[DOP-29772] Fix KeycloakAuthProvider docs

Author: dolfinus

.env.docker

@@ -26,7 +26,7 @@ SYNCMASTER__AUTH__KEYCLOAK__SERVER_URL=http://keycloak:8080
 SYNCMASTER__AUTH__KEYCLOAK__REALM_NAME=manually_created
 SYNCMASTER__AUTH__KEYCLOAK__CLIENT_ID=manually_created
 SYNCMASTER__AUTH__KEYCLOAK__CLIENT_SECRET=generated_by_keycloak
-SYNCMASTER__AUTH__KEYCLOAK__REDIRECT_URI=http://localhost:8000/auth/callback
+SYNCMASTER__AUTH__KEYCLOAK__REDIRECT_URI=http://localhost:3000/auth/callback
 SYNCMASTER__AUTH__KEYCLOAK__SCOPE=email
 SYNCMASTER__AUTH__KEYCLOAK__VERIFY_SSL=False
 

.env.local

@@ -26,7 +26,7 @@ export SYNCMASTER__AUTH__KEYCLOAK__SERVER_URL=http://localhost:8080
 export SYNCMASTER__AUTH__KEYCLOAK__REALM_NAME=manually_created
 export SYNCMASTER__AUTH__KEYCLOAK__CLIENT_ID=manually_created
 export SYNCMASTER__AUTH__KEYCLOAK__CLIENT_SECRET=generated_by_keycloak
-export SYNCMASTER__AUTH__KEYCLOAK__REDIRECT_URI=http://localhost:8000/auth/callback
+export SYNCMASTER__AUTH__KEYCLOAK__REDIRECT_URI=http://localhost:3000/auth/callback
 export SYNCMASTER__AUTH__KEYCLOAK__SCOPE=email
 export SYNCMASTER__AUTH__KEYCLOAK__VERIFY_SSL=False
 

docs/changelog/next_release/274.improvement.rst

@@ -0,0 +1 @@
+Replace 307 redirect to Keycloak auth page with 401 response, due to browser restrictions for redirect + CORS + localhost.

