matt
/
port-nimara-client-portal
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
port-nimara-client-portal/composables/useKeycloak.ts

190 lines
5.4 KiB
TypeScript
Raw Normal View History

MAJOR: Replace nuxt-openid-connect with official Keycloak JS adapter - Remove problematic nuxt-openid-connect module that was causing OAuth issues - Install and implement official keycloak-js adapter for better reliability - Create new useKeycloak composable with proper token management - Update useUnifiedAuth to work with new Keycloak implementation - Fix authentication middleware to support both auth methods - Update login page to use new Keycloak login function - Clean up configuration and remove deprecated OIDC settings - This should resolve all the HTTP/HTTPS redirect and token exchange issues
2025-06-14 14:50:29 +02:00
import type Keycloak from 'keycloak-js'
export const useKeycloak = () => {
const config = useRuntimeConfig()
const keycloak = ref<Keycloak | null>(null)
const isAuthenticated = ref(false)
const user = ref<any>(null)
const token = ref<string | null>(null)
const isInitialized = ref(false)
Implement Official Keycloak JS Adapter with Proxy-Aware Configuration MAJOR ENHANCEMENT: Complete Keycloak integration with proper HTTPS/proxy handling ## Core Improvements: ### 1. Enhanced Configuration (nuxt.config.ts) - Added proxy trust configuration for nginx environments - Configured baseUrl for production HTTPS enforcement - Added debug mode configuration for development ### 2. Proxy-Aware Keycloak Composable (composables/useKeycloak.ts) - Intelligent base URL detection (production vs development) - Force HTTPS redirect URIs in production environments - Enhanced debugging and logging capabilities - Proper PKCE implementation for security - Automatic token refresh mechanism ### 3. Dual Authentication System - Updated middleware to support both Directus and Keycloak - Enhanced useUnifiedAuth for seamless auth source switching - Maintains backward compatibility with existing Directus users ### 4. OAuth Flow Implementation - Created proper callback handler (pages/auth/callback.vue) - Comprehensive error handling and user feedback - Automatic redirect to dashboard on success ### 5. Enhanced Login Experience (pages/login.vue) - Restored SSO login button with proper error handling - Maintained existing Directus login form - Clear separation between auth methods with visual divider ### 6. Comprehensive Testing Suite (pages/dashboard/keycloak-test.vue) - Real-time configuration display - Authentication status monitoring - Interactive testing tools - Detailed debug logging system ## Technical Solutions: **Proxy Detection**: Automatically detects nginx proxy and uses correct HTTPS URLs **HTTPS Enforcement**: Forces secure redirect URIs in production **Error Handling**: Comprehensive error catching with user-friendly messages **Debug Capabilities**: Enhanced logging for troubleshooting **Security**: Implements PKCE and secure token handling ## Infrastructure Compatibility: - Works with nginx reverse proxy setups - Compatible with Docker container networking - Handles SSL termination at proxy level - Supports both development and production environments This implementation specifically addresses the HTTP/HTTPS redirect URI mismatch that was causing 'unauthorized_client' errors in the proxy environment.
