diff --git a/docs/authentication.md b/docs/authentication.md index 46d5d395..535cc4ba 100644 --- a/docs/authentication.md +++ b/docs/authentication.md @@ -164,6 +164,8 @@ appConfig: Note that if you are using Keycloak V 17 or older, you will also need to set `legacySupport: true` (also under `appConfig.auth.keycloak`). This is because the API endpoint was updated in later versions. +If you use Keycloak with an external Identity Provier, you can set the `idpHint: 'alias-of-kc-idp'` option to allow the IdP Hint to be passed to Keycloak. This will cause Keycloak to skip its login page and redirect the user directly to the specified IdP's login page. Set to the value of the 'Alias' field of the desired IdP as defined in Keycloak under 'Identity Providers'. + ### 4. Add groups and roles (Optional) Keycloak allows you to assign users roles and groups. You can use these values to configure who can access various sections or items in Dashy. diff --git a/package.json b/package.json index 13456c03..d0264ee6 100644 --- a/package.json +++ b/package.json @@ -27,7 +27,7 @@ "express": "^4.17.2", "frappe-charts": "^1.6.2", "js-yaml": "^4.1.0", - "keycloak-js": "^16.1.1", + "keycloak-js": "^20.0.3", "register-service-worker": "^1.7.2", "remedial": "^1.0.8", "rsup-progress": "^3.0.0", diff --git a/src/utils/ConfigSchema.json b/src/utils/ConfigSchema.json index bce7ddfe..a0994ae2 100644 --- a/src/utils/ConfigSchema.json +++ b/src/utils/ConfigSchema.json @@ -481,6 +481,11 @@ "type": "string", "description": "The Client ID of the client you created for use with Dashy" }, + "idpHint": { + "title" : "IdP hint", + "type": "string", + "description": "Set to the 'Alias' of an existing Identity Provider in the specified realm to skip the Keycloak login page and redirect straight to the external IdP for authentication" + }, "legacySupport": { "title": "Legacy Support", "type": "boolean", diff --git a/src/utils/KeycloakAuth.js b/src/utils/KeycloakAuth.js index 3903c780..05b6f7a6 100644 --- a/src/utils/KeycloakAuth.js +++ b/src/utils/KeycloakAuth.js @@ -13,25 +13,25 @@ class KeycloakAuth { constructor() { const { auth } = getAppConfig(); const { - serverUrl, realm, clientId, legacySupport, + serverUrl, realm, clientId, idpHint, legacySupport, } = auth.keycloak; const url = legacySupport ? `${serverUrl}/auth` : serverUrl; - const initOptions = { - url, realm, clientId, onLoad: 'login-required', - }; + const initOptions = { url, realm, clientId }; + const loginOptions = idpHint ? { idpHint } : {}; + this.loginOptions = loginOptions; this.keycloakClient = Keycloak(initOptions); } login() { return new Promise((resolve, reject) => { - this.keycloakClient.init({ onLoad: 'login-required' }) + this.keycloakClient.init({ onLoad: 'check-sso' }) .then((auth) => { if (auth) { this.storeKeycloakInfo(); return resolve(); } else { - return reject(new Error('Not authenticated')); + return this.keycloakClient.login(this.loginOptions); } }) .catch((reason) => reject(reason));