OIDC redirect not working on non-public backend #977

Closed
opened 2021-09-13 12:19:52 +00:00 by tcassaert · 3 comments

I have the following setup:

  • The api is available on a private address, let's say backend.internal.example.com.
  • The frontend is available on vikunja.example.com.
  • I have OIDC enabled with Keycloak on keycloak.example.com.

When I access the frontend on, for example, cellular, where I cannot resolve backend.internal.example.com, there is no redirection happening to log in with Keycloak.

When I access the frontend from home, it does redirect to Keycloak.

I've enabled CORS for all the URLs above.

Am I doing anything wrong?

Relevant sections config.yml:

```
---
auth:
  local:
    enabled: false
  openid:
    enabled: true
    providers:
      - name: Keycloak
        authurl: https://keycloak.example.com/auth/realms/******
        clientid: *******
        clientsecret: *********
cors:
  enable: true
  origins:
    - https://keycloak.example.com
    - https://vikunja.example.com
    - https://vikunja-backend.internal.example.com
```
Owner

I'm wondering, how do you plan to use the api at all from the outside? All requests the frontend makes to the api happen in your browser, that means if your device cannot access the api it won't work at all - not only authentication.

Author

Thanks for the fast response!

To be honest, I had not tried that, as I couldn't log in with Keycloak.

So the api has to be publicly available for the frontend to work at all?

I just put it on a private URL as I thought that would be a little more secure, to not open up the API to the outside world, and the frontend can reach that internal backend URL anyways. I didn't realize all requests go via the browser.

Owner

> So the api has to be publicly available for the frontend to work at all?

Yes, the frontend is running completely in your browser and directly talking to the api in the browser. In theory, you can use the api with other frontends (no other ones exist yet) or with only the desktop app and not a hosted frontend.

Closing as this seems to be a hosting issue, feel free to reopen if that's not the case.

Reference: vikunja/vikunja#977