2025-06-14 15:26:26 +02:00
// Get the correct base URL considering proxy setup
const getBaseUrl = () => {
if (process.server) {
// In production, always use the configured HTTPS base URL
return config.public.baseUrl
}
// Client-side: detect if we're behind a proxy
const currentOrigin = window.location.origin
const isProduction = !currentOrigin.includes('localhost') && !currentOrigin.includes('127.0.0.1')
if (isProduction) {
// Force HTTPS in production environments
return config.public.baseUrl
}
// Development: use current origin
return currentOrigin
}
const logDebug = (message: string, data?: any) => {
if (config.public.keycloakDebug) {
console.log(`[KEYCLOAK] ${message}`, data)
}
}
MAJOR: Replace nuxt-openid-connect with official Keycloak JS adapter - Remove problematic nuxt-openid-connect module that was causing OAuth issues - Install and implement official keycloak-js adapter for better reliability - Create new useKeycloak composable with proper token management - Update useUnifiedAuth to work with new Keycloak implementation - Fix authentication middleware to support both auth methods - Update login page to use new Keycloak login function - Clean up configuration and remove deprecated OIDC settings - This should resolve all the HTTP/HTTPS redirect and token exchange issues
2025-06-14 14:50:29 +02:00
const initKeycloak = async () => {
Fix SSR and defensive coding for Keycloak integration - Add proper SSR guards and error handling - Make authentication middleware more defensive - Add null checks in useUnifiedAuth composable - Prevent JavaScript errors from breaking page load - Prioritize Directus auth over Keycloak for stability
2025-06-14 15:01:45 +02:00
if (process.server) return false
MAJOR: Replace nuxt-openid-connect with official Keycloak JS adapter - Remove problematic nuxt-openid-connect module that was causing OAuth issues - Install and implement official keycloak-js adapter for better reliability - Create new useKeycloak composable with proper token management - Update useUnifiedAuth to work with new Keycloak implementation - Fix authentication middleware to support both auth methods - Update login page to use new Keycloak login function - Clean up configuration and remove deprecated OIDC settings - This should resolve all the HTTP/HTTPS redirect and token exchange issues
2025-06-14 14:50:29 +02:00
try {
Implement Official Keycloak JS Adapter with Proxy-Aware Configuration MAJOR ENHANCEMENT: Complete Keycloak integration with proper HTTPS/proxy handling ## Core Improvements: ### 1. Enhanced Configuration (nuxt.config.ts) - Added proxy trust configuration for nginx environments - Configured baseUrl for production HTTPS enforcement - Added debug mode configuration for development ### 2. Proxy-Aware Keycloak Composable (composables/useKeycloak.ts) - Intelligent base URL detection (production vs development) - Force HTTPS redirect URIs in production environments - Enhanced debugging and logging capabilities - Proper PKCE implementation for security - Automatic token refresh mechanism ### 3. Dual Authentication System - Updated middleware to support both Directus and Keycloak - Enhanced useUnifiedAuth for seamless auth source switching - Maintains backward compatibility with existing Directus users ### 4. OAuth Flow Implementation - Created proper callback handler (pages/auth/callback.vue) - Comprehensive error handling and user feedback - Automatic redirect to dashboard on success ### 5. Enhanced Login Experience (pages/login.vue) - Restored SSO login button with proper error handling - Maintained existing Directus login form - Clear separation between auth methods with visual divider ### 6. Comprehensive Testing Suite (pages/dashboard/keycloak-test.vue) - Real-time configuration display - Authentication status monitoring - Interactive testing tools - Detailed debug logging system ## Technical Solutions: **Proxy Detection**: Automatically detects nginx proxy and uses correct HTTPS URLs **HTTPS Enforcement**: Forces secure redirect URIs in production **Error Handling**: Comprehensive error catching with user-friendly messages **Debug Capabilities**: Enhanced logging for troubleshooting **Security**: Implements PKCE and secure token handling ## Infrastructure Compatibility: - Works with nginx reverse proxy setups - Compatible with Docker container networking - Handles SSL termination at proxy level - Supports both development and production environments This implementation specifically addresses the HTTP/HTTPS redirect URI mismatch that was causing 'unauthorized_client' errors in the proxy environment.
