Advice on new frontend (Angular SPA)

[francescor]

Hi,
we have a rails app with the following

gem "rodauth-rails", "~> 1.12"
gem 'omniauth'
gem 'omniauth-oauth2'
gem 'rodauth-omniauth'

and in app/misc/rodauth_main.rb

    enable :login, :logout, :remember, :jwt, :jwt_refresh, :internal_request, :omniauth 

which correctly login with SSO with Authentik (made with your help as in #25 )

Everything works perfectly.

We can still use the old authorization (LDAP with rodauth app/misc/rodauth_ldap.rb) which we want to remove.

We have a working new frontend: an Angular Single Page Application, that talk to the Rails backend with API (swagger) and use JWT (with rodauth, of course): before enabling Oauth2, the Agular SPA ask for login/password, send it to the backend to receive an authorized JWT (and refresh it cyclically).

Now we want the new Augular fronted to use Authentik SSO, too.

Can you give us some tips on how to set this up?

We can easily enable SSO in the new Angular frontend, but then how does the rails backend know the frontend is authorized?

[janko]

Have you gone through the JSON section of the README?

[francescor]

Oh, yes, GREAT, it works!

here two lines in case somebody need help (pls double check we are not writing any studipidy ;) )

Postman helped us on testing this

So

• the SPA frontend makes a POST to the rails backend myrailsapp.it/auth/authentik?action=login with Content-Type: application/json
• we get back the authorize_url but also the access_token,
• the SPA frontend (store access_token locally and) redirect the user to the authorize_url
• now the user is taken to Authentik for the login, then
• Authentik redirects back to the frontend: frontend.it/auth/authentik/callback?code=...&state=...
• the SPA take that url and makes a GET (with the above access_token as Authorization: Bearer) to the same URI but with the myrailsapp.it backend domain
• the rails backend return "success": "You have been logged in"with theaccess-token(the JWT), and therefresh-token`

Then the SPA is authorized to query the backend (and the user who is logged in is encoded in the JWT), and can also refresh the token (exactly as we did before enabling Oauth2)

Thank you so much @janko !!!

btw: do we get that access_token because we enabled :jwt in app/misc/rodauth_main.rb:

 enable :login, :logout, :remember, :jwt, :jwt_refresh, :omniauth

[janko]

Glad it's working!

btw: do we get that access_token because we enabled :jwt in app/misc/rodauth_main.rb:

That's correct, the access_token in the JSON response is coming from the jwt_refresh feature.