From 5ee24b38a2c8eb652d98369a402a2cdf682e569c Mon Sep 17 00:00:00 2001 From: Jan Malte Behrens Date: Tue, 21 Apr 2026 10:03:02 +0200 Subject: [PATCH 1/3] feat: Adding oidc middleware and keycloak server services
---
 entrypoint.sh | 62 ++++++++++++++++++++++++++++++++++++++ services/action.router | 2 ++ services/autoupdate.router | 2 ++ services/client.router | 2 ++ services/icc.router | 2 ++ services/keycloak.router | 5 +++ services/keycloak.service | 6 ++++ services/media.router | 2 ++ services/presenter.router | 2 ++ services/projector.router | 2 ++ services/search.router | 2 ++ services/vote.router | 2 ++ 12 files changed, 91 insertions(+) create mode 100644 services/keycloak.router create mode 100644 services/keycloak.service
diff --git a/entrypoint.sh b/entrypoint.sh
index 1083260..5aba728 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -41,6 +41,12 @@ VOTE_HOST="${VOTE_HOST:-vote}"
 VOTE_PORT="${VOTE_PORT:-9013}"
 CLIENT_HOST="${CLIENT_HOST:-client}"
 CLIENT_PORT="${CLIENT_PORT:-9001}"
+KEYCLOAK_HOST="${KEYCLOAK_HOST:-keycloak-server}"
+KEYCLOAK_HOST_PORT="${KEYCLOAK_HOST_PORT:-8080}"
+OIDC_KEYCLOAK_URL="${OIDC_KEYCLOAK_URL:-http://localhost:8080/realms/openslides}"
+OIDC_CLIENT_ID="${OIDC_CLIENT_ID:-proxy-client}"
+OIDC_CLIENT_SECRET="${OIDC_CLIENT_SECRET:-proxy-secret}"
+OIDC_SECRET="${OIDC_SECRET:-qvAcTGWBIGg7aWKCKRyUsTf33jK3lsmK}"
 # =================================
@@ -50,6 +56,18 @@ CLIENT_PORT="${CLIENT_PORT:-9001}"
 # Generate base config from template
 envsubst < /templates/traefik.yml > "$TRAEFIK_CONFIG"
+# Add OIDC plugin
+echo "Adding OIDC Plugin"
+cat >> "$TRAEFIK_CONFIG" << 'EOF'
+
+experimental:
+ plugins:
+ traefik-oidc-auth:
+ moduleName: github.com/sevensolutions/traefik-oidc-auth
+ version: v0.19.0
+EOF
+
+
 # Add dashboard if enabled
 if [ -n "$ENABLE_DASHBOARD" ]; then
 echo "Enabling dashboard. 'debug: true' for now. NOT FOR PRODUCTION"
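Review bot: The defaults given to `OIDC_SECRET` and `OIDC_CLIENT_SECRET` in the new variable block are literal values committed to the repository, so any deployment that forgets to override them runs with a publicly known session-encryption key and client secret. Secrets should fail closed rather than default: `: "${OIDC_SECRET:?OIDC_SECRET must be set}"` and `: "${OIDC_CLIENT_SECRET:?OIDC_CLIENT_SECRET must be set}"` in place of the two defaulted assignments, with the values generated at deploy time (e.g. `openssl rand -base64 32`). The `http://localhost:8080` default of `OIDC_KEYCLOAK_URL` only works on a developer machine and is plain HTTP; a comment marking it as a dev-only default (`# dev default; set to the public https:// issuer in real deployments`) would keep it from being shipped as-is.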
@@ -174,6 +192,50 @@ for service in $SERVICES; do
 envsubst < "$SERVICES_DIR/${service}.service" >> "$DYNAMIC_CONFIG"
 done
+# OIDC Middleware
+cat >> "$DYNAMIC_CONFIG" << EOF
+ keycloak-server:
+ loadBalancer:
+ servers:
+ - url: "http://localhost:8080"
+ passHostHeader: true
+EOF
+
+echo "Enabling OIDC authentication middleware"
+ cat >> "$DYNAMIC_CONFIG" << EOF
+
+ middlewares:
+ oidc-auth:
+ plugin:
+ traefik-oidc-auth:
+ LogLevel: debug
+ Secret: "${OIDC_SECRET}"
+ Provider:
+ Url: "${OIDC_KEYCLOAK_URL}"
+ ClientId: "${OIDC_CLIENT_ID}"
+ ClientSecret: "${OIDC_CLIENT_SECRET}"
+ UsePkce: true
+ ValidateIssuer: true
+ ValidIssuer: "${OIDC_KEYCLOAK_URL}"
+ Scopes:
+ - openid
+ - profile
+ - email
+ LoginUri: /login
+ CallbackUri: /callback
+ LogoutUri: /logout
+ UnauthorizedBehavior: Challenge
+ SessionCookie:
+ SameSite: lax
+ HttpOnly: false
+ Headers:
+ - Name: Authentication
+ Value: 'bearer {{ "{{ .accessToken }}" }}'
+ - Name: X-Forwarded-User
+ Value: '{{ "{{ .claims.preferred_username }}" }}'
+ - Name: X-Auth-Request-Email
+ Value: '{{ "{{ .claims.email }}" }}'
+EOF
 # Finally start CMD
 exec "$@"
diff --git a/services/action.router b/services/action.router
index 8cdc6b6..5f7db26 100644
--- a/services/action.router
+++ b/services/action.router
@@ -3,3 +3,5 @@
 service: action
 entryPoints:
 - main
+ middlewares:
+ - oidc-auth
diff --git a/services/autoupdate.router b/services/autoupdate.router
index 19a3806..9aeda44 100644
--- a/services/autoupdate.router
+++ b/services/autoupdate.router
@@ -3,3 +3,5 @@
 service: autoupdate
 entryPoints:
 - main
+ middlewares:
+ - oidc-auth
diff --git a/services/client.router b/services/client.router
index 5064e01..a962d0e 100644
--- a/services/client.router
+++ b/services/client.router
@@ -5,3 +5,5 @@
 - main
 # Priority ensures this catch-all route is evaluated last
 priority: 1
+ middlewares:
+ - oidc-auth
diff --git a/services/icc.router b/services/icc.router
index eb7ac0f..9ec790a 100644
--- a/services/icc.router
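Review bot: `HttpOnly: false` under `SessionCookie` makes the plugin's session cookie readable by any script running on the page, which turns an XSS in the proxied apps into session theft; unless there is a documented reason it should be `HttpOnly: true`, and the cookie should also be marked secure once the stack is served over TLS, if the plugin exposes that option. The `cat >> "$DYNAMIC_CONFIG" << EOF` here-doc is unquoted, so a value of `OIDC_SECRET` or `OIDC_CLIENT_SECRET` containing `$`, backtick or backslash is rewritten by the shell before it reaches the YAML and a `"` breaks the quoted scalar; the secrets also land in clear text in the dynamic config file, so its mode should be restricted after writing (`chmod 600 "$DYNAMIC_CONFIG"`) or a file/env-based secret option of the plugin used if v0.19.0 offers one. `LogLevel: debug` should not be the default either, since the plugin's debug output is likely to include tokens or claims.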
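Review bot: Attaching `oidc-auth` router by router means a router added later without the `middlewares:` stanza is served unauthenticated by default, which is the wrong failure mode for an authentication gate. Traefik can attach the middleware once on the entry point (`entryPoints.main.http.middlewares: ["oidc-auth@file"]` in the static config) so that every router on `main` inherits it and a route has to opt out explicitly; that would also replace the nine near-identical hunks in this commit. If some routes are meant to stay public (the projector, for instance, may be displayed without a login), that should be said in a comment next to the router rather than left implicit.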
+++ b/services/icc.router
@@ -3,3 +3,5 @@
 service: icc
 entryPoints:
 - main
+ middlewares:
+ - oidc-auth
diff --git a/services/keycloak.router b/services/keycloak.router
new file mode 100644
index 0000000..b5983d6
--- /dev/null
+++ b/services/keycloak.router
@@ -0,0 +1,5 @@
+ keycloak:
+ rule: "PathPrefix(`/system/keycloak`)
+ service: keycloak
+ entryPoints:
+ - main
diff --git a/services/keycloak.service b/services/keycloak.service
new file mode 100644
index 0000000..6c8fc17
--- /dev/null
+++ b/services/keycloak.service
@@ -0,0 +1,6 @@
+ keycloak:
+ loadBalancer:
+ servers:
+ - url: "http://${KEYCLOAK_HOST}:${KEYCLOAK_PORT}"
+ # Forward the original Host header to the backend service
+ passHostHeader: true
diff --git a/services/media.router b/services/media.router
index c428375..f44a71b 100644
--- a/services/media.router
+++ b/services/media.router
@@ -3,3 +3,5 @@
 service: media
 entryPoints:
 - main
+ middlewares:
+ - oidc-auth
diff --git a/services/presenter.router b/services/presenter.router
index 62fd449..b9a9b64 100644
--- a/services/presenter.router
+++ b/services/presenter.router
@@ -3,3 +3,5 @@
 service: presenter
 entryPoints:
 - main
+ middlewares:
+ - oidc-auth
diff --git a/services/projector.router b/services/projector.router
index 5e43d5c..7e94244 100644
--- a/services/projector.router
+++ b/services/projector.router
@@ -3,3 +3,5 @@
 service: projector
 entryPoints:
 - main
+ middlewares:
+ - oidc-auth
diff --git a/services/search.router b/services/search.router
index d6af74c..bb0e24f 100644
--- a/services/search.router
+++ b/services/search.router
@@ -3,3 +3,5 @@
 service: search
 entryPoints:
 - main
+ middlewares:
+ - oidc-auth
diff --git a/services/vote.router b/services/vote.router
index a357117..5c654eb 100644
--- a/services/vote.router
+++ b/services/vote.router
@@ -3,3 +3,5 @@
 service: vote
 entryPoints:
 - main
+ middlewares:
+ - oidc-auth
From c75883a4baa51d57b5d2d9381870361c0ff39938 Mon Sep 17 00:00:00 2001
From: Jan Malte Behrens Date: Tue, 21 Apr 2026 13:43:58 +0200 Subject: [PATCH 2/3] feat: Redirect to keycloak login
---
 entrypoint.sh | 34 ++++------------------------------ services/keycloak.router | 5 ----- services/keycloak.service | 6 ------ 3 files changed, 4 insertions(+), 41 deletions(-) delete mode 100644 services/keycloak.router delete mode 100644 services/keycloak.service
diff --git a/entrypoint.sh b/entrypoint.sh
index 5aba728..ef51aba 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -43,7 +43,8 @@ CLIENT_HOST="${CLIENT_HOST:-client}"
 CLIENT_PORT="${CLIENT_PORT:-9001}"
 KEYCLOAK_HOST="${KEYCLOAK_HOST:-keycloak-server}"
 KEYCLOAK_HOST_PORT="${KEYCLOAK_HOST_PORT:-8080}"
-OIDC_KEYCLOAK_URL="${OIDC_KEYCLOAK_URL:-http://localhost:8080/realms/openslides}"
+OIDC_KEYCLOAK_URL="${OIDC_KEYCLOAK_URL:-http://localhost:8000/auth/realms/openslides}"
+OIDC_KEYCLOAK_URL_DOCKER="${OIDC_KEYCLOAK_URL_DOCKER:-http://keycloak-server:8080/realms/openslides}"
 OIDC_CLIENT_ID="${OIDC_CLIENT_ID:-proxy-client}"
 OIDC_CLIENT_SECRET="${OIDC_CLIENT_SECRET:-proxy-secret}"
 OIDC_SECRET="${OIDC_SECRET:-qvAcTGWBIGg7aWKCKRyUsTf33jK3lsmK}"
@@ -193,14 +194,6 @@ for service in $SERVICES; do
 done
 # OIDC Middleware
-cat >> "$DYNAMIC_CONFIG" << EOF
- keycloak-server:
- loadBalancer:
- servers:
- - url: "http://localhost:8080"
- passHostHeader: true
-EOF
-
 echo "Enabling OIDC authentication middleware"
 cat >> "$DYNAMIC_CONFIG" << EOF
@@ -208,33 +201,14 @@ echo "Enabling OIDC authentication middleware"
 oidc-auth:
 plugin:
 traefik-oidc-auth:
- LogLevel: debug
 Secret: "${OIDC_SECRET}"
 Provider:
- Url: "${OIDC_KEYCLOAK_URL}"
+ Url: "${OIDC_KEYCLOAK_URL_DOCKER}"
 ClientId: "${OIDC_CLIENT_ID}"
 ClientSecret: "${OIDC_CLIENT_SECRET}"
- UsePkce: true
 ValidateIssuer: true
 ValidIssuer: "${OIDC_KEYCLOAK_URL}"
- Scopes:
- - openid
- - profile
- - email
- LoginUri: /login
- CallbackUri: /callback
- LogoutUri: /logout
- UnauthorizedBehavior: Challenge
- SessionCookie:
- SameSite: lax
- HttpOnly: false
- Headers:
- - Name: Authentication
- Value: 'bearer {{ "{{ .accessToken }}" }}'
- - Name: X-Forwarded-User
- Value: '{{ "{{ .claims.preferred_username }}" }}'
- - Name: X-Auth-Request-Email
- Value: '{{ "{{ .claims.email }}" }}'
+ Scopes: ["openid", "profile", "email"]
 EOF
 # Finally start CMD
diff --git a/services/keycloak.router b/services/keycloak.router
deleted file mode 100644
index b5983d6..0000000
--- a/services/keycloak.router
+++ /dev/null
@@ -1,5 +0,0 @@
- keycloak:
- rule: "PathPrefix(`/system/keycloak`)
- service: keycloak
- entryPoints:
- - main
diff --git a/services/keycloak.service b/services/keycloak.service
deleted file mode 100644
index 6c8fc17..0000000
--- a/services/keycloak.service
+++ /dev/null
@@ -1,6 +0,0 @@
- keycloak:
- loadBalancer:
- servers:
- - url: "http://${KEYCLOAK_HOST}:${KEYCLOAK_PORT}"
- # Forward the original Host header to the backend service
- passHostHeader: true
From 7dc1cb42078577341ce00d529688ba8bcb0cefff Mon Sep 17 00:00:00 2001 From: Jan Malte Behrens Date: Tue, 21 Apr 2026 16:28:03 +0200 Subject: [PATCH 3/3] fix: Public issuer url is now equal to keycloaks known issuer url
---
 entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/entrypoint.sh b/entrypoint.sh
index ef51aba..84e8981 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
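Review bot: Dropping `UsePkce: true` removes the one protection against authorization-code interception that does not rest on the client secret alone; if it was removed because Keycloak rejected the request, the proxy client in the realm should be configured with code challenge method S256 and the line restored, otherwise a comment should record why PKCE is off. With `Provider.Url` now pointing at `http://keycloak-server:8080/...` and `ValidIssuer` at the public `http://localhost:8080/...`, validation only works when Keycloak is pinned to a fixed hostname (the `hostname` / `KC_HOSTNAME` setting) so the `iss` claim it emits equals `ValidIssuer` regardless of which address the proxy used for discovery; a comment here saying so would stop the two values from drifting apart. Both defaults are plain `http://`, which is acceptable on the internal network but the public issuer should be `https://` in any non-development deployment.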
@@ -43,7 +43,7 @@ CLIENT_HOST="${CLIENT_HOST:-client}"
 CLIENT_PORT="${CLIENT_PORT:-9001}"
 KEYCLOAK_HOST="${KEYCLOAK_HOST:-keycloak-server}"
 KEYCLOAK_HOST_PORT="${KEYCLOAK_HOST_PORT:-8080}"
-OIDC_KEYCLOAK_URL="${OIDC_KEYCLOAK_URL:-http://localhost:8000/auth/realms/openslides}"
+OIDC_KEYCLOAK_URL="${OIDC_KEYCLOAK_URL:-http://localhost:8080/realms/openslides}"
 OIDC_KEYCLOAK_URL_DOCKER="${OIDC_KEYCLOAK_URL_DOCKER:-http://keycloak-server:8080/realms/openslides}"
 OIDC_CLIENT_ID="${OIDC_CLIENT_ID:-proxy-client}"
 OIDC_CLIENT_SECRET="${OIDC_CLIENT_SECRET:-proxy-secret}"
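Review bot: `OIDC_KEYCLOAK_URL_DOCKER` hard-codes `keycloak-server:8080` while `KEYCLOAK_HOST` and `KEYCLOAK_HOST_PORT` two lines above describe the same endpoint, so overriding the host variables no longer changes where the proxy reaches Keycloak and the two can silently disagree. Deriving the default from them keeps a single source of truth: `OIDC_KEYCLOAK_URL_DOCKER="${OIDC_KEYCLOAK_URL_DOCKER:-http://${KEYCLOAK_HOST}:${KEYCLOAK_HOST_PORT}/realms/openslides}"`. A one-line comment separating the two URLs (`# OIDC_KEYCLOAK_URL: issuer as it appears to browsers and in tokens; OIDC_KEYCLOAK_URL_DOCKER: in-network address the proxy talks to`) would also document the distinction this commit is correcting.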