2025-06-14 15:26:26 +02:00
const baseUrl = getBaseUrl()
logDebug('Initializing Keycloak', {
baseUrl,
keycloakUrl: config.public.keycloak.url,
realm: config.public.keycloak.realm,
clientId: config.public.keycloak.clientId
})
MAJOR: Replace nuxt-openid-connect with official Keycloak JS adapter - Remove problematic nuxt-openid-connect module that was causing OAuth issues - Install and implement official keycloak-js adapter for better reliability - Create new useKeycloak composable with proper token management - Update useUnifiedAuth to work with new Keycloak implementation - Fix authentication middleware to support both auth methods - Update login page to use new Keycloak login function - Clean up configuration and remove deprecated OIDC settings - This should resolve all the HTTP/HTTPS redirect and token exchange issues
2025-06-14 14:50:29 +02:00
// Dynamically import keycloak-js
const KeycloakModule = await import('keycloak-js')
const KeycloakConstructor = KeycloakModule.default
keycloak.value = new KeycloakConstructor({
url: config.public.keycloak.url,
realm: config.public.keycloak.realm,
clientId: config.public.keycloak.clientId,
})
const authenticated = await keycloak.value.init({
onLoad: 'check-sso',
Implement Official Keycloak JS Adapter with Proxy-Aware Configuration MAJOR ENHANCEMENT: Complete Keycloak integration with proper HTTPS/proxy handling ## Core Improvements: ### 1. Enhanced Configuration (nuxt.config.ts) - Added proxy trust configuration for nginx environments - Configured baseUrl for production HTTPS enforcement - Added debug mode configuration for development ### 2. Proxy-Aware Keycloak Composable (composables/useKeycloak.ts) - Intelligent base URL detection (production vs development) - Force HTTPS redirect URIs in production environments - Enhanced debugging and logging capabilities - Proper PKCE implementation for security - Automatic token refresh mechanism ### 3. Dual Authentication System - Updated middleware to support both Directus and Keycloak - Enhanced useUnifiedAuth for seamless auth source switching - Maintains backward compatibility with existing Directus users ### 4. OAuth Flow Implementation - Created proper callback handler (pages/auth/callback.vue) - Comprehensive error handling and user feedback - Automatic redirect to dashboard on success ### 5. Enhanced Login Experience (pages/login.vue) - Restored SSO login button with proper error handling - Maintained existing Directus login form - Clear separation between auth methods with visual divider ### 6. Comprehensive Testing Suite (pages/dashboard/keycloak-test.vue) - Real-time configuration display - Authentication status monitoring - Interactive testing tools - Detailed debug logging system ## Technical Solutions: **Proxy Detection**: Automatically detects nginx proxy and uses correct HTTPS URLs **HTTPS Enforcement**: Forces secure redirect URIs in production **Error Handling**: Comprehensive error catching with user-friendly messages **Debug Capabilities**: Enhanced logging for troubleshooting **Security**: Implements PKCE and secure token handling ## Infrastructure Compatibility: - Works with nginx reverse proxy setups - Compatible with Docker container networking - Handles SSL termination at proxy level - Supports both development and production environments This implementation specifically addresses the HTTP/HTTPS redirect URI mismatch that was causing 'unauthorized_client' errors in the proxy environment.
2025-06-14 15:26:26 +02:00
// Use proper HTTPS redirect URI
redirectUri: `${baseUrl}/auth/callback`,
Fix Keycloak CORS and iframe issues for cross-domain authentication CRITICAL FIX: Resolve SSO login endless loading and CORS errors ## Issues Resolved: ### 1. CORS Policy Violations - Disabled checkLoginIframe (causes cross-origin iframe errors) - Removed silentCheckSsoRedirectUri (blocked by modern browsers) - Disabled checkLoginIframeInterval to prevent 3rd party cookie checks ### 2. Cross-Domain Compatibility - Set responseMode to 'query' for better proxy compatibility - Configured standard flow instead of implicit - Added proper timeout handling (messageReceiveTimeout: 10000) - Enhanced debug logging for troubleshooting ### 3. Redirect URI Consistency - Fixed login() to use proper baseUrl for redirect URIs - Ensures HTTPS URLs in production environment - Consistent URL generation across initialization and login ### 4. Browser Security Compliance - Disabled enableLogging to reduce console noise - Removed iframe-based features that modern browsers block - Maintained PKCE (S256) for security while fixing compatibility ## Technical Details: The previous errors were caused by Keycloak trying to use: - /protocol/openid-connect/3p-cookies/step1.html - /protocol/openid-connect/login-status-iframe.html These are blocked by browsers' cross-origin policies when the app and Keycloak are on different domains (client.portnimara.dev vs auth.portnimara.dev). This fix disables these problematic features while maintaining full OAuth functionality and security. The SSO login should now work without endless loading issues.
