#654 added basic support for keycloak OpenID auth

Author: bugy

src/auth/auth_abstract_oauth.py

@@ -6,19 +6,20 @@
 import threading
 import time
 import urllib.parse as urllib_parse
-from collections import namedtuple, defaultdict
+from collections import defaultdict
 from typing import Dict
 
 import tornado
 import tornado.ioloop
 from tornado import httpclient, escape
 
 from auth import auth_base
-from auth.auth_base import AuthFailureError, AuthBadRequestException
+from auth.auth_base import AuthFailureError, AuthBadRequestException, AuthRejectedError
 from model import model_helper
 from model.model_helper import read_bool_from_config, read_int_from_config
 from model.server_conf import InvalidServerConfigException
 from utils import file_utils
+from utils.tornado_utils import get_secure_cookie
 
 LOGGER = logging.getLogger('script_server.AbstractOauthAuthenticator')
 
@@ -31,7 +32,21 @@ def __init__(self, username) -> None:
         self.last_visit = None
 
 
-_OauthUserInfo = namedtuple('_OauthUserInfo', ['email', 'enabled', 'oauth_response'])
+class _OauthUserInfo:
+    def __init__(self, username, enabled, oauth_response, eager_groups=None):
+        self.username = username
+        self.enabled = enabled
+        self.oauth_response = oauth_response
+        self.eager_groups = eager_groups
+
+    def __eq__(self, o: object) -> bool:
+        return isinstance(o, _OauthUserInfo) and (self.username == o.username)
+
+    def __str__(self) -> str:
+        return f'_OauthUserInfo({self.username})'
+
+    def __repr__(self) -> str:
+        return f'_OauthUserInfo({self.__dict__})'
 
 
 def _start_timer(callback):
@@ -67,6 +82,8 @@ def __init__(self, oauth_authorize_url, oauth_token_url, oauth_scope, params_dic
         self._users = {}  # type: Dict[str, _UserState]
         self._user_locks = defaultdict(lambda: asyncio.locks.Lock())
 
+        self.http_client = httpclient.AsyncHTTPClient()
+
         self.timer = None
         if self.dump_file:
             self._restore_state()
@@ -88,28 +105,26 @@ async def authenticate(self, request_handler):
             LOGGER.error('Code is not specified')
             raise AuthBadRequestException('Missing authorization information. Please contact your administrator')
 
-        access_token = await self.fetch_access_token(code, request_handler)
+        (access_token, refresh_token) = await self.fetch_access_token(code, request_handler)
         user_info = await self.fetch_user_info(access_token)
 
-        user_email = user_info.email
-        if not user_email:
+        username = user_info.username
+        if not username:
             error_message = 'No email field in user response. The response: ' + str(user_info.oauth_response)
             LOGGER.error(error_message)
             raise AuthFailureError(error_message)
 
         if not user_info.enabled:
             error_message = 'User %s is not enabled in OAuth provider. The response: %s' \
-                            % (user_email, str(user_info.oauth_response))
+                            % (username, str(user_info.oauth_response))
             LOGGER.error(error_message)
             raise AuthFailureError(error_message)
 
-        user_state = _UserState(user_email)
-        self._users[user_email] = user_state
+        user_state = _UserState(username)
+        self._users[username] = user_state
 
         if self.group_support:
-            user_groups = await self.fetch_user_groups(access_token)
-            LOGGER.info('Loaded groups for ' + user_email + ': ' + str(user_groups))
-            user_state.groups = user_groups
+            await self.load_groups(access_token, username, user_info, user_state)
 
         now = time.time()
 
@@ -119,7 +134,15 @@ async def authenticate(self, request_handler):
 
         user_state.last_visit = now
 
-        return user_email
+        return username
+
+    async def load_groups(self, access_token, username, user_info, user_state):
+        if user_info.eager_groups is not None:
+            user_state.groups = user_info.eager_groups
+        else:
+            user_groups = await self.fetch_user_groups(access_token)
+            user_state.groups = user_groups
+        LOGGER.info('Loaded groups for ' + username + ': ' + str(user_state.groups))
 
     def validate_user(self, user, request_handler):
         if not user:
@@ -146,7 +169,7 @@ def validate_user(self, user, request_handler):
         user_state.last_visit = now
 
