OAuth consumer: tests fix, comments, Keycloak config notes.

2019-06-05 13:02:13 +03:00 · 2019-06-05 13:02:13 +03:00 · 3eefb274f4
parent e4babb1c9f
commit 3eefb274f4
4 changed files with 36 additions and 3 deletions
--- a/config/test.exs
+++ b/config/test.exs
@ -17,6 +17,8 @@ config :pleroma, Pleroma.Captcha,
 # Print only warnings and errors during test
 config :logger, level: :warn

+config :pleroma, :auth, oauth_consumer_strategies: []
+
 config :pleroma, Pleroma.Upload, filters: [], link_name: false

 config :pleroma, Pleroma.Uploaders.Local, uploads: "test/uploads"
--- a/docs/config.md
+++ b/docs/config.md
@ -514,7 +514,7 @@ Authentication / authorization settings.

 * `auth_template`: authentication form template. By default it's `show.html` which corresponds to `lib/pleroma/web/templates/o_auth/o_auth/show.html.eex`.
 * `oauth_consumer_template`: OAuth consumer mode authentication form template. By default it's `consumer.html` which corresponds to `lib/pleroma/web/templates/o_auth/o_auth/consumer.html.eex`.
-* `oauth_consumer_strategies`: the list of enabled OAuth consumer strategies; by default it's set by OAUTH_CONSUMER_STRATEGIES environment variable. Each entry in this space-delimited string should be of format `<strategy>` or `<strategy>:<dependency>` (e.g. `twitter` or `keycloak:ueberauth_keycloak_strategy` in case dependency is named differently than `ueberauth_<strategy>`).
+* `oauth_consumer_strategies`: the list of enabled OAuth consumer strategies; by default it's set by `OAUTH_CONSUMER_STRATEGIES` environment variable. Each entry in this space-delimited string should be of format `<strategy>` or `<strategy>:<dependency>` (e.g. `twitter` or `keycloak:ueberauth_keycloak_strategy` in case dependency is named differently than `ueberauth_<strategy>`).

 ## OAuth consumer mode

@ -567,6 +567,24 @@ config :ueberauth, Ueberauth,
  providers: [
    microsoft: {Ueberauth.Strategy.Microsoft, [callback_params: []]}
  ]
+  
+# Keycloak
+# Note: make sure to add `keycloak:ueberauth_keycloak_strategy` entry to `OAUTH_CONSUMER_STRATEGIES` environment variable
+keycloak_url = "https://publicly-reachable-keycloak-instance.org:8080"
+
+config :ueberauth, Ueberauth.Strategy.Keycloak.OAuth,
+  client_id: System.get_env("KEYCLOAK_CLIENT_ID"),
+  client_secret: System.get_env("KEYCLOAK_CLIENT_SECRET"),
+  site: keycloak_url,
+  authorize_url: "#{keycloak_url}/auth/realms/master/protocol/openid-connect/auth",
+  token_url: "#{keycloak_url}/auth/realms/master/protocol/openid-connect/token",
+  userinfo_url: "#{keycloak_url}/auth/realms/master/protocol/openid-connect/userinfo",
+  token_method: :post
+
+config :ueberauth, Ueberauth,
+  providers: [
+    keycloak: {Ueberauth.Strategy.Keycloak, [uid_field: :email]}
+  ]
 ```

 ## OAuth 2.0 provider - :oauth2
--- a/lib/pleroma/web/auth/pleroma_authenticator.ex
+++ b/lib/pleroma/web/auth/pleroma_authenticator.ex
@ -24,6 +24,14 @@ defmodule Pleroma.Web.Auth.PleromaAuthenticator do
    end
  end

+  @doc """
+  Gets or creates Pleroma.Registration record from Ueberauth assigns.
+  Note: some strategies (like `keycloak`) might need extra configuration to fill `uid` from callback response —
+    see [`docs/config.md`](docs/config.md).
+  """
+  def get_registration(%Plug.Conn{assigns: %{ueberauth_auth: %{uid: nil}}}),
+    do: {:error, :missing_uid}
+
  def get_registration(%Plug.Conn{
        assigns: %{ueberauth_auth: %{provider: provider, uid: uid} = auth}
      }) do
@ -51,9 +59,10 @@ defmodule Pleroma.Web.Auth.PleromaAuthenticator do

  def get_registration(%Plug.Conn{} = _conn), do: {:error, :missing_credentials}

+  @doc "Creates Pleroma.User record basing on params and Pleroma.Registration record."
  def create_from_registration(
        %Plug.Conn{params: %{"authorization" => registration_attrs}},
-        registration
+        %Registration{} = registration
      ) do
    nickname = value([registration_attrs["nickname"], Registration.nickname(registration)])
    email = value([registration_attrs["email"], Registration.email(registration)])
--- a/lib/pleroma/web/oauth/oauth_controller.ex
+++ b/lib/pleroma/web/oauth/oauth_controller.ex
@ -17,6 +17,8 @@ defmodule Pleroma.Web.OAuth.OAuthController do
  alias Pleroma.Web.OAuth.Token.Strategy.Revoke, as: RevokeToken
  alias Pleroma.Web.OAuth.Scopes

+  require Logger
+
  if Pleroma.Config.oauth_consumer_enabled?(), do: plug(Ueberauth)

  plug(:fetch_session)
@ -318,7 +320,9 @@ defmodule Pleroma.Web.OAuth.OAuthController do
          |> registration_details(%{"authorization" => registration_params})
      end
    else
-      _ ->
+      error ->
+        Logger.debug(inspect(["OAUTH_ERROR", error, conn.assigns]))
+
        conn
        |> put_flash(:error, "Failed to set up user account.")
        |> redirect(external: redirect_uri(conn, params["redirect_uri"]))