2025-06-14 15:38:40 +02:00
// Disable all iframe-based features that cause CORS issues
checkLoginIframe: false,
silentCheckSsoRedirectUri: undefined, // Disable silent SSO check
enableLogging: false, // Reduce console noise
// Use standard flow compatible with proxy setups
flow: 'standard',
responseMode: 'query', // Use query params instead of fragments
// Disable third-party cookie checks
checkLoginIframeInterval: 0,
// PKCE for security
pkceMethod: 'S256',
// Timeout settings
messageReceiveTimeout: 10000,
// Disable adapter features that can cause issues in proxied environments
adapter: 'default'
Implement Official Keycloak JS Adapter with Proxy-Aware Configuration MAJOR ENHANCEMENT: Complete Keycloak integration with proper HTTPS/proxy handling ## Core Improvements: ### 1. Enhanced Configuration (nuxt.config.ts) - Added proxy trust configuration for nginx environments - Configured baseUrl for production HTTPS enforcement - Added debug mode configuration for development ### 2. Proxy-Aware Keycloak Composable (composables/useKeycloak.ts) - Intelligent base URL detection (production vs development) - Force HTTPS redirect URIs in production environments - Enhanced debugging and logging capabilities - Proper PKCE implementation for security - Automatic token refresh mechanism ### 3. Dual Authentication System - Updated middleware to support both Directus and Keycloak - Enhanced useUnifiedAuth for seamless auth source switching - Maintains backward compatibility with existing Directus users ### 4. OAuth Flow Implementation - Created proper callback handler (pages/auth/callback.vue) - Comprehensive error handling and user feedback - Automatic redirect to dashboard on success ### 5. Enhanced Login Experience (pages/login.vue) - Restored SSO login button with proper error handling - Maintained existing Directus login form - Clear separation between auth methods with visual divider ### 6. Comprehensive Testing Suite (pages/dashboard/keycloak-test.vue) - Real-time configuration display - Authentication status monitoring - Interactive testing tools - Detailed debug logging system ## Technical Solutions: **Proxy Detection**: Automatically detects nginx proxy and uses correct HTTPS URLs **HTTPS Enforcement**: Forces secure redirect URIs in production **Error Handling**: Comprehensive error catching with user-friendly messages **Debug Capabilities**: Enhanced logging for troubleshooting **Security**: Implements PKCE and secure token handling ## Infrastructure Compatibility: - Works with nginx reverse proxy setups - Compatible with Docker container networking - Handles SSL termination at proxy level - Supports both development and production environments This implementation specifically addresses the HTTP/HTTPS redirect URI mismatch that was causing 'unauthorized_client' errors in the proxy environment.
2025-06-14 15:26:26 +02:00
})
logDebug('Keycloak initialization result', {
authenticated,
Fix Keycloak CORS and iframe issues for cross-domain authentication CRITICAL FIX: Resolve SSO login endless loading and CORS errors ## Issues Resolved: ### 1. CORS Policy Violations - Disabled checkLoginIframe (causes cross-origin iframe errors) - Removed silentCheckSsoRedirectUri (blocked by modern browsers) - Disabled checkLoginIframeInterval to prevent 3rd party cookie checks ### 2. Cross-Domain Compatibility - Set responseMode to 'query' for better proxy compatibility - Configured standard flow instead of implicit - Added proper timeout handling (messageReceiveTimeout: 10000) - Enhanced debug logging for troubleshooting ### 3. Redirect URI Consistency - Fixed login() to use proper baseUrl for redirect URIs - Ensures HTTPS URLs in production environment - Consistent URL generation across initialization and login ### 4. Browser Security Compliance - Disabled enableLogging to reduce console noise - Removed iframe-based features that modern browsers block - Maintained PKCE (S256) for security while fixing compatibility ## Technical Details: The previous errors were caused by Keycloak trying to use: - /protocol/openid-connect/3p-cookies/step1.html - /protocol/openid-connect/login-status-iframe.html These are blocked by browsers' cross-origin policies when the app and Keycloak are on different domains (client.portnimara.dev vs auth.portnimara.dev). This fix disables these problematic features while maintaining full OAuth functionality and security. The SSO login should now work without endless loading issues.
