Merge pull request #178 from cultuurnet/III-6207-keycloak-jwt

III-6207 keycloak jwt

.gitignore

@@ -5,4 +5,5 @@
 config.yml
 /log
 /.php_cs.cache
-.phpunit.result.cache
+.phpunit.result.cache
+

Makefile

@@ -1,4 +1,4 @@
-.PHONY: up down build install ci bash init
+.PHONY: up down build install ci bash init config
 
 up:
 	docker-compose up -d
@@ -21,4 +21,7 @@ cs-fix:
 bash:
 	docker exec -it jwt-provider bash
 
+config:
+	sh ./docker/config.sh
+
 init: install

app/ActionServiceProvider.php

@@ -98,16 +98,16 @@ public function register(): void
                 $this->get(Auth0::class),
                 new Authentication(
                     [
-                        'domain' => $this->parameter('auth0.domain'),
-                        'clientId' => $this->parameter('auth0.client_id'),
-                        'clientSecret' => $this->parameter('auth0.client_secret'),
-                        'cookieSecret' => $this->parameter('auth0.cookie_secret'),
+                        'domain' => $this->parameter($this->getIdentityProvider() . '.domain'),
+                        'clientId' => $this->parameter($this->getIdentityProvider() . '.client_id'),
+                        'clientSecret' => $this->parameter($this->getIdentityProvider() . '.client_secret'),
+                        'cookieSecret' => $this->parameter($this->getIdentityProvider() . '.cookie_secret'),
                     ]
                 ),
                 $this->get(ResponseFactoryInterface::class),
                 new UriFactory(),
-                $this->parameter('auth0.log_out_uri'),
-                $this->parameter('auth0.client_id')
+                $this->parameter($this->getIdentityProvider() . '.log_out_uri'),
+                $this->parameter($this->getIdentityProvider() . '.client_id')
             )
         );
 
@@ -127,25 +127,25 @@ public function register(): void
             RefreshServiceInterface::class,
             fn (): RefreshAuth0Adapter => new RefreshAuth0Adapter(
                 new Client(),
-                $this->parameter('auth0.client_id'),
-                $this->parameter('auth0.client_secret'),
-                $this->parameter('auth0.domain')
+                $this->parameter($this->getIdentityProvider() . '.client_id'),
+                $this->parameter($this->getIdentityProvider() . '.client_secret'),
+                $this->parameter($this->getIdentityProvider() . '.domain')
             )
         );
 
         $this->addShared(
             Auth0::class,
             fn (): Auth0 => new Auth0(
                 [
-                    'domain' => $this->parameter('auth0.domain'),
-                    'clientId' => $this->parameter('auth0.client_id'),
-                    'clientSecret' => $this->parameter('auth0.client_secret'),
-                    'redirectUri' => $this->parameter('auth0.redirect_uri'),
+                    'domain' => $this->parameter($this->getIdentityProvider() . '.domain'),
+                    'clientId' => $this->parameter($this->getIdentityProvider() . '.client_id'),
+                    'clientSecret' => $this->parameter($this->getIdentityProvider() . '.client_secret'),
+                    'redirectUri' => $this->parameter($this->getIdentityProvider() . '.redirect_uri'),
                     'scope' => ['openid','email','profile','offline_access'],
                     'persistIdToken' => true,
                     'persistRefreshToken' => true,
-                    'tokenLeeway' => $this->parameter('auth0.id_token_leeway'),
-                    'cookieSecret' => $this->parameter('auth0.cookie_secret'),
+                    'tokenLeeway' => $this->parameter($this->getIdentityProvider() . '.id_token_leeway'),
+                    'cookieSecret' => $this->parameter($this->getIdentityProvider() . '.cookie_secret'),
                 ]
             )
         );
@@ -154,7 +154,7 @@ public function register(): void
             IsAllowedRefreshToken::class,
             fn (): IsAllowedRefreshToken => new IsAllowedRefreshToken(
                 $this->get(ConsumerReadRepositoryInterface::class),
-                (string)$this->parameter('auth0.allowed_refresh_permission')
+                (string)$this->parameter($this->getIdentityProvider() . '.allowed_refresh_permission')
             )
         );
 
