feat(sso): wire Keycloak SSO end-to-end across all apps
New stack:
- stacks/oauth2-proxy/ — per-app sidecars (mlflow, portainer, rabbitmq)
that gate vhosts via nginx auth_request against Keycloak's wbd realm.
Native OIDC wired into:
- grafana (generic_oauth, role-attribute-path → Admin/Editor/Viewer)
- jupyterhub (oauthenticator.GenericOAuthenticator)
- node-red (passport-openidconnect; in-memory state store + users()
resolver because adminAuth doesn't expose req.session)
- jenkins (oic-auth plugin via JCasC; matrix-auth for authz; setup
wizard suppressed; custom image with plugins.txt)
Infra fixes uncovered while bringing the above online:
- nginx-proxy: bump proxy_buffer_size to 16k so oauth2-proxy callbacks
don't 502 on the JWT-bearing Set-Cookie header.
- nginx-proxy: add `resolver 127.0.0.11 valid=30s` so service names
re-resolve after sidecar recreates (was cross-wiring oauth2-proxy
upstreams after restart).
- jupyterhub: pass --allow-root to the singleuser spawner (hub runs as
root inside its container; jupyter-server refused root without flag).
- jupyterhub Dockerfile: install jupyterlab + notebook so
SimpleLocalProcessSpawner has something to launch.
- node-red Dockerfile: install passport-openidconnect into the image
so settings.js can require() it.
- portainer: pre-seed local admin via --admin-password=<bcrypt-hash>
so the 5-minute "no admin → lockout" timer can never trigger.
- deploy.sh: restore executable bit (was 644 in repo).
Admin/viewer policy:
- Created realm role `app-admin` in keycloak wbd realm.
- Grafana maps app-admin → Admin (default Viewer).
- Jenkins matrix-auth grants r.de.ren Overall/Administer, authenticated
users get Overall/Read + Job/Read + View/Read.
- Node-RED: NODERED_ADMIN_USERS env list → permissions "*", others
["read"]. (TODO: switch to app-admin realm role.)
- JupyterHub: JUPYTERHUB_ADMIN_USERS env list. (Same TODO.)
- Gitea: r.de.ren pre-created as local admin; OIDC auto-links via email.
Docs:
- README, cloud/README, stacks/oauth2-proxy/README, and per-stack
READMEs updated to reflect the new state and remove resolved TODOs.
- cloud/.env.example gains all the new OIDC client + cookie-secret keys.
- cloud/README documents the full kcadm realm bootstrap, including the
hardcoded-audience mapper and post-logout redirect URIs that are
non-obvious gotchas.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
73
stacks/oauth2-proxy/README.md
Normal file
73
stacks/oauth2-proxy/README.md
Normal file
@@ -0,0 +1,73 @@
|
||||
# oauth2-proxy
|
||||
|
||||
Keycloak SSO gate for apps **without native OIDC**: `mlflow`, `portainer-ce`, `rabbitmq`. One sidecar container per protected vhost. nginx-proxy's vhost for each gates user requests with `auth_request /oauth2/auth`, and forwards `/oauth2/*` paths to the sidecar for the OIDC handshake.
|
||||
|
||||
Cloud-only. Each sidecar binds to port 4180 on the `app` network so nginx can reach it.
|
||||
|
||||
## Files
|
||||
|
||||
```
|
||||
stacks/oauth2-proxy/
|
||||
├── compose.yml # three services: oauth2-proxy-mlflow, -portainer, -rabbitmq
|
||||
└── README.md
|
||||
```
|
||||
|
||||
## How a request flows
|
||||
|
||||
1. Browser → `https://ml.wbd-rd.nl/` (no cookie)
|
||||
2. nginx `auth_request /oauth2/auth` subrequest → oauth2-proxy → **401**
|
||||
3. nginx `error_page 401 = /oauth2/sign_in` → oauth2-proxy → **302** to Keycloak
|
||||
4. User authenticates at Keycloak → redirected to `https://ml.wbd-rd.nl/oauth2/callback?code=…`
|
||||
5. oauth2-proxy exchanges the code, sets `_oauth2_<app>` cookie, redirects to the original URL
|
||||
6. Browser retries `/`, this time `/oauth2/auth` returns **202**, request proxies through to mlflow
|
||||
|
||||
## Required Keycloak setup per client
|
||||
|
||||
Each client must have:
|
||||
- Standard flow enabled, confidential client (`publicClient=false`).
