[DOP-21576] Update Keycloak provider for auth with Frontend

Author: TiGrib

.env.local

@@ -16,15 +16,24 @@ export DATA_RENTGEN__UI__API_BROWSER_URL=http://localhost:8000
 export DATA_RENTGEN__SERVER__SESSION__SECRET_KEY=session_secret_key
 
 # Keycloak Auth
-export DATA_RENTGEN__AUTH__KEYCLOAK__SERVER_URL=http://keycloak:8080
+export DATA_RENTGEN__AUTH__KEYCLOAK__SERVER_URL=http://localhost:8080
 export DATA_RENTGEN__AUTH__KEYCLOAK__REALM_NAME=manually_created
 export DATA_RENTGEN__AUTH__KEYCLOAK__CLIENT_ID=manually_created
-export DATA_RENTGEN__AUTH__KEYCLOAK__CLIENT_SECRET=generated_by_keycloak
-export DATA_RENTGEN__AUTH__KEYCLOAK__REDIRECT_URI=http://localhost:8000/auth/callback
+export DATA_RENTGEN__AUTH__KEYCLOAK__CLIENT_SECRET=change_me
+export DATA_RENTGEN__AUTH__KEYCLOAK__REDIRECT_URI=http://localhost:3000/callback
 export DATA_RENTGEN__AUTH__KEYCLOAK__SCOPE=email
 export DATA_RENTGEN__AUTH__KEYCLOAK__VERIFY_SSL=False
 export DATA_RENTGEN__AUTH__PROVIDER=data_rentgen.server.providers.auth.keycloak_provider.KeycloakAuthProvider
 
 # Dummy Auth
 export DATA_RENTGEN__AUTH__PROVIDER=data_rentgen.server.providers.auth.dummy_provider.DummyAuthProvider
 export DATA_RENTGEN__AUTH__ACCESS_TOKEN__SECRET_KEY=secret
+
+# Cors
+export DATA_RENTGEN__SERVER__CORS__ENABLED=True
+export DATA_RENTGEN__SERVER__CORS__ALLOW_ORIGINS=["http://localhost:3000"]
+export DATA_RENTGEN__SERVER__CORS__ALLOW_CREDENTIALS=true
+export DATA_RENTGEN__SERVER__CORS__ALLOW_METHODS=["*"]
+export DATA_RENTGEN__SERVER__CORS__ALLOW_HEADERS=["*"]
+export DATA_RENTGEN__SERVER__CORS__EXPOSE_HEADERS=["X-Request-ID", "Location", "Access-Control-Allow-Credentials"]
+

data_rentgen/server/api/handlers.py

@@ -8,7 +8,6 @@
 from asgi_correlation_id import correlation_id
 from fastapi import FastAPI, HTTPException, Request, Response
 from fastapi.exceptions import RequestValidationError
-from fastapi.responses import RedirectResponse
 from pydantic import ValidationError
 
 from data_rentgen.exceptions import ApplicationError, AuthorizationError, RedirectError
@@ -92,8 +91,20 @@ def application_exception_handler(request: Request, exc: ApplicationError) -> Re
     )
 
 
-def redirect_exception_handler(_: Request, exc: RedirectError) -> Response:
-    return RedirectResponse(url=exc.message)
+def redirect_exception_handler(request: Request, exc: RedirectError) -> Response:
+    logger.info("Redirect user to keycloak")
+    response = get_response_for_exception(RedirectError)
+    if not response:
+        return unknown_exception_handler(request, exc)
+    content = response.schema(  # type: ignore[call-arg]
+        message=exc.message,
+        details=exc.details,
+    )
+
+    return exception_json_response(
+        status=response.status,
+        content=content,
+    )
 
 
 def exception_json_response(

data_rentgen/server/api/v1/router/auth.py

@@ -1,21 +1,37 @@
 # SPDX-FileCopyrightText: 2024 MTS PJSC
 # SPDX-License-Identifier: Apache-2.0
+import base64
+from http import HTTPStatus
+from logging import getLogger
 from typing import Annotated
 
-from fastapi import APIRouter, Depends
+from fastapi import APIRouter, Depends, HTTPException, Request
 from fastapi.security import OAuth2PasswordRequestForm
 
