Admin authentication problems

[fzaninotto]

Description

When visiting the demo for the first time, if I click on the "Admin" button, I see a login page. It presents 2 possible test accounts: John Doe and Chuck Norris.

Logging in with the first one leads to an admin with an error message.

Furthermore, it is impossible to log out to try the other user. Clicking on the "Logout" button in the user menu doesn't redirect to the login page.

How to reproduce

1. Go to https://demo.api-platform.com
2. Click on the "Admin" button

Possible Solution

• Do not propose the user John Doe in this screen
• Fix the logout

[vincentchalamon]

I think it's more complex than it appears...

The whole project uses Keycloak for authentication and authorization, so it shares the same login page. AFAIK it's not easily possible to have a different login page between the admin and the front without changing the architecture of the project with a definitively more complex one... (this project aims to be simple)

The logout bug has a fix in progress (https://github.com/api-platform/demo/pull/428).

IMHO the problem here is that this admin doesn't show a clean "Forbidden" page here. Do you know how to handle that properly?

[fzaninotto]

React-admin has the notion of "authentication" (anonymous vs identified users) and of "authorization" (the levels of credentials an authenticated user has). Displaying a custom "forbidden" page to an identified users without enough permissions requires reading the permissions with usePermissions and rendering an unauthorized page if there is not enough permissions:

https://marmelab.com/react-admin/usePermissions.html

You'll need to implement the authProvider.getPermissions based on the Keycloak response.

[vincentchalamon]

I tried to implement something, but I'm definitely not a JS expert... I'm stuck on the following error, if you have any idea how to fix it:

Reproducer available here: https://github.com/api-platform/demo/pull/429