2025-06-14 15:38:40 +02:00
redirectUri: `${baseUrl}/auth/callback`,
checkLoginIframe: false,
silentSso: 'disabled'
MAJOR: Replace nuxt-openid-connect with official Keycloak JS adapter - Remove problematic nuxt-openid-connect module that was causing OAuth issues - Install and implement official keycloak-js adapter for better reliability - Create new useKeycloak composable with proper token management - Update useUnifiedAuth to work with new Keycloak implementation - Fix authentication middleware to support both auth methods - Update login page to use new Keycloak login function - Clean up configuration and remove deprecated OIDC settings - This should resolve all the HTTP/HTTPS redirect and token exchange issues
2025-06-14 14:50:29 +02:00
})
isAuthenticated.value = authenticated
isInitialized.value = true
if (authenticated && keycloak.value.token) {
token.value = keycloak.value.token || null
user.value = {
id: keycloak.value.subject,
username: keycloak.value.tokenParsed?.preferred_username,
email: keycloak.value.tokenParsed?.email,
firstName: keycloak.value.tokenParsed?.given_name,
lastName: keycloak.value.tokenParsed?.family_name,
fullName: keycloak.value.tokenParsed?.name,
roles: keycloak.value.tokenParsed?.realm_access?.roles || [],
}
// Set up token refresh
keycloak.value.onTokenExpired = () => {
keycloak.value?.updateToken(30).then((refreshed) => {
if (refreshed) {
token.value = keycloak.value?.token || null
console.log('Token refreshed')
} else {
console.log('Token still valid')
}
}).catch(() => {
console.log('Failed to refresh token')
logout()
})
}
}
return authenticated
} catch (error) {
console.error('Failed to initialize Keycloak:', error)
isInitialized.value = true
return false
}
}
const login = async () => {
if (!keycloak.value) {
await initKeycloak()
}
if (keycloak.value) {
try {
Fix Keycloak CORS and iframe issues for cross-domain authentication CRITICAL FIX: Resolve SSO login endless loading and CORS errors ## Issues Resolved: ### 1. CORS Policy Violations - Disabled checkLoginIframe (causes cross-origin iframe errors) - Removed silentCheckSsoRedirectUri (blocked by modern browsers) - Disabled checkLoginIframeInterval to prevent 3rd party cookie checks ### 2. Cross-Domain Compatibility - Set responseMode to 'query' for better proxy compatibility - Configured standard flow instead of implicit - Added proper timeout handling (messageReceiveTimeout: 10000) - Enhanced debug logging for troubleshooting ### 3. Redirect URI Consistency - Fixed login() to use proper baseUrl for redirect URIs - Ensures HTTPS URLs in production environment - Consistent URL generation across initialization and login ### 4. Browser Security Compliance - Disabled enableLogging to reduce console noise - Removed iframe-based features that modern browsers block - Maintained PKCE (S256) for security while fixing compatibility ## Technical Details: The previous errors were caused by Keycloak trying to use: - /protocol/openid-connect/3p-cookies/step1.html - /protocol/openid-connect/login-status-iframe.html These are blocked by browsers' cross-origin policies when the app and Keycloak are on different domains (client.portnimara.dev vs auth.portnimara.dev). This fix disables these problematic features while maintaining full OAuth functionality and security. The SSO login should now work without endless loading issues.
2025-06-14 15:38:40 +02:00
const baseUrl = getBaseUrl()
logDebug('Starting login', { redirectUri: `${baseUrl}/dashboard` })
MAJOR: Replace nuxt-openid-connect with official Keycloak JS adapter - Remove problematic nuxt-openid-connect module that was causing OAuth issues - Install and implement official keycloak-js adapter for better reliability - Create new useKeycloak composable with proper token management - Update useUnifiedAuth to work with new Keycloak implementation - Fix authentication middleware to support both auth methods - Update login page to use new Keycloak login function - Clean up configuration and remove deprecated OIDC settings - This should resolve all the HTTP/HTTPS redirect and token exchange issues
2025-06-14 14:50:29 +02:00
await keycloak.value.login({
Fix Keycloak CORS and iframe issues for cross-domain authentication CRITICAL FIX: Resolve SSO login endless loading and CORS errors ## Issues Resolved: ### 1. CORS Policy Violations - Disabled checkLoginIframe (causes cross-origin iframe errors) - Removed silentCheckSsoRedirectUri (blocked by modern browsers) - Disabled checkLoginIframeInterval to prevent 3rd party cookie checks ### 2. Cross-Domain Compatibility - Set responseMode to 'query' for better proxy compatibility - Configured standard flow instead of implicit - Added proper timeout handling (messageReceiveTimeout: 10000) - Enhanced debug logging for troubleshooting ### 3. Redirect URI Consistency - Fixed login() to use proper baseUrl for redirect URIs - Ensures HTTPS URLs in production environment - Consistent URL generation across initialization and login ### 4. Browser Security Compliance - Disabled enableLogging to reduce console noise - Removed iframe-based features that modern browsers block - Maintained PKCE (S256) for security while fixing compatibility ## Technical Details: The previous errors were caused by Keycloak trying to use: - /protocol/openid-connect/3p-cookies/step1.html - /protocol/openid-connect/login-status-iframe.html These are blocked by browsers' cross-origin policies when the app and Keycloak are on different domains (client.portnimara.dev vs auth.portnimara.dev). This fix disables these problematic features while maintaining full OAuth functionality and security. The SSO login should now work without endless loading issues.
