MAJOR: Replace keycloak-js with nuxt-oidc-auth for seamless SSO integration
## **SOLUTION: Migrate to Server-Side OIDC Authentication**
This completely replaces the problematic keycloak-js client-side implementation
with nuxt-oidc-auth, eliminating all CORS and iframe issues.
### **Benefits:**
- **No more CORS errors** - Server-side OAuth flow
- **No iframe dependencies** - Eliminates cross-domain issues
- **Works with nginx proxy** - No proxy configuration conflicts
- **Better security** - Tokens handled server-side
- **Cleaner integration** - Native Nuxt patterns
- **Maintains Directus compatibility** - Dual auth support
### **Installation & Configuration:**
- Added
uxt-oidc-auth module to nuxt.config.ts
- Configured Keycloak provider with proper OIDC settings
- Updated environment variables for security keys
### **Code Changes:**
#### **Authentication Flow:**
- **middleware/authentication.ts** - Updated to check both Directus + OIDC auth
- **composables/useUnifiedAuth.ts** - Migrated to use useOidcAuth()
- **pages/login.vue** - Updated SSO button to use oidcLogin('keycloak')
#### **Configuration:**
- **nuxt.config.ts** - Added OIDC provider configuration
- **.env.example** - Updated with nuxt-oidc-auth environment variables
- Removed old Keycloak runtime config
#### **Cleanup:**
- Removed keycloak-js dependency from package.json
- Deleted obsolete files:
- composables/useKeycloak.ts
- pages/auth/callback.vue
- server/utils/keycloak-oauth.ts
- server/api/debug/ directory
### **Authentication Routes (Auto-Generated):**
- /auth/keycloak/login - SSO login endpoint
- /auth/keycloak/logout - SSO logout endpoint
- /auth/keycloak/callback - OAuth callback (handled automatically)
### **Security Setup Required:**
Environment variables needed for production:
- NUXT_OIDC_PROVIDERS_KEYCLOAK_CLIENT_SECRET
- NUXT_OIDC_TOKEN_KEY (base64 encoded 32-byte key)
- NUXT_OIDC_SESSION_SECRET (48-character random string)
- NUXT_OIDC_AUTH_SESSION_SECRET (48-character random string)
### **Expected Results:**
SSO login should work without CORS errors
Compatible with nginx proxy setup
Maintains existing Directus authentication
Server-side session management
Automatic token refresh
Ready for container rebuild and production testing!
This commit is contained in:
16
.env.example
16
.env.example
@@ -21,14 +21,8 @@ NUXT_DOCUMENSO_BASE_URL=https://signatures.portnimara.dev
|
||||
# Webhook Configuration for Embedded Signing
|
||||
WEBHOOK_SECRET_SIGNING=96BQQRiKkTIN2w0rHbqo7yHggV/sT8702HtHih3uNSY=
|
||||
|
||||
# Keycloak Configuration
|
||||
KEYCLOAK_ISSUER=https://auth.portnimara.dev/realms/client-portal
|
||||
KEYCLOAK_CLIENT_ID=client-portal
|
||||
KEYCLOAK_CLIENT_SECRET=your-keycloak-client-secret
|
||||
KEYCLOAK_CALLBACK_URL=https://client.portnimara.dev/auth/callback
|
||||
# For local development, use: http://localhost:3000/auth/callback
|
||||
|
||||
# OIDC Session Configuration
|
||||
OIDC_SESSION_SECRET=your-32-character-session-secret
|
||||
OIDC_ENCRYPT_KEY=your-32-character-encryption-key
|
||||
OIDC_ENCRYPT_IV=16-char-enc-iv!
|
||||
# nuxt-oidc-auth Configuration
|
||||
NUXT_OIDC_PROVIDERS_KEYCLOAK_CLIENT_SECRET=your-keycloak-client-secret
|
||||
NUXT_OIDC_TOKEN_KEY=base64_encoded_32_byte_key
|
||||
NUXT_OIDC_SESSION_SECRET=48_character_random_string_for_session_security
|
||||
NUXT_OIDC_AUTH_SESSION_SECRET=48_character_random_string_for_auth_session
|
||||
|
||||
Reference in New Issue
Block a user