@@ -178,4 +178,12 @@ function (): SessionClientInformation {
             )
         );
     }
+
+    private function getIdentityProvider(): string
+    {
+        if ($this->parameter('keycloak.enabled')) {
+            return 'keycloak';
+        }
+        return 'auth0';
+    }
 }

docker.md

@@ -0,0 +1,39 @@
+# JWTProvider with Docker
+
+## Prerequisite
+- Install Docker Desktop
+- appconfig: you'll have to clone [appconfig](https://github.com/cultuurnet/appconfig) in the same folder as where you will clone [udb3-backend](https://github.com/cultuurnet/udb3-backend)
+
+## Configure
+
+```
+$ make config
+```
+
+## Start
+
+### Docker
+
+Start the docker containers with the following command. Make sure to execute this inside the root of the project.
+```
+$ make up
+```
+
+### Composer packages
+
+To install all composer packages & migrate the database, run the following command:
+```
+$ make init
+```
+
+### CI
+
+To execute all CI tasks, run the following command:
+```
+$ make ci
+```
+
+### Debugging
+
+For local debugging purposes, a sample `jwt-example.php` is included in the `web`-folder. 
+To test it go to http://localhost:9999/jwt-example.php

docker/config.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+DIR="../appconfig/files/udb3/docker/jwt-provider/"
+if [ -d "$DIR" ]; then
+  cp -R "$DIR"/* .
+else
+  echo "Error: missing appconfig see docker.md prerequisites to fix this."
+  exit 1
+fi

docker/php/Dockerfile

@@ -19,4 +19,5 @@ RUN a2enmod rewrite
 
 ENV APACHE_DOCUMENT_ROOT=/var/www/html/web
 RUN sed -ri -e 's!/var/www/html!${APACHE_DOCUMENT_ROOT}!g' /etc/apache2/sites-available/*.conf
-RUN sed -ri -e 's!/var/www/html!${APACHE_DOCUMENT_ROOT}!g' /etc/apache2/apache2.conf /etc/apache2/conf-available/*.conf
+RUN sed -ri -e 's!/var/www/html!${APACHE_DOCUMENT_ROOT}!g' /etc/apache2/apache2.conf /etc/apache2/conf-available/*.conf
+RUN echo '\nLimitRequestFieldSize 163840\nLimitRequestFields 1000\nLimitRequestLine 81900\n' >> /etc/apache2/apache2.conf

lib/tasks/jwt-provider/build.rake

@@ -3,4 +3,8 @@ namespace 'jwt-provider' do
   task :build do |task|
     system('composer2 install --no-dev --ignore-platform-reqs --prefer-dist --optimize-autoloader') or exit 1
   end
+  desc "remove debug files"
+  task :remove_debug_files do |task|
+      system('rm web/jwt-example.php')
+  end
 end

web/jwt-example.php

@@ -0,0 +1,37 @@
+<?php
+
+declare(strict_types=1);
+
+session_start();
+
+if ($_SERVER['HTTP_HOST'] === 'localhost') {
+    header('response-code: 400');
+    die('Access denied.');
+}
+
+$url = urlencode('http://localhost:9999/jwt-example.php?apiKey=f3527f1c-210f-4075-99d3-ece98cf2b391');
+?>
+
+<ul>
+    <li><a href="http://localhost:9999/connect?destination=<?php echo $url?>">Connect without apiKey</a></li>
+    <li><a href="http://localhost:9999/connect?apiKey=f3527f1c-210f-4075-99d3-ece98cf2b391&destination=<?php echo $url?>">Connect with apiKey</a></li>
+    <li><a href="http://localhost:9999/logout?destination=<?php echo $url?>">Logout</a></li>
+    <li><a href="http://localhost:9999/logout-confirm">Logout confirm</a></li>
+    <li><a href="http://localhost:9999/refresh?apiKey=f3527f1c-210f-4075-99d3-ece98cf2b391&refresh=<?php echo $_GET['refresh'] ?? '' ?>">Refresh</a></li>
+</ul>
+
+    <style>
+        td {
+            word-wrap: anywhere;
+        }
+    </style>
+
+<?php
+if (!empty($_GET)) {
+    echo '<table border="1">';
+    echo '<tr><th>Parameter</th><th>Value</th></tr>';
+    foreach ($_GET as $key => $value) {
+        echo '<tr><td>' . htmlspecialchars($key) . '</td><td>' . htmlspecialchars($value) . '</td></tr>';
+    }
+    echo '</table>';
+}