Closed stuartwdouglas closed 3 years ago
/cc @MikeEdgar, @pedroigor, @phillip-kruger, @sberyozkin
@sberyozkin can you have a look at this? I had a quick play to set this up manually with the DevServices PR but I could not get CORS to work.
@sberyozkin let me know if I can help
@phillip-kruger Hi Phillip, I'd appreciate if you could investigate as you know all about Swagger UI, and maybe I can help somehow as well :-).
Let me just try to understand what is the requirement, we've discussed a few related issues earlier, so as far as I recall, if a Quarkus is protected by `quarkus-oidc`, then if a bearer token is required by Quarkus `service` application, then as you have shown in one of your demos one can enter a user name and password from Swagger UI page to authenticate to Keycloak, etc, and next one can access Quarkus from Swagger UI.
So is Stuart asking for Swagger UI to pick the current Keycloak container URL dynamically? Makes sense, that should be easy, `keycloak.url` property is registered, so once we have #17364 completed then it would be easy to do.
Even without DevServices this should not have to be configured twice, it should just re-use the config from OIDC, although when I attempted to use this it failed due to CORS (i.e. Keycloak not sending the access-control-allowed-origins header, so the browser rejected the auth request).
@stuartwdouglas Hi Stuart, makes sense.
There are 2 cases here:
1) `quarkus-oidc` `service` app, then as far as Swagger UI is concerned it effectively acts as a browser hosted SPA which itself acquires a token from KC using for example a password grant (or maybe a client creds grant - @phillip-kruger, please clarify), Phillip showed it in his demos, and then the token is being sent to Quarkus - in this case I'd not expect a CORS issue between Swagger UI and Keycloak to happen.
2) `quarkus-oidc` `web-app` app where Quarkus is managing the authentication - it would not work if Swagger UI would try to access a protected resource exactly because of the CORS issue - because Swagger UI is using either `XMLHttpRequest` or `Fetch`, and as it happens Keycloak does not actually support CORS for its authorization endpoint (which deals with the user authentication), we've discussed it with Pedro @pedroigor at length a while back and came up with this workaround. I agree it would be great for Swagger UI to work in this case as well - but it would need to be modified somehow to accept such a workaround.
Phillip, I reassigned it to you, thanks
OK, @stuartwdouglas @sberyozkin
I am starting work on this. I am going to approach this in multiple steps:
1) Make Swagger UI configure itself from the security of the app. I am starting with the examples I used in my talk. There might be more that we can then add afterwards. For this to work, I am creating a new BuildItem that the security extensions will produce.
2) Look at if we can preauthorize a Swagger UI session, and if so, allow browsing from Dev UI Keycloak screen to Swagger UI, already logged in. If not, it might still be a good idea to add the link in the Dev UI Keycloak screen, you might just have to authenticate again, but at least because of above step 1 the setup is done.
3) Look at the `web-app` scenario.
On another note, something that I have been thinking about that might be useful in general for dev services. At the moment, it's very cool that a developer can use a Database or Keycloak etc. without configuration, but what might be nice is if somewhere in Dev UI I can see what is all the DevServices configuration that has been auto-configured for me, so that I know what I need to configure for test and prod environments. WDYT?
Good idea, I actually just refactored dev services so now all this info is in DevServicesLauncherConfigResultBuildItem
Ok cool, let me have a look at how we can display this in Dev UI.
At the moment it is possible to configure Swagger UI + OIDC manually: https://quarkus.io/guides/openapi-swaggerui#quarkus-swaggerui_quarkus.swagger-ui.oauth-client-id
This is not compatible with DevServices, as the URL will be different each time. It also requires doubling up on configuration that is already known by the OIDC extension.
If OIDC + Swagger UI is present this should be automatically configured. This means that a user can add Keycloak + Swagger UI and immediately and simply test authenticated endpoints without needing to manually get a token and then copy it into a curl command.
IMHO once we have this we should also update our docs to include it as well as the curl approach.
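To make the duplication concrete, here is what the manual Swagger UI + OIDC wiring from the linked guide looks like in `application.properties`. This is an added illustration, not configuration from the issue or the Quarkus project; the Keycloak address, realm name, and client ids are assumed values.

```properties
# Constructed example: manual Swagger UI + OIDC wiring (assumed values)

# OIDC extension: the realm and the confidential client the service trusts.
quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus
quarkus.oidc.client-id=backend-service
quarkus.oidc.credentials.secret=change-me
quarkus.oidc.application-type=service

# OpenAPI document: advertise an OAuth2 implicit security scheme so Swagger UI
# renders an "Authorize" button. The same realm address must be typed again
# here; under Dev Services the container URL differs per run, so these two
# hard-coded entries go stale while quarkus.oidc.auth-server-url is injected.
quarkus.smallrye-openapi.security-scheme=oauth2-implicit
quarkus.smallrye-openapi.oauth2-implicit-authorization-url=http://localhost:8180/realms/quarkus/protocol/openid-connect/auth
quarkus.smallrye-openapi.oauth2-implicit-token-url=http://localhost:8180/realms/quarkus/protocol/openid-connect/token

# Swagger UI: a separate public client that the browser uses to obtain the
# token. Use a Keycloak client with no secret here; a
# quarkus.swagger-ui.oauth-client-secret value is delivered to the page, so a
# confidential client's secret should never be placed in it.
quarkus.swagger-ui.oauth-client-id=swagger-ui
```

Keycloak must also list the Swagger UI origin (the Quarkus dev address) in the `swagger-ui` client's Web Origins for the browser-side token call to pass CORS.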