Merge pull request #235 from jembi/PLAT-704-singlesignout-grafana

PLAT-704 Add singlesignout

dashboard-visualiser-superset/config/client_secret_env.json

@@ -4,7 +4,7 @@
     "auth_uri": "${KC_FRONTEND_URL}/realms/${KC_REALM_NAME}/protocol/openid-connect/auth",
     "client_id": "${KC_SUPERSET_CLIENT_ID}",
     "client_secret": "${KC_SUPERSET_CLIENT_SECRET}",
-    "redirect_uris": ["${SUPERSET_SERVER_ROOT_URL}/*"],
+    "redirect_uris": ["${KC_SUPERSET_ROOT_URL}/oidc_callback"],
     "userinfo_uri": "${KC_API_URL}/realms/${KC_REALM_NAME}/protocol/openid-connect/userinfo",
     "token_uri": "${KC_API_URL}/realms/${KC_REALM_NAME}/protocol/openid-connect/token",
     "token_introspection_uri": "${KC_API_URL}/realms/${KC_REALM_NAME}/protocol/openid-connect/token/introspect"

dashboard-visualiser-superset/config/keycloack_security_manager.py

@@ -6,6 +6,7 @@
 from flask_login import login_user
 from urllib.parse import quote
 from flask_appbuilder.views import ModelView, SimpleFormView, expose
+import logging
 import urllib.parse
 
 class OIDCSecurityManager(SupersetSecurityManager):
@@ -57,3 +58,14 @@ def logout(self):
 
         return redirect(
             oidc.client_secrets.get('issuer') + '/protocol/openid-connect/logout?client_id=' + oidc.client_secrets.get('client_id') + '&post_logout_redirect_uri=' + quote(redirect_url))
+
+
+    @expose('/backchannel-logout/', methods=['GET', 'POST'])
+    def backchannel_logout(self):
+        oidc = self.appbuilder.sm.oid
+
+        oidc.logout()
+        super(AuthOIDCView, self).logout()        
+        redirect_url = request.url_root.strip('/') + self.appbuilder.get_url_for_login
+
+        return redirect(oidc.client_secrets.get('issuer') + '/protocol/openid-connect/logout')

dashboard-visualiser-superset/config/superset_config.py

@@ -58,4 +58,5 @@
     AUTH_USER_REGISTRATION = True
     AUTH_USER_REGISTRATION_ROLE = AUTH_USER_REGISTRATION_ROLE
     OIDC_VALID_ISSUERS = [KC_FRONTEND_URL + '/realms/' + KC_REALM_NAME]
+    ENABLE_PROXY_FIX = True
 

identity-access-manager-keycloak/config/grafana.json

@@ -24,11 +24,13 @@
   "protocol": "openid-connect",
   "attributes": {
     "oidc.ciba.grant.enabled": "false",
+    "post.logout.redirect.uris": "${KC_GRAFANA_ROOT_URL}/login",
     "client.secret.creation.time": "1672390081",
     "backchannel.logout.session.required": "true",
     "oauth2.device.authorization.grant.enabled": "false",
     "display.on.consent.screen": "false",
-    "backchannel.logout.revoke.offline.tokens": "false"
+    "backchannel.logout.revoke.offline.tokens": "false",
+    "frontchannel.logout.url": "${KC_GRAFANA_ROOT_URL}/logout"
   },
   "authenticationFlowBindingOverrides": {},
   "fullScopeAllowed": true,

identity-access-manager-keycloak/config/openhim.json

@@ -29,7 +29,8 @@
     "post.logout.redirect.uris": "${KC_OPENHIM_ROOT_URL}",
     "display.on.consent.screen": "false",
     "oauth2.device.authorization.grant.enabled": "false",
-    "backchannel.logout.revoke.offline.tokens": "false"
+    "backchannel.logout.revoke.offline.tokens": "false",
+    "frontchannel.logout.url": "${KC_OPENHIM_ROOT_URL}/#!/logout"
   },
   "authenticationFlowBindingOverrides": {},
   "fullScopeAllowed": true,

identity-access-manager-keycloak/config/superset.json

@@ -29,7 +29,8 @@
     "post.logout.redirect.uris": "${KC_SUPERSET_ROOT_URL}/login/",
     "display.on.consent.screen": "false",
     "oauth2.device.authorization.grant.enabled": "false",
-    "backchannel.logout.revoke.offline.tokens": "false"
+    "backchannel.logout.revoke.offline.tokens": "false",
+    "frontchannel.logout.url": "${KC_SUPERSET_ROOT_URL}/backchannel-logout/"
   },
   "authenticationFlowBindingOverrides": {},
   "fullScopeAllowed": true,

interoperability-layer-openhim/docker-compose.yml

@@ -30,7 +30,7 @@ services:
           memory: ${OPENHIM_MEMORY_RESERVE}
 
   openhim-console:
-    image: jembi/openhim-console:v1.16.1
+    image: jembi/openhim-console:v1.16.2
     environment:
       OPENHIM_CORE_MEDIATOR_HOSTNAME: ${OPENHIM_CORE_MEDIATOR_HOSTNAME}
       OPENHIM_MEDIATOR_API_PORT: ${OPENHIM_MEDIATOR_API_PORT}

monitoring/docker-compose.yml

@@ -32,6 +32,7 @@ services:
       GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'"
       GF_SERVER_DOMAIN: ${GF_SERVER_DOMAIN}
       GF_SERVER_ROOT_URL: ${KC_GRAFANA_ROOT_URL}
+      GF_AUTH_SIGNOUT_REDIRECT_URL: "${KC_FRONTEND_URL}/realms/${KC_REALM_NAME}/protocol/openid-connect/logout?client_id=${KC_GRAFANA_CLIENT_ID}&post_logout_redirect_uri=${KC_GRAFANA_ROOT_URL}/login"
     configs:
       - target: /etc/grafana/grafana.ini
         source: grafana.ini