2025-06-14 15:38:40 +02:00
redirectUri: `${baseUrl}/dashboard`
MAJOR: Replace nuxt-openid-connect with official Keycloak JS adapter - Remove problematic nuxt-openid-connect module that was causing OAuth issues - Install and implement official keycloak-js adapter for better reliability - Create new useKeycloak composable with proper token management - Update useUnifiedAuth to work with new Keycloak implementation - Fix authentication middleware to support both auth methods - Update login page to use new Keycloak login function - Clean up configuration and remove deprecated OIDC settings - This should resolve all the HTTP/HTTPS redirect and token exchange issues
2025-06-14 14:50:29 +02:00
})
} catch (error) {
console.error('Login failed:', error)
Fix Keycloak CORS and iframe issues for cross-domain authentication CRITICAL FIX: Resolve SSO login endless loading and CORS errors ## Issues Resolved: ### 1. CORS Policy Violations - Disabled checkLoginIframe (causes cross-origin iframe errors) - Removed silentCheckSsoRedirectUri (blocked by modern browsers) - Disabled checkLoginIframeInterval to prevent 3rd party cookie checks ### 2. Cross-Domain Compatibility - Set responseMode to 'query' for better proxy compatibility - Configured standard flow instead of implicit - Added proper timeout handling (messageReceiveTimeout: 10000) - Enhanced debug logging for troubleshooting ### 3. Redirect URI Consistency - Fixed login() to use proper baseUrl for redirect URIs - Ensures HTTPS URLs in production environment - Consistent URL generation across initialization and login ### 4. Browser Security Compliance - Disabled enableLogging to reduce console noise - Removed iframe-based features that modern browsers block - Maintained PKCE (S256) for security while fixing compatibility ## Technical Details: The previous errors were caused by Keycloak trying to use: - /protocol/openid-connect/3p-cookies/step1.html - /protocol/openid-connect/login-status-iframe.html These are blocked by browsers' cross-origin policies when the app and Keycloak are on different domains (client.portnimara.dev vs auth.portnimara.dev). This fix disables these problematic features while maintaining full OAuth functionality and security. The SSO login should now work without endless loading issues.
2025-06-14 15:38:40 +02:00
logDebug('Login error', error)
MAJOR: Replace nuxt-openid-connect with official Keycloak JS adapter - Remove problematic nuxt-openid-connect module that was causing OAuth issues - Install and implement official keycloak-js adapter for better reliability - Create new useKeycloak composable with proper token management - Update useUnifiedAuth to work with new Keycloak implementation - Fix authentication middleware to support both auth methods - Update login page to use new Keycloak login function - Clean up configuration and remove deprecated OIDC settings - This should resolve all the HTTP/HTTPS redirect and token exchange issues
2025-06-14 14:50:29 +02:00
throw error
}
}
}
const logout = async () => {
if (keycloak.value) {
try {
await keycloak.value.logout({
redirectUri: window.location.origin
})
} catch (error) {
console.error('Logout failed:', error)
}
}
// Clear local state
isAuthenticated.value = false
user.value = null
token.value = null
}
const getToken = () => {
return token.value
}
const hasRole = (role: string) => {
return user.value?.roles?.includes(role) || false
}
const hasAnyRole = (roles: string[]) => {
return roles.some(role => hasRole(role))
}
return {
keycloak: readonly(keycloak),
isAuthenticated: readonly(isAuthenticated),
user: readonly(user),
token: readonly(token),
isInitialized: readonly(isInitialized),
initKeycloak,
login,
logout,
getToken,
hasRole,
hasAnyRole,
}
}