_LOGIN_ENABLED === 'false';
    },
    isOidcRedirectionEnabled(){
-      console.log(process.env.REDIRECT_LOGIN_LOGOUT_TO_OIDC === 'true');
-      return process.env.REDIRECT_LOGIN_LOGOUT_TO_OIDC === 'true';
+      return process.env.OIDC_REDIRECTION_ENABLED === 'true';
    },
  });
 }
--- a/packages/wekan-oidc/README.md
+++ b/packages/wekan-oidc/README.md
@ -47,6 +47,26 @@ See example below:

  NOTE: orgs & teams won't be updated if they already exist.

-  5. Manages admin rights as well. If user is in Group which has isAdmin: set to true, user will get admin 
-     privileges in Wekan as well. 
+  5. Manages admin rights as well. If user is in Group which has isAdmin: set to true, user will get admin
+     privileges in Wekan as well.
     If no adjustments (e.g. 1-3) are made on oidc provider's side, user will receive his/her admin rights from before.
+
+## For further empowerment of oidc as sso solution
+
+If you want to be redirected to your oidc provider on LOGIN without going the extra loop of signing in.
+On LOGOUT you will be redirected to the oidc provider as well.
+
+Add to your .env file:
+
+OIDC_REDIRECTION_ENABLED=true
+OAUTH2_SERVER_URL=http://localhost:9000
+DASHBOARD_URL=/if/session-end/wekan/
+
+Example for authentik.
+The latter specifies the OIDC Dashboard you'll get redirected on logout
+
+Flow:
+You need to have an oidc provider configured to get this feature
+Make sure to have
+Authorize Application (default-provider-authorization-implicit-consent)
+enabled
--- a/packages/wekan-oidc/oidc_client.js
+++ b/packages/wekan-oidc/oidc_client.js
@ -7,8 +7,6 @@ Oidc = {};
 //   error.
 Oidc.requestCredential = function (options, credentialRequestCompleteCallback) {
  // support both (options, callback) and (callback).
-  console.log("from client");
-  console.log(options);
  if (!credentialRequestCompleteCallback && typeof options === 'function') {
    credentialRequestCompleteCallback = options;
    options = {};
@ -57,14 +55,13 @@ Oidc.requestCredential = function (options, credentialRequestCompleteCallback) {
    width:  options.popupOptions.width || 320,
    height: options.popupOptions.height || 450
  };
-  OAuth.saveDataForRedirect(options.loginService, options.credentialToken);
-  Accounts.oauth.tryLoginAfterPopupClosed(credentialToken, credentialRequestCompleteCallback);
-  // OAuth.launchLogin({
-  //   loginService: 'oidc',
-  //   loginStyle: loginStyle,
-  //   loginUrl: loginUrl,
-  //   credentialRequestCompleteCallback: credentialRequestCompleteCallback,
-  //   credentialToken: credentialToken,
-  //   popupOptions: popupOptions,
-  // });
+
+  OAuth.launchLogin({
+    loginService: 'oidc',
+    loginStyle: loginStyle,
+    loginUrl: loginUrl,
+    credentialRequestCompleteCallback: credentialRequestCompleteCallback,
+    credentialToken: credentialToken,
+    popupOptions: popupOptions,
+  });
 };
--- a/packages/wekan-oidc/oidc_server.js
+++ b/packages/wekan-oidc/oidc_server.js
@ -19,8 +19,6 @@ var serviceData = {};
 var userinfo = {};

 OAuth.registerService('oidc', 2, null, function (query) {
-  console.log(Date.now());
-  console.log("query: ", query);
  var debug = process.env.DEBUG || false;

  var token = getToken(query);