keycloack token refreshing added + logout on token expiry #1638

Merged
74 changes: 74 additions & 0 deletions docs/authentication.md
@@ -0,0 +1,74 @@
# Sequence diagrams

## Keycloak

Overview of login and logout process using keycloak

```mermaid
sequenceDiagram
autonumber
actor User
participant AuthService
participant Keycloak
participant Backend

User ->> AuthService: Request login
AuthService ->> Keycloak: Redirect to keycloak login
User ->> Keycloak: Login with credentials
Keycloak ->> AuthService: Return authenticated token
AuthService ->> AuthService: Check token for access to yaptide
opt user has access
AuthService ->> Backend: Verify token with backend (POST /auth/keycloak)
Backend ->> Keycloak: Verify if token is correct
opt token verified
Keycloak ->> Backend: Signature verified
Backend ->> AuthService: Response with accessExp
AuthService ->> AuthService: Set token refresh interval based on accessExp
AuthService ->> User: Provide auth context
end
opt signature expired or invalid token or keycloak connection error
Backend ->> AuthService: Raise exception Forbidden (403)
end
end
opt user doesn't have access
AuthService ->> User: Message with access denied
end
loop Refresh backend connection every 3 minutes
AuthService ->> Backend: Refresh token (GET auth/refresh)
Backend ->> AuthService: Response with new backend access token in cookies
end
loop Refresh token every 1/3 of tokens lifetime
AuthService ->> Keycloak: Refresh token
Keycloak ->> AuthService: Updated token
end
User ->> AuthService: Logout
AuthService ->> Backend: Invalidate session (DELETE /auth/logout)
Backend ->> AuthService: Response with cookies deleted
AuthService ->> Keycloak: Logout
AuthService ->> User: Clear user data
```

## Non-Keycloak

Overview of login and logout process while in demo or dev modes

```mermaid
sequenceDiagram
autonumber
participant User
participant AuthService
participant Backend

User ->> AuthService: Request Login
AuthService ->> Backend: Validate Credentials (POST /auth/login)
Backend ->> AuthService: Response with accessExp and set access and refresh tokens in cookies
AuthService ->> User: Provide Auth Context
loop Refresh backend connection every 3 minutes
AuthService ->> Backend: Refresh token (GET auth/refresh)
Backend ->> AuthService: Response with new backend access token in cookies
end
User ->> AuthService: Logout
AuthService ->> Backend: Invalidate session (DELETE /auth/logout)
Backend ->> AuthService: Response with cookies deleted
AuthService ->> User: Clear User Data
```
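Review bot: the behaviour named in the PR title, logout when the Keycloak token expires, is not drawn anywhere in the Keycloak diagram; the `loop Refresh token every 1/3 of tokens lifetime` block only shows the success path (`Keycloak ->> AuthService: Updated token`), so add an `opt refresh fails or token expired` branch that ends in the same `Logout` steps drawn at the bottom, otherwise a reader of docs/authentication.md cannot tell that an expired token terminates the session. Smaller points in the same file: `GET auth/refresh` lacks the leading slash used by `POST /auth/keycloak` and `DELETE /auth/logout`; the two `opt user has access` / `opt user doesn't have access` blocks are mutually exclusive, so mermaid's `alt ... else ... end` states the intent more clearly than two independent `opt` blocks; and since the diagram folds "keycloak connection error" into the same `Forbidden (403)` response as an invalid token, one sentence noting that the frontend cannot distinguish the two from the status code would help whoever debugs a 403 later. It would also be useful to say where the "every 3 minutes" and "1/3 of tokens lifetime" intervals are configured.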
10 changes: 10 additions & 0 deletions mkdocs.yml
@@ -17,6 +17,16 @@ theme:
nav:
- Home:
- Overview: index.md
- Authentication: authentication.md

plugins:
- search

markdown_extensions:
- pymdownx.superfences:
custom_fences:
- name: mermaid
class: mermaid
format: !!python/name:pymdownx.superfences.fence_code_format
- pymdownx.tabbed:
alternate_style: true
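Review bot: `pymdownx.tabbed` with `alternate_style: true` is enabled here although the only page this PR adds uses `mermaid` fences and no tabbed content, so either drop it or state in the PR what it is for. The `format: !!python/name:pymdownx.superfences.fence_code_format` entry is the form the pymdownx superfences documentation prescribes for mermaid diagrams, but it is a Python-object YAML tag: mkdocs resolves it when loading mkdocs.yml, while a safe YAML loader used by a linter or CI check will refuse the file, so a short comment above that line pointing at the superfences docs will save the next person a debugging round. Note also that once a `plugins:` key is present, mkdocs no longer enables `search` implicitly; listing `- search` as done here is correct, but any plugin added later must keep it in the list.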
16 changes: 15 additions & 1 deletion src/services/AuthService.tsx
@@ -194,7 +194,21 @@ const Auth = ({ children }: GenericContextProviderProps) => {
);
};

if (!initialized || !keycloak.authenticated) return;
if (!initialized) {
// keycloak authentication system not initilized (working in demo mode or keycloak not to handle authentication and authorization)
// skipping futher checks (for example: to ask backend if the keycloak token is OK
return;
} else {
// keycloak authentication is initilized, so it makes sense to check if user is authenticated in keycloak
if (!keycloak.authenticated) {
// user not authenticated, forcing logout from yaptide app
logout();

// skipping futher checks (for example: to ask backend if the keycloak token is OK
return;
}
// user authenticated, we proceed with further checks
}

checkPlgridAccessServices(keycloak.tokenParsed)
.then(() => {
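Review bot: the new `!keycloak.authenticated` branch calls `logout()`, but `keycloak.authenticated` is false both after a token has expired and for a visitor who has never signed in, so confirm that `logout()` is harmless in the never-signed-in state (no `DELETE /auth/logout` round trip against a session that does not exist, no redirect loop, no error shown to the user) or gate the call on the user having been authenticated earlier in this session; if this code runs inside an effect that re-executes when `initialized` or `keycloak.authenticated` change, `logout()` should also be safe to call more than once. Style: the `else` block after `return;` adds nesting for no reason, `if (!initialized) { ... return; } if (!keycloak.authenticated) { logout(); return; }` reads flatter; and the comments carry typos (`initilized`, `futher`) and an unclosed parenthesis in "(for example: to ask backend if the keycloak token is OK", which appears twice.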