hawtio / hawtio-kubernetes

hawtio plugin for working with kubernetes
Apache License 2.0

create a hawtio-oauth plugin from the various keycloak / oauth / authentication code in various projects #17

Closed jstrachan closed 9 years ago

jstrachan commented 9 years ago

It'd be great to make the authentication code from #16, from hawkular, hawtio 1.x and OpenShift origin into a separate reusable hawtio 2.x plugin so any hawtio plugin can just reuse it

jstrachan commented 9 years ago

hawkular has some existing code: https://github.com/hawkular/hawkular-ui-components/tree/master/plugins/accounts/plugins/accounts/ts

it depends on keycloak in bower: https://github.com/hawkular/hawkular-ui-components/blob/master/bower.json#L40

it uses this keycloak initialisation code: https://github.com/hawkular/hawkular-ui-components/blob/master/plugins/accounts/index.html#L43

the KeyCloak.json (which could be turned into KeyCloak.ts) and the authInterceptor: https://github.com/hawkular/hawkular-ui-components/blob/master/plugins/accounts/plugins/accounts/ts/authInterceptor.ts#L23

jstrachan commented 9 years ago

Here's the hawtio 1.x changes https://github.com/mposolda/hawtio/commit/1f25c04b151a9e6ba0e16bf1b3dbf4aedd060c77

things have changed a bit on hawtio 2.x where there's not necessarily a java back end; however the login UI should be reusable

jstrachan commented 9 years ago

Here's the auth code from OpenShift origin's console: https://github.com/openshift/origin/blob/master/assets/app/scripts/services/auth.js#L1 https://github.com/openshift/origin/blob/master/assets/app/scripts/services/login.js https://github.com/openshift/origin/blob/master/assets/app/scripts/services/logout.js

gashcrumb commented 9 years ago

Created hawtio-keycloak -> https://github.com/hawtio/hawtio-keycloak

Have it handling auth during bootstrap, just working out a little CORS issue I'm hitting though once authentication is successful. Once that's working I'll add a UserProfile service/api that can store user details from the server and auth token that can be used (or not) in plugins.

gashcrumb commented 9 years ago

I've gotten it working using the demo config that @mposolda had for 1.x. I did also have to add an extra web origin to the 'hawtio-client' application for http://localhost:2772 since 2.x stuff tends to listen on 2772 at least in dev. In any case you can bring in hawtio-keycloak as a bower dependency, then you just have to configure keycloak using either a string which would be the URL to a keycloak JSON file or just the URL, realm and clientId like this example. There's still some work I'd like to do for refreshing the token and providing some nice wrappers so it's not a lot of work to pass along the token; also an error page is needed for issues like if keycloak is misconfigured etc. But assuming a successful login hawtio-keycloak will update the userDetails service (like in 1.x) with the token, username, etc.

gashcrumb commented 9 years ago

Oh, also note that I enhanced hawtioPluginLoader.registerPreBootstrapTask for this so you can stick stuff at the start of the list too, hence the second argument being passed in the example code :-)

gashcrumb commented 9 years ago

With this commit I've added a plugin to integrate with openshift's oauth backend. It's a similar approach to the keycloak plugin, you just configure it at app bootstrap. Outstanding stuff still is handling logouts and token refreshing, but with this you can connect hawtio-kubernetes to a newer instance of openshift. One thing to note: you've got to run hawtio-kubernetes at localhost:9000 currently, seems openshift out of the box is set up only to allow localhost:9000 as a valid redirect location, must be configurable somewhere though...

gashcrumb commented 9 years ago

K, added hawtio-oauth to hawtio-kubernetes. You just need to set OPENSHIFT_CONSOLE in your environment (defaults to https://localhost:8444) and the gulp task will set up a proxy to that guy. The frontend will then download the config.js script that the openshift console uses to figure out oauth and use that config. So basically as hawtio-kubernetes boots up you should get re-directed to the openshift login screen, then re-directed back to hawtio-kubernetes. If you have a look in the debug logging you'll see we'll have grabbed the auth token from the redirect.

Still need to get that logout button in place; also still need to deal with token refreshing as well.
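
The "grab the auth token from the redirect" step described above, written out as an added example of how a client can validate that redirect and decide when the token needs refreshing. This is not hawtio-oauth's or hawtio-keycloak's code; `parseImplicitCallback`, `needsRefresh`, `scrubFragment` and the sample fragment are assumptions constructed for the example.

```javascript
// Added example (not hawtio-oauth's own code): handle the OAuth2 implicit-flow
// redirect described above. The token comes back in the URL fragment (after '#'),
// so it never reaches the server, but the client must still check the `state`
// it sent before the redirect and treat the token as short-lived.

// Parse "#access_token=...&token_type=Bearer&expires_in=3600&state=..." and
// validate it against the state value stored before the redirect.
// Returns { token, expiresAt } on success, or { error } on failure.
function parseImplicitCallback(fragment, expectedState, nowSeconds) {
  const params = new URLSearchParams(fragment.replace(/^#/, ''));
  if (params.has('error')) {
    // The provider reported a failure, e.g. a clientId or redirect URI mismatch
    return { error: params.get('error_description') || params.get('error') };
  }
  // Reject the callback unless the state round-trips: a token delivered to a
  // page that never started a login (or carrying a foreign state) is dropped.
  if (!expectedState || params.get('state') !== expectedState) {
    return { error: 'state mismatch' };
  }
  const token = params.get('access_token');
  const tokenType = (params.get('token_type') || '').toLowerCase();
  if (!token || tokenType !== 'bearer') {
    return { error: 'no bearer token in redirect' };
  }
  // Assume a short lifetime when expires_in is absent so the token gets
  // refreshed rather than used indefinitely.
  const expiresIn = parseInt(params.get('expires_in'), 10);
  const lifetime = Number.isFinite(expiresIn) && expiresIn > 0 ? expiresIn : 300;
  return { token, expiresAt: nowSeconds + lifetime };
}

// True when the stored token should be refreshed (i.e. the login redirect
// re-run): missing, expired, or within `skewSeconds` of expiring.
function needsRefresh(userDetails, nowSeconds, skewSeconds = 60) {
  return !userDetails || !userDetails.token ||
    userDetails.expiresAt - skewSeconds <= nowSeconds;
}

// Strip the fragment so the token does not linger in the address bar, browser
// history or a copied URL (no-op outside a browser window).
function scrubFragment(win) {
  if (win && win.history && typeof win.history.replaceState === 'function') {
    win.history.replaceState(null, '', win.location.pathname + win.location.search);
  }
}
```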

gashcrumb commented 9 years ago

Think this is set.