+from data_rentgen.db.models.user import User
 from data_rentgen.dependencies import Stub
 from data_rentgen.server.errors.registration import get_error_responses
 from data_rentgen.server.errors.schemas.invalid_request import InvalidRequestSchema
-from data_rentgen.server.errors.schemas.not_authorized import NotAuthorizedSchema
-from data_rentgen.server.providers.auth import AuthProvider, DummyAuthProvider
+from data_rentgen.server.errors.schemas.not_authorized import (
+    NotAuthorizedRedirectSchema,
+    NotAuthorizedSchema,
+)
+from data_rentgen.server.providers.auth import (
+    AuthProvider,
+    DummyAuthProvider,
+    KeycloakAuthProvider,
+)
 from data_rentgen.server.schemas.v1.auth import AuthTokenSchema
+from data_rentgen.server.schemas.v1.user import UserResponseV1
+from data_rentgen.server.services import get_user
+
+logger = getLogger(__name__)
+
 
 router = APIRouter(
     prefix="/auth",
     tags=["Auth"],
-    responses=get_error_responses(include={NotAuthorizedSchema, InvalidRequestSchema}),
+    responses=get_error_responses(include={NotAuthorizedSchema, InvalidRequestSchema, NotAuthorizedRedirectSchema}),
 )
 
 
@@ -28,3 +44,33 @@ async def token(
         login=form_data.username,
     )
     return AuthTokenSchema.model_validate(user_token)
+
+
+@router.get("/callback")
+async def auth_callback(
+    request: Request,
+    state: str,
+    code: str,
+    auth_provider: Annotated[KeycloakAuthProvider, Depends(Stub(AuthProvider))],
+):
+    state = base64.b64decode(state.encode("utf-8"))  # type: ignore[assignment]
+    original_url = state.decode("utf-8")  # type: ignore[attr-defined]
+
+    if not original_url:
+        raise HTTPException(status_code=HTTPStatus.BAD_REQUEST, detail="Invalid original_url")
+    code_grant = await auth_provider.get_token_authorization_code_grant(
+        code=code,
+        redirect_uri=auth_provider.settings.keycloak.redirect_uri,
+    )
+    request.session["access_token"] = code_grant["access_token"]
+    request.session["refresh_token"] = code_grant["refresh_token"]
+
+    return HTTPStatus.OK
+
+
+@router.get("/me")
+async def check_auth(
+    current_user: User = Depends(get_user()),
+):
+    logger.info("User check: %s", current_user.name)
+    return UserResponseV1.model_validate(current_user)

data_rentgen/server/errors/schemas/__init__.py

@@ -1,11 +1,15 @@
 # SPDX-FileCopyrightText: 2024 MTS PJSC
 # SPDX-License-Identifier: Apache-2.0
 from data_rentgen.server.errors.schemas.invalid_request import InvalidRequestSchema
-from data_rentgen.server.errors.schemas.not_authorized import NotAuthorizedSchema
+from data_rentgen.server.errors.schemas.not_authorized import (
+    NotAuthorizedRedirectSchema,
+    NotAuthorizedSchema,
+)
 from data_rentgen.server.errors.schemas.not_found import NotFoundSchema
 
 __all__ = [
     "InvalidRequestSchema",
     "NotFoundSchema",
     "NotAuthorizedSchema",
+    "NotAuthorizedRedirectSchema",
 ]

data_rentgen/server/errors/schemas/not_authorized.py

@@ -4,6 +4,7 @@
 from typing import Any, Literal
 
 from data_rentgen.exceptions.auth import AuthorizationError
+from data_rentgen.exceptions.redirect import RedirectError
 from data_rentgen.server.errors.base import BaseErrorSchema
 from data_rentgen.server.errors.registration import register_error_response
 
@@ -15,3 +16,17 @@
 class NotAuthorizedSchema(BaseErrorSchema):
     code: Literal["unauthorized"] = "unauthorized"
     details: Any = None
+
+
+@register_error_response(
+    exception=RedirectError,
+    status=http.HTTPStatus.UNAUTHORIZED,
+)
+class NotAuthorizedRedirectSchema(BaseErrorSchema):
+    """
+    The reason of using UNAUTHORIZED instead of strict redirect is:
+    Fronted is using `fetch()` function which can't handle redirect responses
+    https://github.com/whatwg/fetch/issues/601
+    """
+
+    code: Literal["auth_redirect"] = "auth_redirect"

data_rentgen/server/providers/auth/keycloak_provider.py

@@ -1,10 +1,13 @@
 # SPDX-FileCopyrightText: 2024 MTS PJSC
 # SPDX-License-Identifier: Apache-2.0
+import base64
 import logging
+from http import HTTPStatus
 from typing import Annotated, Any
 
