From 2c32072ab2ccac010708ce648f9eba5d82113dc6 Mon Sep 17 00:00:00 2001
From: nour-borgi
Date: Fri, 28 Apr 2023 16:23:23 +0100
Subject: [PATCH 1/6] PLAT-704 Add singlesignout Grafana
---
 identity-access-manager-keycloak/config/grafana.json | 1 +
 monitoring/docker-compose.yml | 5 +++++
 2 files changed, 6 insertions(+)
diff --git a/identity-access-manager-keycloak/config/grafana.json b/identity-access-manager-keycloak/config/grafana.json
index 9d86910b..0c6ea0f2 100644
--- a/identity-access-manager-keycloak/config/grafana.json
+++ b/identity-access-manager-keycloak/config/grafana.json
@@ -24,6 +24,7 @@
 "protocol": "openid-connect",
 "attributes": {
 "oidc.ciba.grant.enabled": "false",
+ "post.logout.redirect.uris": "${KC_GRAFANA_ROOT_URL}/login",
 "client.secret.creation.time": "1672390081",
 "backchannel.logout.session.required": "true",
 "oauth2.device.authorization.grant.enabled": "false",
diff --git a/monitoring/docker-compose.yml b/monitoring/docker-compose.yml
index 026407f6..f977cdcd 100644
--- a/monitoring/docker-compose.yml
+++ b/monitoring/docker-compose.yml
@@ -32,6 +32,7 @@ services:
 GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'"
 GF_SERVER_DOMAIN: ${GF_SERVER_DOMAIN}
 GF_SERVER_ROOT_URL: ${KC_GRAFANA_ROOT_URL}
+ GF_AUTH_SIGNOUT_REDIRECT_URL: "${KC_FRONTEND_URL}/realms/${KC_REALM_NAME}/protocol/openid-connect/logout?client_id=${KC_GRAFANA_CLIENT_ID}&post_logout_redirect_uri=${KC_GRAFANA_ROOT_URL}/login"
 configs:
 - target: /etc/grafana/grafana.ini
 source: grafana.ini
@@ -56,6 +57,7 @@ services:
 reverse-proxy:
 default:
+
 prometheus:
 image: prom/prometheus:v2.38.0
 user: root
@@ -75,6 +77,7 @@ services:
 public:
 default:
+
 cadvisor:
 image: gcr.io/cadvisor/cadvisor:v0.45.0
 command: -docker_only
@@ -153,6 +156,7 @@ services:
 reverse-proxy:
 default:
+
 configs:
 grafana.ini:
 file: ./grafana/grafana.ini
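Review bot: The `post_logout_redirect_uri` value inside the added `GF_AUTH_SIGNOUT_REDIRECT_URL` is spliced into the query string unencoded, whereas the Superset logout view elsewhere in this series percent-encodes its redirect target with `quote()`. Keycloak compares the parameter byte-for-byte against the client's `post.logout.redirect.uris` (`${KC_GRAFANA_ROOT_URL}/login` in the grafana.json hunk above), so a root URL containing `?`, `&`, `#` or `%` would be truncated or mangled and the sign-out would end on Keycloak's error page instead of Grafana's login. Either record the constraint next to the variable, e.g. `# KC_GRAFANA_ROOT_URL must be a plain scheme://host[/path]; it is embedded unencoded in the logout query string`, or pre-encode it wherever the env file is generated. If the deployed Keycloak is 18 or newer, also confirm in a browser that the logout does not stop at Keycloak's confirmation page, which it may show when `id_token_hint` is absent. The remaining hunks in this file only add blank lines and are undone by patch 5 of the series.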
@@ -222,6 +226,7 @@ volumes:
 minio-01-data1:
 minio-01-data2:
+
 networks:
 keycloak:
 name: keycloak_public
From 221878ff8b4dbc060af0cb7fb5ab8792f8dba75d Mon Sep 17 00:00:00 2001
From: Arran Standish
Date: Fri, 5 May 2023 09:35:38 +0200
Subject: [PATCH 2/6] Add front-channel logout config for single signout started from other apps
---
 identity-access-manager-keycloak/config/grafana.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/identity-access-manager-keycloak/config/grafana.json b/identity-access-manager-keycloak/config/grafana.json
index 0c6ea0f2..29d83bf5 100644
--- a/identity-access-manager-keycloak/config/grafana.json
+++ b/identity-access-manager-keycloak/config/grafana.json
@@ -29,7 +29,8 @@
 "backchannel.logout.session.required": "true",
 "oauth2.device.authorization.grant.enabled": "false",
 "display.on.consent.screen": "false",
- "backchannel.logout.revoke.offline.tokens": "false"
+ "backchannel.logout.revoke.offline.tokens": "false",
+ "frontchannel.logout.url": "${KC_GRAFANA_ROOT_URL}/logout"
 },
 "authenticationFlowBindingOverrides": {},
 "fullScopeAllowed": true,
From d095d1715ddfd7aa9ffa6cde4e1f0331e67b8133 Mon Sep 17 00:00:00 2001
From: nour-borgi
Date: Mon, 8 May 2023 14:38:28 +0100
Subject: [PATCH 3/6] Fix single logout superset and login secure mode
---
 .../config/client_secret_env.json | 2 +-
 .../config/keycloack_security_manager.py | 12 ++++++++++++
 .../config/superset_config.py | 1 +
 .../config/superset.json | 3 ++-
 4 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/dashboard-visualiser-superset/config/client_secret_env.json b/dashboard-visualiser-superset/config/client_secret_env.json
index f9b5a351..727a3cc7 100644
--- a/dashboard-visualiser-superset/config/client_secret_env.json
+++ b/dashboard-visualiser-superset/config/client_secret_env.json
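Review bot: `frontchannel.logout.url` is honoured by Keycloak only when the client's top-level `frontchannelLogout` flag is `true`; that key lies outside this hunk, so verify it is set in this file rather than relying on the attribute alone. Keycloak loads `${KC_GRAFANA_ROOT_URL}/logout` in a hidden iframe from the Keycloak origin, which is a cross-site request: with Grafana's default `cookie_samesite = lax` the `grafana_session` cookie is not sent and the logout is a no-op unless `grafana.ini` sets `cookie_samesite = none` together with `cookie_secure = true`. Because Grafana's `/logout` then follows `GF_AUTH_SIGNOUT_REDIRECT_URL` back into Keycloak's logout endpoint from inside Keycloak's own logout page, it is worth confirming end-to-end that this neither loops nor prompts. Nothing on the Grafana side checks the `iss`/`sid` parameters Keycloak appends, so any web page can embed this URL and force a Grafana sign-out (low-impact logout CSRF); since JSON cannot carry a comment, record both caveats in the deployment notes for this client.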
@@ -4,7 +4,7 @@
 "auth_uri": "${KC_FRONTEND_URL}/realms/${KC_REALM_NAME}/protocol/openid-connect/auth",
 "client_id": "${KC_SUPERSET_CLIENT_ID}",
 "client_secret": "${KC_SUPERSET_CLIENT_SECRET}",
- "redirect_uris": ["${SUPERSET_SERVER_ROOT_URL}/*"],
+ "redirect_uris": ["${KC_SUPERSET_ROOT_URL}/oidc_callback"],
 "userinfo_uri": "${KC_API_URL}/realms/${KC_REALM_NAME}/protocol/openid-connect/userinfo",
 "token_uri": "${KC_API_URL}/realms/${KC_REALM_NAME}/protocol/openid-connect/token",
 "token_introspection_uri": "${KC_API_URL}/realms/${KC_REALM_NAME}/protocol/openid-connect/token/introspect"
diff --git a/dashboard-visualiser-superset/config/keycloack_security_manager.py b/dashboard-visualiser-superset/config/keycloack_security_manager.py
index 58cea877..ba053b30 100644
--- a/dashboard-visualiser-superset/config/keycloack_security_manager.py
+++ b/dashboard-visualiser-superset/config/keycloack_security_manager.py
@@ -6,6 +6,7 @@ from flask_login import login_user
 from urllib.parse import quote
 from flask_appbuilder.views import ModelView, SimpleFormView, expose
+import logging
 import urllib.parse
 class OIDCSecurityManager(SupersetSecurityManager):
@@ -57,3 +58,14 @@ def logout(self):
 return redirect( oidc.client_secrets.get('issuer') + '/protocol/openid-connect/logout?client_id=' + oidc.client_secrets.get('client_id') + '&post_logout_redirect_uri=' + quote(redirect_url))
+
+
+ @expose('/backchannel-logout/', methods=['GET', 'POST'])
+ def backchannel_logout(self):
+ oidc = self.appbuilder.sm.oid
+
+ oidc.logout()
+ super(AuthOIDCView, self).logout()
+ redirect_url = request.url_root.strip('/') + self.appbuilder.get_url_for_login
+
+ return redirect(oidc.client_secrets.get('issuer') + '/protocol/openid-connect/logout')
diff --git a/dashboard-visualiser-superset/config/superset_config.py b/dashboard-visualiser-superset/config/superset_config.py
index 5dc1367d..ac067199 100644
--- a/dashboard-visualiser-superset/config/superset_config.py
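Review bot: `import logging` is added here but no line in this patch uses it, and the new view added further down does no logging at all. Either drop the import or put it to work in that view, e.g. `logging.getLogger(__name__).info('front-channel logout requested, sid=%s', request.args.get('sid'))`, which would also leave an audit trail for externally triggered logouts.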
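Review bot: The new `backchannel_logout` view is registered in `superset.json` (later in this series) as Keycloak's front-channel logout URL, so Keycloak fetches it as a GET inside a hidden iframe with `iss` and `sid` query parameters; the view ignores both, requires no authentication or CSRF token, and clears the local session on any request, so any third-party page can embed `/backchannel-logout/` and force-logout a Superset user (logout CSRF). It then redirects to Keycloak's logout endpoint with no `id_token_hint`, `client_id` or `post_logout_redirect_uri`, from inside Keycloak's own logout page, where the front-channel flow only expects a plain 200 acknowledgement; `redirect_url` is computed and never used. I would validate `iss` against the configured issuer and `sid` against the session's id_token claim before clearing anything, and return an empty 200, keeping the route path so the JSON client definition still matches (rewrite below). The name is misleading since this is front-channel rather than back-channel logout, so at minimum the docstring should say so. Whether the Superset session cookie is even sent to this endpoint from a cross-site iframe depends on its `SameSite` setting, which this patch does not show; confirm it in a browser.
```python
    @expose('/backchannel-logout/', methods=['GET', 'POST'])
    def backchannel_logout(self):
        """Front-channel logout target: Keycloak loads it in an iframe with ?iss=&sid=."""
        oidc = self.appbuilder.sm.oid
        if not oidc.user_loggedin:
            return ''  # nothing to clear locally
        # Refuse logouts that do not come from our issuer for this session; otherwise any
        # page could embed this URL and terminate the user's Superset session.
        if request.args.get('iss') != oidc.client_secrets.get('issuer'):
            return ('', 400)
        expected_sid = oidc.user_getfield('sid')  # TODO confirm flask-oidc exposes the id_token 'sid' claim
        if expected_sid and request.args.get('sid') != expected_sid:
            return ('', 400)
        oidc.logout()
        super(AuthOIDCView, self).logout()
        # Keycloak is already ending the SSO session; acknowledge instead of redirecting back into it.
        return ''
```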
+++ b/dashboard-visualiser-superset/config/superset_config.py
@@ -58,4 +58,5 @@ AUTH_USER_REGISTRATION = True
 AUTH_USER_REGISTRATION_ROLE = AUTH_USER_REGISTRATION_ROLE
 OIDC_VALID_ISSUERS = [KC_FRONTEND_URL + '/realms/' + KC_REALM_NAME]
+ ENABLE_PROXY_FIX = True
diff --git a/identity-access-manager-keycloak/config/superset.json b/identity-access-manager-keycloak/config/superset.json
index 135ea1de..4043250d 100644
--- a/identity-access-manager-keycloak/config/superset.json
+++ b/identity-access-manager-keycloak/config/superset.json
@@ -29,7 +29,8 @@
 "post.logout.redirect.uris": "${KC_SUPERSET_ROOT_URL}/login/",
 "display.on.consent.screen": "false",
 "oauth2.device.authorization.grant.enabled": "false",
- "backchannel.logout.revoke.offline.tokens": "false"
+ "backchannel.logout.revoke.offline.tokens": "false",
+ "frontchannel.logout.url": "${KC_SUPERSET_ROOT_URL}/backchannel-logout/"
 },
 "authenticationFlowBindingOverrides": {},
 "fullScopeAllowed": true,
From a9d9fa7d063b36ddcc0612ddfb46e9946d937af6 Mon Sep 17 00:00:00 2001
From: Arran Standish
Date: Tue, 9 May 2023 08:09:32 +0200
Subject: [PATCH 4/6] Add openhim frontchannel logout url for single sign out
---
 identity-access-manager-keycloak/config/openhim.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/identity-access-manager-keycloak/config/openhim.json b/identity-access-manager-keycloak/config/openhim.json
index ed98b14b..6d830b52 100644
--- a/identity-access-manager-keycloak/config/openhim.json
+++ b/identity-access-manager-keycloak/config/openhim.json
@@ -29,7 +29,8 @@
 "post.logout.redirect.uris": "${KC_OPENHIM_ROOT_URL}",
 "display.on.consent.screen": "false",
 "oauth2.device.authorization.grant.enabled": "false",
- "backchannel.logout.revoke.offline.tokens": "false"
+ "backchannel.logout.revoke.offline.tokens": "false",
+ "frontchannel.logout.url": "${KC_OPENHIM_ROOT_URL}/#!/logout"
 },
 "authenticationFlowBindingOverrides": {},
 "fullScopeAllowed": true,
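Review bot: `ENABLE_PROXY_FIX = True` makes Superset trust the `X-Forwarded-For/Proto/Host/Port/Prefix` headers of whoever connects to it directly, and the OIDC views in this series build redirect targets from `request.url_root`, so this is only safe if Superset is reachable exclusively through the reverse proxy and that proxy overwrites rather than appends those headers. If the container port is also published directly, a client can spoof the scheme and host that end up in those redirects. A comment recording the assumption would help the next maintainer, e.g. `# Trusts one hop of X-Forwarded-* (Werkzeug ProxyFix); Superset must only be reachable via the reverse proxy that sets them`. The hunk as shown does not make clear whether this line is newly added or merely re-spaced, so the caveat applies either way.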
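Review bot: `${KC_OPENHIM_ROOT_URL}/#!/logout` is a fragment route, so the server only ever receives a request for `/` and the logout depends entirely on the console's JavaScript running inside Keycloak's hidden logout iframe. That works only if the console does not send `X-Frame-Options` or a `frame-ancestors` policy that blocks framing from the Keycloak origin, and only if its session state is still reachable from a cross-site iframe (cookie-based sessions are dropped under `SameSite=Lax`). Keycloak also appends `iss` and `sid` query parameters; confirm they are inserted before the `#` rather than after it, otherwise the hashbang router sees them as part of the route. Since a JSON file cannot carry the caveat, test this end-to-end in a browser and note the result in the OpenHIM deployment docs.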
From 08f834ec5ea31622dc973150f200b94a0ea6e605 Mon Sep 17 00:00:00 2001
From: arran-standish <125864621+arran-standish@users.noreply.github.com>
Date: Thu, 11 May 2023 06:59:55 +0200
Subject: [PATCH 5/6] Remove double new line in monitoring compose file
---
 monitoring/docker-compose.yml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/monitoring/docker-compose.yml b/monitoring/docker-compose.yml
index f977cdcd..2f562a54 100644
--- a/monitoring/docker-compose.yml
+++ b/monitoring/docker-compose.yml
@@ -57,7 +57,6 @@ services:
 reverse-proxy:
 default:
-
 prometheus:
 image: prom/prometheus:v2.38.0
 user: root
@@ -77,7 +76,6 @@ services:
 public:
 default:
-
 cadvisor:
 image: gcr.io/cadvisor/cadvisor:v0.45.0
 command: -docker_only
@@ -156,7 +154,6 @@ services:
 reverse-proxy:
 default:
-
 configs:
 grafana.ini:
 file: ./grafana/grafana.ini
@@ -226,7 +223,6 @@ volumes:
 minio-01-data1:
 minio-01-data2:
-
 networks:
 keycloak:
 name: keycloak_public
From e8d316817382f04680e7deecde0c3c31509708be Mon Sep 17 00:00:00 2001
From: nour-borgi
Date: Mon, 22 May 2023 15:51:41 +0100
Subject: [PATCH 6/6] Update the version of openhim console
---
 interoperability-layer-openhim/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/interoperability-layer-openhim/docker-compose.yml b/interoperability-layer-openhim/docker-compose.yml
index 0f857e63..97f7e88a 100644
--- a/interoperability-layer-openhim/docker-compose.yml
+++ b/interoperability-layer-openhim/docker-compose.yml
@@ -30,7 +30,7 @@ services:
 memory: ${OPENHIM_MEMORY_RESERVE}
 openhim-console:
- image: jembi/openhim-console:v1.16.1
+ image: jembi/openhim-console:v1.16.2
 environment:
 OPENHIM_CORE_MEDIATOR_HOSTNAME: ${OPENHIM_CORE_MEDIATOR_HOSTNAME}
 OPENHIM_MEDIATOR_API_PORT: ${OPENHIM_MEDIATOR_API_PORT}