|
||||
- Redirect URI exactly: `https://<app-host>/oauth2/callback`
|
||||
- **Hardcoded audience mapper** so the access token's `aud` claim includes the client_id. Without this, oauth2-proxy rejects the callback with HTTP 500 because the default Keycloak `aud` is `[realm-management, account]` — see `cloud/README.md` for the kcadm bootstrap script.
|
||||
|
||||
## nginx vhost shape
|
||||
|
||||
```nginx
|
||||
server {
|
||||
listen 443 ssl; server_name <app>.wbd-rd.nl;
|
||||
# … cert directives …
|
||||
|
||||
location /oauth2/ {
|
||||
proxy_pass http://oauth2-proxy-<app>:4180;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Auth-Request-Redirect $request_uri;
|
||||
}
|
||||
location = /oauth2/auth {
|
||||
internal;
|
||||
proxy_pass http://oauth2-proxy-<app>:4180;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Original-URI $request_uri;
|
||||
proxy_pass_request_body off;
|
||||
proxy_set_header Content-Length "";
|
||||
}
|
||||
location / {
|
||||
auth_request /oauth2/auth;
|
||||
error_page 401 = /oauth2/sign_in;
|
||||
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||
add_header Set-Cookie $auth_cookie;
|
||||
proxy_pass http://<app-upstream>;
|
||||
# … app-specific headers …
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
## Caveats
|
||||
|
||||
- **No fine-grained authorization.** oauth2-proxy only enforces "is this Keycloak user authenticated"; restricting to a subset (e.g. only `app-admin`) is a separate config (`OAUTH2_PROXY_ALLOWED_GROUPS` / `OAUTH2_PROXY_ALLOWED_EMAIL_DOMAINS`).
|
||||
- **Cookies are HUGE.** oauth2-proxy embeds the JWT + refresh token in the session cookie. Without raising `proxy_buffer_size` to ≥ 16k in nginx, the callback returns 502 "upstream sent too big header". The nginx-proxy stack already sets this globally.
|
||||
- **DNS caching on nginx restart.** When oauth2-proxy containers are recreated they get new Docker bridge IPs. nginx will keep using the old IPs until reloaded. The nginx-proxy stack now ships `resolver 127.0.0.11 valid=30s;` so this self-heals on the resolver TTL.
|
||||
- **Cookie secrets must be exactly 16, 24, or 32 bytes** (raw, not base64). `openssl rand -hex 16` gives 32 hex chars = the right shape.
|
||||
|
||||
## TODO
|
||||
|
||||
- Restrict access per app via `OAUTH2_PROXY_ALLOWED_GROUPS=app-admin` (or similar) once we have proper realm groups
|
||||
- Consider consolidating to a single oauth2-proxy with a wildcard cookie domain `.wbd-rd.nl` once we trust the shared-cookie tradeoff
