| * Get user. | ||
| */ | ||
| getUser = async (username: string, password: string): Promise<User | Falsey> => { | ||
| if (password === SSO_PASSWORD) { |
I haven't found a clean solution while sticking to the oauth2-server module, hence I used this approach which I don't think is perfect at all.
| } | ||
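Review bot: the `if (password === SSO_PASSWORD)` branch in getUser turns a fixed constant into a credential. Anyone who learns the value of SSO_PASSWORD and can reach the model through any path that is not guarded the way /oauth/token is gets through as the supplied username without ever completing the Keycloak flow. Suggest that getUser not accept the sentinel at all: have the SSO callback verify the Keycloak token first and hand the model something that cannot be replayed (a per-request secret or a marker tied to the verified subject) rather than a constant string. The author's note that this is a stopgap is fair, but it should be tracked before the PoC becomes the production path.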
| /** Keycloak ioBroker realm */ | ||
| const KEYCLOAK_ISSUER = 'https://keycloak.heusinger-it.duckdns.org/realms/iobroker-local'; |
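Review bot: KEYCLOAK_ISSUER is hard-coded to a personal duckdns host. Since the issuer string is what the token's `iss` check and the JWKS lookup are pinned to, read it from configuration now (with the PoC value as the default) rather than editing the constant later, and make sure the verification compares `iss` against this exact value and only loads signing keys from the same realm, otherwise swapping the host silently changes which tokens are trusted.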
Of course after the PoC this should be a production instance hosted on the public iobroker.net domain. And then other services could use the Keycloak instance too, like Cloud or Forum users. Inside Keycloak, other sign-ins could also be configured (right now it's just GH or normal email & password), like Google or Apple, to name the most important ones.
Pull Request Overview
This PR implements a proof-of-concept for SSO integration with Keycloak.
- Adds utility functions and a constant for SSO authentication.
- Introduces new endpoints (/sso and /sso-callback) to integrate with Keycloak's OAuth2 flow.
- Updates the OAuth2 model and package.json to include new JWT and JWKS dependencies.
Reviewed Changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/lib/utils.ts | Introduces SSO_PASSWORD constant and oauthTokenToResponse helper. |
| src/lib/oauth2.ts | Adds new SSO endpoints, JWT verification, and token exchange logic. |
| src/lib/oauth2-model.ts | Updates getUser logic to support SSO login and logs SSO attempts. |
| package.json | Adds jsonwebtoken and jwks-rsa dependencies for JWT token verification. |
| options.app.post('/oauth/token', (req: Request, res: Response) => { | ||
| const request = new OAuthRequest(req); | ||
| if (request.body.password === SSO_PASSWORD) { |
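Review bot: rejecting `request.body.password === SSO_PASSWORD` here only guards /oauth/token, while the model's getUser still accepts the same constant, so any other route into the model (another grant type, a future endpoint) bypasses this check. Suggest enforcing it in getUser itself rather than at one endpoint, and answering this case with a 400 rather than a 500, since it is a malformed client request and not a server fault.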
Consider returning a 400 status code for client-side errors instead of a 500 error when the SSO password is used on a standard login request. A 400 level code will better communicate that the issue originates from an incorrect client request.
this needs ioBroker/webserver#7 --------- Co-authored-by: GermanBluefox <dogafox@gmail.com>
together with ioBroker/ioBroker.admin#3105