ONEARMY / community-platform

A platform to build useful communities that aim to tackle global problems
https://platform.onearmy.earth
MIT License
1.14k stars 390 forks

Implement keycloak auth system #533

Closed chrismclarke closed 5 years ago

chrismclarke commented 5 years ago

More to serve as a reminder, demo given on Slack of how to implement a login system using Keycloak to also allow users to sign in via their credentials on the DH WordPress site. It should be implemented into the platform for testing. This includes:

wallies commented 5 years ago

@chrismclarke what would you see as the benefits of using Keycloak? Yes, it's a good server, but do you want to burn time setting up and maintaining this? Interesting to hear reasons to move away from Firebase. Maybe a move to something like Auth0, or were you trying to optimise costs to use an open-source solution? More than happy, like I said in another issue, to help out with the backend role you have on the next.preciousplastic website, just can't travel at the moment.

chrismclarke commented 5 years ago

So the main reasons I guess are:

  1. Allowing auth via DaveHakkens.nl - as this community will be the first to test the platform we wanted to provide a seamless way that users could log in using existing credentials and migrate their account details across. I tested a workaround with Firebase (storing hashed passwords on the db, allowing users to login with their emails and check pw against hash, and use to create new account whilst giving appearance of logging in with old), but it felt hacky at best and bad security practice at worst. With Keycloak we can set up a direct link to the WordPress site, and I see this being of use/interest to others doing the same in the future.

  2. Integrating more 3rd party services - this is one we had planned to do initially, specifically hosting a database powered by discourse. Plans changed, but having the ability to integrate a different 3rd party with the existing platform and login system could still be interesting/useful to people in the future.

  3. Slow migration away from firebase - As much as I really love and am an advocate for their tools, I know there's lots of people who (rightly) question the motives and nature of the big companies in tech. So again, this is mostly to provide an option for people, in the same way we are currently working to make it easier to swap in and out database providers and hosting also.

The good news is I already made a test server with keycloak running and communicating with a testing wordpress site, but it still will be a reasonable amount of effort to integrate fully (hoping to get it done in the first half of Sep).

wallies commented 5 years ago

Cool, let me know if I can help. Have done a lot of work with Keycloak, OAuth, identity management, SAML etc.

chrismclarke commented 5 years ago

Awesome! Yeah, I definitely will. I'll let you know once the server is spun up and configured with WordPress. The missing piece of the puzzle currently is the mechanisms for communicating with it from the platform (request/handle tokens and ideally provide some form of automated/invisible login for returning users like what currently happens with Firebase). I'm guessing something like passport.js will cover all that's needed, but if you have any other suggestions/ideas feel free to share.
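The request/handle-tokens step and the invisible login for returning users mentioned in the comment above, as an added example that is not part of the original thread or the project's code. It uses the standard OpenID Connect authorization-code flow with PKCE and `prompt=none` directly rather than passport.js; the realm URL, client id, redirect URI and function names are placeholders chosen for illustration.

```javascript
// Added example; realm URL, client id and redirect URI are placeholders.
const nodeCrypto = require('node:crypto');
// Assumed realm base URL; older Keycloak releases put "/auth" before "/realms".
const REALM_URL = 'https://keycloak.example/realms/demo';
const CLIENT_ID = 'community-platform'; // hypothetical client id
const REDIRECT_URI = 'https://platform.example/auth/callback';
const b64url = (buf) => buf.toString('base64url');

// Build an authorization-code request. silent=true adds prompt=none, asking the
// identity provider to reuse an existing session without showing a login form.
function buildAuthRequest({ silent = false } = {}) {
  const state = b64url(nodeCrypto.randomBytes(16));    // binds the callback to this attempt
  const nonce = b64url(nodeCrypto.randomBytes(16));    // must match the ID token's nonce claim
  const verifier = b64url(nodeCrypto.randomBytes(32)); // PKCE secret, never sent in the redirect
  const challenge = b64url(nodeCrypto.createHash('sha256').update(verifier).digest());
  const url = new URL(`${REALM_URL}/protocol/openid-connect/auth`);
  url.search = new URLSearchParams({
    response_type: 'code', client_id: CLIENT_ID, redirect_uri: REDIRECT_URI,
    scope: 'openid', state, nonce,
    code_challenge: challenge, code_challenge_method: 'S256',
    ...(silent ? { prompt: 'none' } : {}),
  }).toString();
  return { url: url.toString(), pending: { state, nonce, verifier, silent } };
}

// Handle the redirect back: returns the token-endpoint request to send, or an
// instruction to fall back to interactive login; throws on a bad callback.
function handleCallback(callbackUrl, pending) {
  const params = new URL(callbackUrl).searchParams;
  const got = Buffer.from(params.get('state') || '');
  const want = Buffer.from(pending.state);
  if (got.length !== want.length || !nodeCrypto.timingSafeEqual(got, want)) {
    throw new Error('state mismatch: callback does not belong to this login attempt');
  }
  const error = params.get('error');
  if (error) {
    // login_required is the expected answer to prompt=none when no session exists.
    if (pending.silent && error === 'login_required') return { action: 'interactive' };
    throw new Error(`authorization failed: ${error}`);
  }
  const code = params.get('code');
  if (!code) throw new Error('callback has neither code nor error');
  const body = new URLSearchParams({
    grant_type: 'authorization_code', code, client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI, code_verifier: pending.verifier,
  }).toString();
  return { action: 'token', endpoint: `${REALM_URL}/protocol/openid-connect/token`, body };
}
```

The `pending` object has to be kept per login attempt (for example in session storage) until the callback arrives, and the ID token returned by the token endpoint still needs its signature and `nonce` checked before the user is treated as logged in.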

chrismclarke commented 5 years ago

Alternate workarounds found to avoid need for Keycloak. Closing.