docs/reference/server/auth/keycloak/local_installation.rst

@@ -73,11 +73,11 @@ Set ``client_authentication`` **ON** to receive client_secret
 Configure Redirect URI
 ~~~~~~~~~~~~~~~~~~~~~~
 
-To configure the redirect URI where the browser will redirect to exchange the code provided from Keycloak for an access token, set the `SYNCMASTER__AUTH__KEYCLOAK__REDIRECT_URI` environment variable. The default value for local development is `http://localhost:8000/auth/callback`.
+To configure the redirect URI where the browser will redirect to exchange the code provided from Keycloak for an access token, set the `SYNCMASTER__AUTH__KEYCLOAK__REDIRECT_URI` environment variable. The default value for local development is `http://localhost:3000/auth/callback`.
 
 .. code-block:: console
 
-    $ export SYNCMASTER__AUTH__KEYCLOAK__REDIRECT_URI=http://localhost:8000/auth/callback
+    $ export SYNCMASTER__AUTH__KEYCLOAK__REDIRECT_URI=http://localhost:3000/auth/callback
 
 Configure the client redirect URI
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -112,7 +112,7 @@ After this you can user `KeycloakAuthProvider` in your application with provided
 .. code-block:: console
 
     $ export SYNCMASTER__AUTH__KEYCLOAK__SERVER_URL=http://keycloak:8080
-    $ export SYNCMASTER__AUTH__KEYCLOAK__REDIRECT_URI=http://localhost:8000/auth/callback
+    $ export SYNCMASTER__AUTH__KEYCLOAK__REDIRECT_URI=http://localhost:3000/auth/callback
     $ export SYNCMASTER__AUTH__KEYCLOAK__REALM_NAME=fastapi_realm
     $ export SYNCMASTER__AUTH__KEYCLOAK__CLIENT_ID=fastapi_client
     $ export SYNCMASTER__AUTH__KEYCLOAK__CLIENT_SECRET=6x6gn8uJdWSBmP8FqbNRSoGdvaoaFeez

syncmaster/server/api/v1/auth.py

@@ -1,10 +1,9 @@
 # SPDX-FileCopyrightText: 2023-2024 MTS PJSC
 # SPDX-License-Identifier: Apache-2.0
-from http.client import NOT_FOUND
+from http.client import NO_CONTENT
 from typing import Annotated
 
-from fastapi import APIRouter, Depends, HTTPException, Request
-from fastapi.responses import RedirectResponse
+from fastapi import APIRouter, Depends, Request, Response
 from fastapi.security import OAuth2PasswordRequestForm
 
 from syncmaster.errors.registration import get_error_responses
@@ -17,7 +16,6 @@
     DummyAuthProvider,
     KeycloakAuthProvider,
 )
-from syncmaster.server.utils.state import validate_state
 
 router = APIRouter(
     prefix="/auth",
@@ -42,21 +40,17 @@ async def token(
     return AuthTokenSchema.model_validate(token)
 
 
-@router.get("/callback")
+@router.get("/callback", status_code=NO_CONTENT)
 async def auth_callback(
     request: Request,
     code: str,
-    state: str,
     auth_provider: Annotated[KeycloakAuthProvider, Depends(Stub(AuthProvider))],
 ):
-    original_redirect_url = validate_state(state)
-    if not original_redirect_url:
-        raise HTTPException(status_code=NOT_FOUND, detail="Invalid state parameter")
     token = await auth_provider.get_token_authorization_code_grant(
         code=code,
         redirect_uri=auth_provider.settings.keycloak.redirect_uri,
     )
     request.session["access_token"] = token["access_token"]
     request.session["refresh_token"] = token["refresh_token"]
 
-    return RedirectResponse(url=original_redirect_url)
+    return Response(status_code=NO_CONTENT)

syncmaster/server/providers/auth/keycloak_provider.py

@@ -13,7 +13,6 @@
 from syncmaster.server.providers.auth.base_provider import AuthProvider
 from syncmaster.server.services.unit_of_work import UnitOfWork
 from syncmaster.server.settings.auth.keycloak import KeycloakAuthProviderSettings
-from syncmaster.server.utils.state import generate_state
 
 log = logging.getLogger(__name__)
 
@@ -137,10 +136,8 @@ async def refresh_access_token(self, refresh_token: str) -> dict[str, Any]:
         return new_tokens
 
     def redirect_to_auth(self, path: str) -> None:
-        state = generate_state(path)
         auth_url = self.keycloak_openid.auth_url(
             redirect_uri=self.settings.keycloak.redirect_uri,
             scope=self.settings.keycloak.scope,
-            state=state,
         )
         raise RedirectException(redirect_url=auth_url)

syncmaster/server/utils/state.py

@@ -24,21 +24,18 @@
     ],
     indirect=True,
 )
-async def test_get_keycloak_user_unauthorized(client: AsyncClient, mock_keycloak_well_known):
+async def test_keycloak_get_user_unauthorized(client: AsyncClient, mock_keycloak_well_known):
     response = await client.get("/v1/users/some_user_id")
 
     # redirect unauthorized user to Keycloak
     assert response.status_code == 401, response.text
-
-    details = IsStr()
     assert response.json() == {
         "error": {
             "code": "unauthorized",
             "message": "Please authorize using provided URL",
-            "details": details,
+            "details": IsStr(regex=r".*protocol/openid-connect/auth\?.*"),
         },
     }
-    assert "protocol/openid-connect/auth?" in details
 
 
 @responses.activate
@@ -54,7 +51,7 @@ async def test_get_keycloak_user_unauthorized(client: AsyncClient, mock_keycloak
     ],
     indirect=True,
 )
-async def test_get_keycloak_user_authorized(
+async def test_keycloak_get_user_authorized(
     client: AsyncClient,
     simple_user: MockUser,
     settings: Settings,
@@ -92,7 +89,7 @@ async def test_get_keycloak_user_authorized(
     ],
     indirect=True,
 )
-async def test_get_keycloak_user_expired_access_token(
+async def test_keycloak_get_user_expired_access_token(
     caplog,
     client: AsyncClient,
     simple_user: MockUser,
@@ -137,7 +134,7 @@ async def test_get_keycloak_user_expired_access_token(
     ],
     indirect=True,
 )
-async def test_get_keycloak_user_inactive(
+async def test_keycloak_get_user_inactive(
     client: AsyncClient,
     simple_user: MockUser,
     inactive_user: MockUser,
@@ -163,3 +160,33 @@ async def test_get_keycloak_user_inactive(
             "details": None,
         },
     }
+
+
+@responses.activate
+@pytest.mark.parametrize(
+    "settings",
+    [
+        {
+            "auth": {
+                "provider": KEYCLOAK_PROVIDER,
+            },
+        },
+    ],
+    indirect=True,
+)
+async def test_keycloak_auth_callback(
+    client: AsyncClient,
+    settings: Settings,
+    mock_keycloak_well_known,
+    mock_keycloak_realm,
+    mock_keycloak_token_refresh,
+    caplog,
+):
+    with caplog.at_level(logging.DEBUG):
+        response = await client.get(
+            "/v1/auth/callback",
+            params={"code": "testcode"},
+        )
+
+    assert response.cookies.get("session"), caplog.text  # cookie is set
+    assert response.status_code == 204, response.json()