OAuth consumer: tests fix, comments, Keycloak config notes

See merge request pleroma/pleroma!1248

tags/v1.1.4
@@ -17,6 +17,8 @@ config :pleroma, Pleroma.Captcha, | |||||
# Print only warnings and errors during test | # Print only warnings and errors during test | ||||
config :logger, level: :warn | config :logger, level: :warn | ||||
config :pleroma, :auth, oauth_consumer_strategies: [] | |||||
config :pleroma, Pleroma.Upload, filters: [], link_name: false | config :pleroma, Pleroma.Upload, filters: [], link_name: false | ||||
config :pleroma, Pleroma.Uploaders.Local, uploads: "test/uploads" | config :pleroma, Pleroma.Uploaders.Local, uploads: "test/uploads" | ||||
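Review bot: The new `oauth_consumer_strategies: []` line has no comment saying why it overrides the default, which per the docs hunk in this same commit is read from the `OAUTH_CONSUMER_STRATEGIES` environment variable, so a later cleanup could drop it as redundant and make the test suite depend on the developer's shell again. I would put `# Always disable OAuth consumer strategies in tests, regardless of OAUTH_CONSUMER_STRATEGIES in the environment` above it. Note also that `OAuthController` decides at compile time whether to include `plug(Ueberauth)` (`if Pleroma.Config.oauth_consumer_enabled?(), do: plug(Ueberauth)`), so with this setting the Ueberauth plug is presumably compiled out of the test build and consumer-mode callbacks can only be exercised by populating the `ueberauth_auth` assign directly; if that is the intent, the comment should say so.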
@@ -514,7 +514,7 @@ Authentication / authorization settings. | |||||
* `auth_template`: authentication form template. By default it's `show.html` which corresponds to `lib/pleroma/web/templates/o_auth/o_auth/show.html.eex`. | * `auth_template`: authentication form template. By default it's `show.html` which corresponds to `lib/pleroma/web/templates/o_auth/o_auth/show.html.eex`. | ||||
* `oauth_consumer_template`: OAuth consumer mode authentication form template. By default it's `consumer.html` which corresponds to `lib/pleroma/web/templates/o_auth/o_auth/consumer.html.eex`. | * `oauth_consumer_template`: OAuth consumer mode authentication form template. By default it's `consumer.html` which corresponds to `lib/pleroma/web/templates/o_auth/o_auth/consumer.html.eex`. | ||||
* `oauth_consumer_strategies`: the list of enabled OAuth consumer strategies; by default it's set by OAUTH_CONSUMER_STRATEGIES environment variable. Each entry in this space-delimited string should be of format `<strategy>` or `<strategy>:<dependency>` (e.g. `twitter` or `keycloak:ueberauth_keycloak_strategy` in case dependency is named differently than `ueberauth_<strategy>`). | |||||
* `oauth_consumer_strategies`: the list of enabled OAuth consumer strategies; by default it's set by `OAUTH_CONSUMER_STRATEGIES` environment variable. Each entry in this space-delimited string should be of format `<strategy>` or `<strategy>:<dependency>` (e.g. `twitter` or `keycloak:ueberauth_keycloak_strategy` in case dependency is named differently than `ueberauth_<strategy>`). | |||||
## OAuth consumer mode | ## OAuth consumer mode | ||||
@@ -567,6 +567,24 @@ config :ueberauth, Ueberauth, | |||||
providers: [ | providers: [ | ||||
microsoft: {Ueberauth.Strategy.Microsoft, [callback_params: []]} | microsoft: {Ueberauth.Strategy.Microsoft, [callback_params: []]} | ||||
] | ] | ||||
# Keycloak | |||||
# Note: make sure to add `keycloak:ueberauth_keycloak_strategy` entry to `OAUTH_CONSUMER_STRATEGIES` environment variable | |||||
keycloak_url = "https://publicly-reachable-keycloak-instance.org:8080" | |||||
config :ueberauth, Ueberauth.Strategy.Keycloak.OAuth, | |||||
client_id: System.get_env("KEYCLOAK_CLIENT_ID"), | |||||
client_secret: System.get_env("KEYCLOAK_CLIENT_SECRET"), | |||||
site: keycloak_url, | |||||
authorize_url: "#{keycloak_url}/auth/realms/master/protocol/openid-connect/auth", | |||||
token_url: "#{keycloak_url}/auth/realms/master/protocol/openid-connect/token", | |||||
userinfo_url: "#{keycloak_url}/auth/realms/master/protocol/openid-connect/userinfo", | |||||
token_method: :post | |||||
config :ueberauth, Ueberauth, | |||||
providers: [ | |||||
keycloak: {Ueberauth.Strategy.Keycloak, [uid_field: :email]} | |||||
] | |||||
``` | ``` | ||||
## OAuth 2.0 provider - :oauth2 | ## OAuth 2.0 provider - :oauth2 | ||||
@@ -24,6 +24,14 @@ defmodule Pleroma.Web.Auth.PleromaAuthenticator do | |||||
end | end | ||||
end | end | ||||
@doc """ | |||||
Gets or creates Pleroma.Registration record from Ueberauth assigns. | |||||
Note: some strategies (like `keycloak`) might need extra configuration to fill `uid` from callback response — | |||||
see [`docs/config.md`](docs/config.md). | |||||
""" | |||||
def get_registration(%Plug.Conn{assigns: %{ueberauth_auth: %{uid: nil}}}), | |||||
do: {:error, :missing_uid} | |||||
def get_registration(%Plug.Conn{ | def get_registration(%Plug.Conn{ | ||||
assigns: %{ueberauth_auth: %{provider: provider, uid: uid} = auth} | assigns: %{ueberauth_auth: %{provider: provider, uid: uid} = auth} | ||||
}) do | }) do | ||||
@@ -51,9 +59,10 @@ defmodule Pleroma.Web.Auth.PleromaAuthenticator do | |||||
def get_registration(%Plug.Conn{} = _conn), do: {:error, :missing_credentials} | def get_registration(%Plug.Conn{} = _conn), do: {:error, :missing_credentials} | ||||
@doc "Creates Pleroma.User record basing on params and Pleroma.Registration record." | |||||
def create_from_registration( | def create_from_registration( | ||||
%Plug.Conn{params: %{"authorization" => registration_attrs}}, | %Plug.Conn{params: %{"authorization" => registration_attrs}}, | ||||
registration | |||||
%Registration{} = registration | |||||
) do | ) do | ||||
nickname = value([registration_attrs["nickname"], Registration.nickname(registration)]) | nickname = value([registration_attrs["nickname"], Registration.nickname(registration)]) | ||||
email = value([registration_attrs["email"], Registration.email(registration)]) | email = value([registration_attrs["email"], Registration.email(registration)]) | ||||
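Review bot: The new `uid: nil` clause of `get_registration/1` rejects a missing uid, but an empty-string uid would still fall through to the general clause and be looked up as `{provider, ""}`, which could tie unrelated accounts to one registration; whether a strategy can actually yield `""` (e.g. `keycloak` with `uid_field: :email` when the claim is blank) is inferred, not visible here. A guard covers both cases: `def get_registration(%Plug.Conn{assigns: %{ueberauth_auth: %{uid: uid}}}) when uid in [nil, ""], do: {:error, :missing_uid}`. The new `@doc` could also list the return shapes, `{:error, :missing_uid}` and `{:error, :missing_credentials}`, since callers branch on them. The body of the general `get_registration/1` clause lies outside the hunk.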
@@ -17,6 +17,8 @@ defmodule Pleroma.Web.OAuth.OAuthController do | |||||
alias Pleroma.Web.OAuth.Token.Strategy.Revoke, as: RevokeToken | alias Pleroma.Web.OAuth.Token.Strategy.Revoke, as: RevokeToken | ||||
alias Pleroma.Web.OAuth.Scopes | alias Pleroma.Web.OAuth.Scopes | ||||
require Logger | |||||
if Pleroma.Config.oauth_consumer_enabled?(), do: plug(Ueberauth) | if Pleroma.Config.oauth_consumer_enabled?(), do: plug(Ueberauth) | ||||
plug(:fetch_session) | plug(:fetch_session) | ||||
@@ -318,7 +320,9 @@ defmodule Pleroma.Web.OAuth.OAuthController do | |||||
|> registration_details(%{"authorization" => registration_params}) | |> registration_details(%{"authorization" => registration_params}) | ||||
end | end | ||||
else | else | ||||
_ -> | |||||
error -> | |||||
Logger.debug(inspect(["OAUTH_ERROR", error, conn.assigns])) | |||||
conn | conn | ||||
|> put_flash(:error, "Failed to set up user account.") | |> put_flash(:error, "Failed to set up user account.") | ||||
|> redirect(external: redirect_uri(conn, params["redirect_uri"])) | |> redirect(external: redirect_uri(conn, params["redirect_uri"])) | ||||
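Review bot: The added `Logger.debug(inspect(["OAUTH_ERROR", error, conn.assigns]))` dumps the whole `conn.assigns`, which on this path holds the `ueberauth_auth` struct that `get_registration/1` matches on, and that struct presumably carries the provider's credentials (access/refresh tokens) and the full user info; at debug level those would land in logs verbatim. Log only what diagnoses the failure, e.g. `Logger.debug(inspect(["OAUTH_ERROR", error, Map.take(conn.assigns, [:ueberauth_failure])]))` or the `provider`/`uid` pair taken from `ueberauth_auth`, rather than the struct. The `error` term itself may be a changeset carrying the submitted nickname/e-mail, so this line should stay at debug level and not be promoted later. The `with`/`else` block and its enclosing function begin outside the hunk.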