-from fastapi import Depends, FastAPI, Request
+from fastapi import Depends, FastAPI, HTTPException, Request
 from keycloak import KeycloakOpenID
+from keycloak.exceptions import KeycloakConnectionError
 
 from data_rentgen.db.models import User
 from data_rentgen.dependencies import Stub
@@ -69,6 +72,7 @@ async def get_token_authorization_code_grant(
                 redirect_uri=redirect_uri,
             )
         except Exception as e:
+            logger.error("Error when trying to get token: %s", e)
             raise AuthorizationError("Failed to get token") from e
 
     async def get_current_user(self, access_token: str, *args, **kwargs) -> User:
@@ -77,23 +81,22 @@ async def get_current_user(self, access_token: str, *args, **kwargs) -> User:
 
         if not access_token:
             logger.debug("No access token found in session.")
-            self.redirect_to_auth()
+            self.redirect_to_auth(str(request.url))
 
         # if user is disabled or blocked in Keycloak after the token is issued, he will
         # remain authorized until the token expires (not more than 15 minutes in MTS SSO)
         token_info = self.decode_token(access_token)
-
         if token_info is None and refresh_token:
             logger.debug("Access token invalid. Attempting to refresh.")
-            access_token, refresh_token = self.refresh_access_token(refresh_token)
+            access_token, refresh_token = self.refresh_access_token(refresh_token, str(request.url))
             request.session["access_token"] = access_token
             request.session["refresh_token"] = refresh_token
 
             token_info = self.decode_token(access_token)
 
             if token_info is None:
                 # If there is no token_info after refresh user get redirect
-                self.redirect_to_auth()
+                self.redirect_to_auth(str(request.url))
 
         # these names are hardcoded in keycloak:
         # https://github.com/keycloak/keycloak/blob/3ca3a4ad349b4d457f6829eaf2ae05f1e01408be/core/src/main/java/org/keycloak/representations/IDToken.java
@@ -103,25 +106,42 @@ async def get_current_user(self, access_token: str, *args, **kwargs) -> User:
             raise AuthorizationError("Invalid token payload")
         return await self._uow.user.get_or_create(UserDTO(name=login))  # type: ignore[arg-type]
 
+    async def logout(self, refresh_token: str):
+        try:
+            return self.keycloak_openid.logout(refresh_token)
+        except KeycloakConnectionError as err:
+            logger.error("Error when trying to get token: %s", err)
+            return None
+
     def decode_token(self, access_token: str) -> dict[str, Any] | None:
         try:
             return self.keycloak_openid.decode_token(token=access_token)
         except Exception as err:
             logger.info("Access token is invalid or expired: %s", err)
             return None
 
-    def refresh_access_token(self, refresh_token: str) -> tuple[str, str]:  # type: ignore[return]
+    def refresh_access_token(self, refresh_token: str, origin_url: str) -> tuple[str, str]:  # type: ignore[return]
         try:
             new_tokens = self.keycloak_openid.refresh_token(refresh_token)
             logger.debug("Access token refreshed")
             return new_tokens.get("access_token"), new_tokens.get("refresh_token")
         except Exception as err:
             logger.debug("Failed to refresh access token: %s", err)
-            self.redirect_to_auth()
+            self.redirect_to_auth(origin_url)
 
-    def redirect_to_auth(self) -> None:
-        auth_url = self.keycloak_openid.auth_url(
-            redirect_uri=self.settings.keycloak.redirect_uri,
-            scope=self.settings.keycloak.scope,
-        )
-        raise RedirectError(message=auth_url, details="Authorize on provided url")
+    def redirect_to_auth(self, state: str = ""):
+        try:
+            state = base64.b64encode(state.encode("utf-8"))  # type: ignore[assignment]
+
+            auth_url = self.keycloak_openid.auth_url(
+                redirect_uri=self.settings.keycloak.redirect_uri,
+                scope=self.settings.keycloak.scope,
+                state=state.decode("utf-8"),  # type: ignore[attr-defined]
+            )
+
+        except KeycloakConnectionError as err:
+            logger.error("Failed connect to Keycloak: %s", err)
+            # TODO: What exception should we raise here?
+            raise HTTPException(status_code=HTTPStatus.BAD_REQUEST, detail=err)
+        logger.info("Raising redirect error with url: %s", auth_url)
+        raise RedirectError(message="Authorize on provided url", details=auth_url)