         if self.auth_info_ttl:
-            access_token = request_handler.get_secure_cookie('token')
+            access_token = get_secure_cookie(request_handler, 'token')
             if access_token is None:
                 LOGGER.info('User %s token is not available', user)
                 return False
@@ -180,8 +203,8 @@ async def fetch_access_token(self, code, request_handler):
             'client_secret': self.secret,
             'grant_type': 'authorization_code',
         })
-        http_client = httpclient.AsyncHTTPClient()
-        response = await http_client.fetch(
+
+        response = await self.http_client.fetch(
             self.oauth_token_url,
             method='POST',
             headers={'Content-Type': 'application/x-www-form-urlencoded'},
@@ -206,13 +229,14 @@ async def fetch_access_token(self, code, request_handler):
 
         response_values = escape.json_decode(response.body)
         access_token = response_values.get('access_token')
+        refresh_token = response_values.get('refresh_token')
 
         if not access_token:
             message = 'No access token in response: ' + str(response.body)
             LOGGER.error(message)
             raise AuthFailureError(message)
 
-        return access_token
+        return access_token, refresh_token
 
     def update_user_auth(self, username, user_state, access_token):
         now = time.time()
@@ -242,8 +266,14 @@ async def _do_update_user_auth_async(self, username, user_state, access_token):
 
             LOGGER.info('User %s state expired, refreshing', username)
 
-            user_info = await self.fetch_user_info(access_token)  # type: _OauthUserInfo
-            if (not user_info) or (not user_info.email):
+            try:
+                user_info = await self.fetch_user_info(access_token)  # type: _OauthUserInfo
+            except AuthRejectedError:
+                LOGGER.info(f'User {username} is not authenticated anymore. Logging out')
+                self._remove_user(username)
+                return
+
+            if (not user_info) or (not user_info.username):
                 LOGGER.error('Failed to fetch user info: %s', str(user_info))
                 self._remove_user(username)
                 return
@@ -256,9 +286,7 @@ async def _do_update_user_auth_async(self, username, user_state, access_token):
 
             if self.group_support:
                 try:
-                    user_groups = await self.fetch_user_groups(access_token)
-                    LOGGER.info('Updated groups for ' + username + ': ' + str(user_groups))
-                    user_state.groups = user_groups
+                    await self.load_groups(access_token, username, user_info, user_state)
                 except AuthFailureError:
                     LOGGER.error('Failed to fetch user %s groups', username)
                     self._remove_user(username)

src/auth/auth_keycloak_openid.py

@@ -0,0 +1,62 @@
+import logging
+
+from tornado import escape
+from tornado.httpclient import HTTPClientError
+
+from auth.auth_abstract_oauth import AbstractOauthAuthenticator, _OauthUserInfo
+from auth.auth_base import AuthRejectedError
+from model import model_helper
+
+LOGGER = logging.getLogger('script_server.GoogleOauthAuthorizer')
+
+
+# noinspection PyProtectedMember
+class KeycloakOpenidAuthenticator(AbstractOauthAuthenticator):
+    def __init__(self, params_dict):
+        realm_url = model_helper.read_obligatory(
+            params_dict,
+            'realm_url',
+            ': should contain openid realm url, e.g. http://localhost:8080/realms/master')
+        if not realm_url.endswith('/'):
+            realm_url = realm_url + '/'
+        self._realm_url = realm_url
+
+        super().__init__(realm_url + 'protocol/openid-connect/auth',
+                         realm_url + 'protocol/openid-connect/token',
+                         # "openid" scope is needed since version 20:
+                         # https://keycloak.discourse.group/t/issue-on-userinfo-endpoint-at-keycloak-20/18461/2
+                         'email openid',
+                         params_dict)
+
+    async def fetch_user_info(self, access_token) -> _OauthUserInfo:
+        user_future = self.http_client.fetch(
+            self._realm_url + 'protocol/openid-connect/userinfo',
+            headers={'Authorization': 'Bearer ' + access_token})
+
+        try:
+            user_response = await user_future
+        except HTTPClientError as e:
+            if e.code == 401:
+                raise AuthRejectedError('Failed to fetch user info')
+            else:
+                raise e
+
+        if not user_response:
+            raise Exception('No response during loading userinfo')
+
+        response_values = {}
+        if user_response.body:
+            response_values = escape.json_decode(user_response.body)
+
+        eager_groups = None
+        if self.group_support:
+            eager_groups = response_values.get('groups')
+            if eager_groups is None:
+                eager_groups = []
+                LOGGER.warning('Failed to load user groups. Most probably groups mapping is not enabled. '
+                               'Check the corresponding wiki section')
+
+        return _OauthUserInfo(response_values.get('preferred_username'), True, response_values, eager_groups)
+
+    async def fetch_user_groups(self, access_token):
+        raise Exception('This shouldn\'t be used, all the groups should be fetched with user info.')