|
||||
58
stacks/oauth2-proxy/compose.yml
Normal file
58
stacks/oauth2-proxy/compose.yml
Normal file
@@ -0,0 +1,58 @@
|
||||
# oauth2-proxy — Keycloak SSO gate for apps without native OIDC.
|
||||
# One container per protected vhost; each presents itself on the `app` network
|
||||
# so nginx-proxy can hit it via auth_request.
|
||||
|
||||
x-oauth2-proxy-common: &oauth2-proxy-common
|
||||
image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
|
||||
restart: unless-stopped
|
||||
networks: [app]
|
||||
environment: &oauth2-proxy-env
|
||||
OAUTH2_PROXY_PROVIDER: keycloak-oidc
|
||||
OAUTH2_PROXY_OIDC_ISSUER_URL: https://auth.wbd-rd.nl/realms/wbd
|
||||
OAUTH2_PROXY_HTTP_ADDRESS: 0.0.0.0:4180
|
||||
OAUTH2_PROXY_REVERSE_PROXY: "true"
|
||||
OAUTH2_PROXY_PASS_ACCESS_TOKEN: "true"
|
||||
OAUTH2_PROXY_PASS_AUTHORIZATION_HEADER: "true"
|
||||
OAUTH2_PROXY_SET_XAUTHREQUEST: "true"
|
||||
OAUTH2_PROXY_SET_AUTHORIZATION_HEADER: "true"
|
||||
OAUTH2_PROXY_EMAIL_DOMAINS: "*"
|
||||
OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: "true"
|
||||
OAUTH2_PROXY_UPSTREAM: static://202
|
||||
OAUTH2_PROXY_COOKIE_SECURE: "true"
|
||||
OAUTH2_PROXY_COOKIE_SAMESITE: lax
|
||||
OAUTH2_PROXY_WHITELIST_DOMAINS: ".wbd-rd.nl"
|
||||
TZ: ${TZ:-Europe/Amsterdam}
|
||||
|
||||
services:
|
||||
oauth2-proxy-mlflow:
|
||||
<<: *oauth2-proxy-common
|
||||
environment:
|
||||
<<: *oauth2-proxy-env
|
||||
OAUTH2_PROXY_CLIENT_ID: ${MLFLOW_OAUTH_CLIENT_ID:-mlflow}
|
||||
OAUTH2_PROXY_CLIENT_SECRET: ${MLFLOW_OAUTH_CLIENT_SECRET}
|
||||
OAUTH2_PROXY_COOKIE_SECRET: ${OAUTH2_PROXY_COOKIE_SECRET_MLFLOW}
|
||||
OAUTH2_PROXY_REDIRECT_URL: https://ml.wbd-rd.nl/oauth2/callback
|
||||
OAUTH2_PROXY_COOKIE_NAME: _oauth2_mlflow
|
||||
|
||||
oauth2-proxy-portainer:
|
||||
<<: *oauth2-proxy-common
|
||||
environment:
|
||||
<<: *oauth2-proxy-env
|
||||
OAUTH2_PROXY_CLIENT_ID: ${PORTAINER_OAUTH_CLIENT_ID:-portainer-ce}
|
||||
OAUTH2_PROXY_CLIENT_SECRET: ${PORTAINER_OAUTH_CLIENT_SECRET}
|
||||
OAUTH2_PROXY_COOKIE_SECRET: ${OAUTH2_PROXY_COOKIE_SECRET_PORTAINER}
|
||||
OAUTH2_PROXY_REDIRECT_URL: https://ops.wbd-rd.nl/oauth2/callback
|
||||
OAUTH2_PROXY_COOKIE_NAME: _oauth2_portainer
|
||||
|
||||
oauth2-proxy-rabbitmq:
|
||||
<<: *oauth2-proxy-common
|
||||
environment:
|
||||
<<: *oauth2-proxy-env
|
||||
OAUTH2_PROXY_CLIENT_ID: ${RABBITMQ_OAUTH_CLIENT_ID:-rabbitmq}
|
||||
OAUTH2_PROXY_CLIENT_SECRET: ${RABBITMQ_OAUTH_CLIENT_SECRET}
|
||||
OAUTH2_PROXY_COOKIE_SECRET: ${OAUTH2_PROXY_COOKIE_SECRET_RABBITMQ}
|
||||
OAUTH2_PROXY_REDIRECT_URL: https://mq.wbd-rd.nl/oauth2/callback
|
||||
OAUTH2_PROXY_COOKIE_NAME: _oauth2_rabbitmq
|
||||
|
||||
networks:
|
||||
app:
|
||||
Reference in New Issue
Block a user