docs/reference/server/auth/keycloak.rst

@@ -24,9 +24,39 @@ Interaction schema
             title DummyAuthProvider
             participant "Client"
             participant "Backend"
+            participant "Keycloak"
+
+            == Client Authentication at Keycloak ==
+
+            Client -> Backend : Request endpoint with authentication (/locations)
+
+            Backend x-[#red]> Client: 401 with redirect url in 'details' response field
+
+            Client -> Keycloak : Redirect user to Keycloak login page
+
+            alt Successful login
+                Client --> Keycloak : Log in with login and password
+            else Login failed
+                Keycloak x-[#red]> Client -- : Display error (401 Unauthorized)
+            end
+
+            Keycloak -> Client : Callback to Client /callback which is proxy between Keycloak and Backend
+
+            Client -> Backend : Send request to Backend '/v1/auth/callback'
+
+            Backend -> Keycloak : Check original 'state' and exchange code for token's
+            Keycloak --> Backend : Return token's
+            Backend --> Client : Set token's in user's browser in cookies and redirect /locations
+
+            Client --> Backend : Redirect to /locations
+            Backend -> Backend : Get user info from token and check user in internal backend database
+            Backend -> Backend : Create user in internal backend database if not exist
+            Backend -[#green]> Client -- : Return requested data
+
 
             == GET v1/datasets ==
 
+
             alt Successful case
                 "Client" -> "Backend" ++ : access_token
                 "Backend" --> "Backend" : Validate token
@@ -38,7 +68,7 @@ Interaction schema
                 "Client" -> "Backend" ++ : access_token, refresh_token
                 "Backend" --> "Backend" : Validate token
                 "Backend" -[#yellow]> "Backend" : Token is expired
-                "Backend" --> "Backend" : Try to refresh token
+                "Backend" --> "Keycloak" : Try to refresh token
                 "Backend" --> "Backend" : Validate new token
                 "Backend" --> "Backend" : Check user in internal backend database
                 "Backend" -> "Backend" : Get data
@@ -56,7 +86,7 @@ Interaction schema
                 "Client" -> "Backend" ++ : access_token, refresh_token
                 "Backend" --> "Backend" : Validate token
                 "Backend" -[#yellow]> "Backend" : Token is expired
-                "Backend" --> "Backend" : Try to refresh token
+                "Backend" --> "Keycloak" : Try to refresh token
                 "Backend" x-[#red]> "Client" -- : RedirectResponse can't refresh
 
             else Bad Token payload

tests/test_server/test_auth/test_keycloak_auth.py

@@ -1,3 +1,4 @@
+import base64
 import logging
 
 import pytest
@@ -7,6 +8,7 @@
 
 from data_rentgen.db.models import Dataset, User
 from data_rentgen.server.settings import ServerApplicationSettings as Settings
+from data_rentgen.server.settings.auth.keycloak import KeycloakSettings
 from tests.test_server.utils.enrich import enrich_datasets
 
 KEYCLOAK_PROVIDER = "data_rentgen.server.providers.auth.keycloak_provider.KeycloakAuthProvider"
@@ -25,14 +27,32 @@
     ],
     indirect=True,
 )
-async def test_get_keycloak_user_unauthorized(test_client: AsyncClient, mock_keycloak_well_known, caplog):
+async def test_get_keycloak_user_unauthorized(
+    test_client: AsyncClient,
+    mock_keycloak_well_known,
+    caplog,
+    server_app_settings: Settings,
+):
+    k_settings = KeycloakSettings.model_validate(server_app_settings.auth.keycloak)
+
     response = await test_client.get("/v1/datasets")
 
     # redirect unauthorized user to Keycloak
-    assert response.status_code == 307
-    assert "protocol/openid-connect/auth?" in str(
-        response.next_request.url,
+    state = str(response.url).encode("utf-8")
+    state = base64.b64encode(state)
+    redirect_url = (
+        f"{k_settings.server_url}/realms/{k_settings.realm_name}/protocol/openid-connect/auth?client_id="
+        f"{k_settings.client_id}&response_type=code&redirect_uri={k_settings.redirect_uri}"
+        f"&scope={k_settings.scope}&state={state.decode('utf-8')}&nonce="
     )
+    assert response.status_code == 401
+    assert response.json() == {
+        "error": {
+            "code": "auth_redirect",
+            "message": "Authorize on provided url",
+            "details": redirect_url,
+        },
+    }
 
 
 @responses.activate