src/model/server_conf.py

@@ -215,6 +215,9 @@ def create_authenticator(auth_object, temp_folder, process_invoker: ProcessInvok
     elif auth_type == 'gitlab':
         from auth.auth_gitlab import GitlabOAuthAuthenticator
         authenticator = GitlabOAuthAuthenticator(auth_object)
+    elif auth_type == 'keycloak_openid':
+        from auth.auth_keycloak_openid import KeycloakOpenidAuthenticator
+        authenticator = KeycloakOpenidAuthenticator(auth_object)
     elif auth_type == 'htpasswd':
         from auth.auth_htpasswd import HtpasswdAuthenticator
         authenticator = HtpasswdAuthenticator(auth_object, process_invoker)

src/tests/auth/test_auth_abstract_oauth.py

@@ -16,6 +16,7 @@
 from tests import test_utils
 from tests.test_utils import mock_object
 from utils import file_utils
+from utils.tornado_utils import get_secure_cookie
 
 mock_time = Mock()
 mock_time.return_value = 10000.01
@@ -156,7 +157,7 @@ def mock_request_handler(code):
     handler_mock.get_secure_cookie = lambda cookie: secure_cookies.get(cookie)
 
     def set_secure_cookie(cookie, value):
-        secure_cookies[cookie] = value
+        secure_cookies[cookie] = value.encode('utf-8')
 
     def clear_secure_cookie(cookie):
         if cookie in secure_cookies:
@@ -240,7 +241,7 @@ def test_authenticate_and_save_user_token(self):
         request_handler = mock_request_handler(code='Y')
         yield authenticator.authenticate(request_handler)
 
-        saved_token = request_handler.get_secure_cookie('token')
+        saved_token = get_secure_cookie(request_handler, 'token')
         self.assertEqual('22222', saved_token)
 
     @gen_test
@@ -622,7 +623,7 @@ def __init__(self, params_dict):
     async def fetch_access_token(self, code, request_handler):
         for key, value in self.user_tokens.items():
             if value.endswith(code):
-                return key
+                return key, None
 
         raise Exception('Could not generate token for code ' + code + '. Make sure core is equal to user suffix')
 

web-src/public/login.html

@@ -52,4 +52,11 @@
     </div>
 </script>
 
+<script id="login-keycloak-template" type="text/template">
+    <div>
+        <input type="submit" id="login-keycloak-button" class="login-button oauth-button" value="Sign in with Keycloak">
+        <div class="login-info-label"></div>
+    </div>
+</script>
+
 </html>

web-src/src/assets/css/index.css

@@ -100,7 +100,9 @@ h6.header {
     color: #F44336;
 }
 
-#login-panel .login-google_oauth .login-info-label {
+#login-panel .login-google_oauth .login-info-label,
+#login-panel .login-gitlab .login-info-label,
+#login-panel .login-keycloak .login-info-label {
     margin-top: 16px;
 }
 
@@ -154,3 +156,8 @@ h6.header {
     background-image: url('../gitlab-icon-rgb.png');
     background-position-x: 6px;
 }
+
+#login-keycloak-button {
+    padding-left: 42px;
+    background-image: url('../keycloak_icon.png');
+}

web-src/src/assets/keycloak_icon.png

@@ -40,6 +40,8 @@ function onLoad() {
 
         if (config['type'] === 'google_oauth') {
             setupGoogleOAuth(loginContainer, config);
+        } else if (config['type'] === 'keycloak_openid') {
+            setupKeycloakOpenid(loginContainer, config);
         } else if (config['type'] === 'gitlab') {
             setupGitlabOAuth(loginContainer, config);
         } else {
@@ -79,6 +81,14 @@ function setupGoogleOAuth(loginContainer, authConfig) {
         'login-google_oauth-button')
 }
 
+function setupKeycloakOpenid(loginContainer, authConfig) {
+    setupOAuth(
+        loginContainer,
+        authConfig,
+        'login-keycloak-template',
+        'login-keycloak-button')
+}
+
 function setupGitlabOAuth(loginContainer, authConfig) {
     setupOAuth(
         loginContainer,