alfio-event / alf.io

alf.io - The open source ticket reservation system for conferences, trade shows, workshops, meetups
https://alf.io
GNU General Public License v3.0
1.38k stars, 344 forks

OpenID Configuration #1074

Open devium opened 2 years ago

devium commented 2 years ago

Describe the bug There are several issues with the current OpenID Implementation. I'm using Keycloak v17.0.2 as OIDC provider:

  1. The values read from application.properties do not match the values described in the documentation. These are the actual values read from application.properties:
     https://github.com/alfio-event/alf.io/blob/2.0-M4-2204/src/main/java/alfio/manager/openid/OpenIdConfiguration.java#L81-L93
     And these are the values described in the documentation:
     https://github.com/alfio-event/alf.io/blob/2.0-M4-2204/website/content/en/docs/Configuration/OpenID/_index.md

  2. The docs don't mention that you need to enable the openid Spring profile.

  3. The docs mention that organization fields should be specified as organization1/SPONSOR, however the parsing code actually expects 3 parts, separated by /:
     https://github.com/alfio-event/alf.io/blob/2.0-M4-2204/src/main/java/alfio/manager/openid/AdminOpenIdAuthenticationManager.java#L147-L148
     A workaround is to instead specify the organization as /organization1/SPONSOR, but I don't think this is intended.

  4. Alf.io expects a client scope per claim specified in the .properties file. This is usually not how scopes and claims are used. Relevant code:
     https://github.com/alfio-event/alf.io/blob/2.0-M4-2204/src/main/java/alfio/manager/openid/AdminOpenIdAuthenticationManager.java#L122-L128
     Instead, users should be able to specify requested scopes in the application.properties file like openid.scopes=openid,email,myprofile. For example, check out how Grafana implements Generic OAuth:
     https://grafana.com/docs/grafana/latest/auth/generic-oauth/
     The workaround is to create a dummy client scope per used claim in Keycloak.

  5. I would love to be able to configure the used claim for the resulting username in the database. By default, this is the email claim. On my setup, emails and usernames are modifiable by users. That's why I use the sub claim as the username in other apps. For example, Grafana offers the name_attribute_path config value for their OAuth configuration. In alf.io I'd love a corresponding openid.usernameClaim config value.

To Reproduce

Steps to reproduce the behavior:

  1. Follow the OpenID instructions using Keycloak: https://github.com/alfio-event/alf.io/blob/2.0-M4-2204/website/content/en/docs/Configuration/OpenID/_index.md
  2. Enable the openid Spring profile
  3. Run alf.io
  4. Navigate to example.com/admin
  5. 500 error without any logs (OpenID values are not properly set)
  6. If above error is fixed, the OIDC provider (Keycloak) will most likely return an error since the requested scopes are actual claims that don't exist as scopes.

Expected behavior

Be redirected to Keycloak, being able to login, and be returned to the admin page.

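The following is an added illustration of the three mechanisms the report touches on (items 3, 4 and 5), written by the editor in Python rather than the project's Java; it is not alf.io's code and does not call alf.io's API. It shows requested scopes configured as a list and sent as one `scope` parameter (claims are read from the returned ID token, never requested as scopes), a configurable username claim, and a tolerant parser for `organization1/SPONSOR` entries that accepts but does not require the leading slash. The `OpenIdConfig` shape, the `alfio_roles` claim name, the issuer and every token value below are constructed assumptions for the example, not something Keycloak or alf.io emits as such.

```python
"""Illustrative OIDC claim handling (added example, not alf.io code).

Models: requested scopes as a configured list (issue item 4), a
configurable username claim (item 5), and tolerant parsing of
"organization/ROLE" entries (item 3). The config shape, the claim name
"alfio_roles" and all token values are constructed assumptions.
"""
from dataclasses import dataclass
from urllib.parse import urlencode


@dataclass(frozen=True)
class OpenIdConfig:
    scopes: tuple        # requested OAuth scopes, e.g. ("openid", "email")
    username_claim: str  # ID-token claim that becomes the local username
    roles_claim: str     # claim carrying "organization/ROLE" entries (assumed name)


def parse_scopes(raw: str) -> tuple:
    """Split a comma-separated value such as 'openid,email,myprofile'.

    'openid' is mandatory: without it the provider runs a plain OAuth flow
    and returns no ID token.
    """
    scopes = tuple(s.strip() for s in raw.split(",") if s.strip())
    if "openid" not in scopes:
        raise ValueError("the 'openid' scope is required for an OIDC flow")
    return scopes


def authorize_params(cfg: OpenIdConfig, client_id: str, redirect_uri: str,
                     state: str, nonce: str) -> dict:
    """Query parameters for the authorization request.

    Scopes travel as one space-separated 'scope' parameter; the provider
    decides which claims each scope releases. No claim name is ever sent
    as a scope, which is the mismatch described in item 4.
    """
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(cfg.scopes),
        "state": state,  # CSRF binding; must be checked on the callback
        "nonce": nonce,  # echoed in the ID token; must be checked as well
    }


def parse_org_role(entry: str) -> tuple:
    """Parse 'organization1/SPONSOR'. A leading slash is tolerated, not required."""
    parts = [p for p in entry.strip().split("/") if p]
    if len(parts) != 2:
        raise ValueError(f"expected organization/ROLE, got {entry!r}")
    return parts[0], parts[1]


def resolve_user(cfg: OpenIdConfig, claims: dict) -> tuple:
    """Map already-verified ID-token claims to (username, {org: {roles}}).

    Signature, issuer, audience, expiry and nonce checks happen before this
    step; this function only performs the mapping.
    """
    username = claims.get(cfg.username_claim)
    if not isinstance(username, str) or not username:
        raise ValueError(f"claim {cfg.username_claim!r} missing from ID token")
    roles = {}
    for entry in claims.get(cfg.roles_claim, []):
        org, role = parse_org_role(entry)
        roles.setdefault(org, set()).add(role)
    return username, roles


# Constructed ID-token payloads for the same account before and after the
# user changed their e-mail address. Only 'sub' is stable across the change.
TOKEN_BEFORE = {
    "iss": "https://keycloak.example.test/realms/demo",
    "sub": "f3b1c7e0-0000-4000-8000-000000000001",
    "email": "alice@example.test",
    "alfio_roles": ["organization1/SPONSOR", "/organization2/OWNER"],
}
TOKEN_AFTER = {**TOKEN_BEFORE, "email": "alice.smith@example.test"}

CFG_SUB = OpenIdConfig(parse_scopes("openid,email,myprofile"), "sub", "alfio_roles")
CFG_EMAIL = OpenIdConfig(CFG_SUB.scopes, "email", "alfio_roles")


def username_is_stable(cfg: OpenIdConfig) -> bool:
    """True when the account keeps the same local username across the e-mail change."""
    return resolve_user(cfg, TOKEN_BEFORE)[0] == resolve_user(cfg, TOKEN_AFTER)[0]


if __name__ == "__main__":
    print(urlencode(authorize_params(CFG_SUB, "alfio", "https://alfio.example.test/callback", "s1", "n1")))
    print(resolve_user(CFG_SUB, TOKEN_BEFORE))
    print("sub stable:", username_is_stable(CFG_SUB), "email stable:", username_is_stable(CFG_EMAIL))
```

Run as a script it prints the authorization query string, the resolved user for the first constructed token, and shows that keying the local account on `sub` survives the e-mail change while keying it on `email` produces a second, unrelated account. The parser deliberately accepts both `organization1/SPONSOR` and `/organization1/SPONSOR`, so a deployment that adopted the leading-slash workaround would keep working.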

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.