matt/port-nimara-client-portal
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

MAJOR: Replace keycloak-js with nuxt-oidc-auth for seamless SSO integration

Browse Source 
##  **SOLUTION: Migrate to Server-Side OIDC Authentication**

This completely replaces the problematic keycloak-js client-side implementation
with nuxt-oidc-auth, eliminating all CORS and iframe issues.

###  **Benefits:**
- **No more CORS errors** - Server-side OAuth flow
- **No iframe dependencies** - Eliminates cross-domain issues
- **Works with nginx proxy** - No proxy configuration conflicts
- **Better security** - Tokens handled server-side
- **Cleaner integration** - Native Nuxt patterns
- **Maintains Directus compatibility** - Dual auth support

###  **Installation & Configuration:**
- Added
uxt-oidc-auth module to nuxt.config.ts
- Configured Keycloak provider with proper OIDC settings
- Updated environment variables for security keys

###  **Code Changes:**

#### **Authentication Flow:**
- **middleware/authentication.ts** - Updated to check both Directus + OIDC auth
- **composables/useUnifiedAuth.ts** - Migrated to use useOidcAuth()
- **pages/login.vue** - Updated SSO button to use oidcLogin('keycloak')

#### **Configuration:**
- **nuxt.config.ts** - Added OIDC provider configuration
- **.env.example** - Updated with nuxt-oidc-auth environment variables
- Removed old Keycloak runtime config

#### **Cleanup:**
- Removed keycloak-js dependency from package.json
- Deleted obsolete files:
  - composables/useKeycloak.ts
  - pages/auth/callback.vue
  - server/utils/keycloak-oauth.ts
  - server/api/debug/ directory

###  **Authentication Routes (Auto-Generated):**
- /auth/keycloak/login - SSO login endpoint
- /auth/keycloak/logout - SSO logout endpoint
- /auth/keycloak/callback - OAuth callback (handled automatically)

###  **Security Setup Required:**
Environment variables needed for production:
- NUXT_OIDC_PROVIDERS_KEYCLOAK_CLIENT_SECRET
- NUXT_OIDC_TOKEN_KEY (base64 encoded 32-byte key)
- NUXT_OIDC_SESSION_SECRET (48-character random string)
- NUXT_OIDC_AUTH_SESSION_SECRET (48-character random string)

###  **Expected Results:**
 SSO login should work without CORS errors
 Compatible with nginx proxy setup
 Maintains existing Directus authentication
 Server-side session management
 Automatic token refresh

Ready for container rebuild and production testing!
This commit is contained in:
Matt
2025-06-14 15:58:03 +02:00
parent c29f64b50b
commit 0ae190b255
12 changed files with 1693 additions and 779 deletions
Download Patch File Download Diff File Expand all files Collapse all files

79
pages/auth/callback.vue
View File

@@ -1,79 +0,0 @@
<template>
<v-app>
<v-main>
<v-container class="fill-height" fluid>
<v-row align="center" justify="center" class="fill-height">
<v-col cols="12" class="text-center">
<v-progress-circular
:size="70"
:width="7"
color="primary"
indeterminate
></v-progress-circular>
<h3 class="mt-4">Processing authentication...</h3>
<p class="text-body-2 mt-2">Please wait while we complete your login</p>
</v-col>
</v-row>
</v-container>
</v-main>
</v-app>
</template>
<script setup lang="ts">
// Define page meta for public access (no auth required)
definePageMeta({
auth: false,
layout: false
});
// Handle OAuth callback
onMounted(async () => {
try {
const route = useRoute()
const keycloak = useKeycloak()
// Check if we have an authorization code
const code = route.query.code as string
const state = route.query.state as string
const error = route.query.error as string
if (error) {
console.error('OAuth error:', error, route.query.error_description)
throw new Error(`Authentication failed: ${error}`)
}
if (!code) {
throw new Error('No authorization code received')
}
console.log('[CALLBACK] Processing OAuth callback with code:', code.substring(0, 10) + '...')
// Initialize Keycloak if not already done
if (!keycloak.isInitialized.value) {
await keycloak.initKeycloak()
}
// Check if user is now authenticated
if (keycloak.isAuthenticated.value) {
console.log('[CALLBACK] User authenticated successfully')
// Redirect to dashboard
await navigateTo('/dashboard')
} else {
throw new Error('Authentication process failed')
}
} catch (error) {
console.error('[CALLBACK] Authentication error:', error)
// Show error and redirect to login
const toast = useToast()
toast.error('Authentication failed. Unable to complete login. Please try again.')
await navigateTo('/login')
}
})
useHead({
title: 'Authenticating...'
})
</script>

25
pages/login.vue
View File

@@ -113,10 +113,10 @@ definePageMeta({
});
// Directus auth
const { login } = useDirectusAuth();
const { login: directusLogin } = useDirectusAuth();
// Keycloak auth
const keycloak = useKeycloak();
// OIDC auth (Keycloak)
const { login: oidcLogin } = useOidcAuth();
const loading = ref(false);
const keycloakLoading = ref(false);
@@ -128,24 +128,17 @@ const passwordVisible = ref(false);
const valid = ref(false);
// Keycloak login function with proper error handling
// SSO login function using nuxt-oidc-auth
const loginWithKeycloak = async () => {
try {
keycloakLoading.value = true;
console.log('[LOGIN] Starting SSO authentication via nuxt-oidc-auth...');
console.log('[LOGIN] Starting Keycloak authentication...');
// Initialize Keycloak first if needed
if (!keycloak.isInitialized.value) {
console.log('[LOGIN] Initializing Keycloak...');
await keycloak.initKeycloak();
}
// Perform login
await keycloak.login();
// nuxt-oidc-auth handles everything server-side, no CORS issues!
await oidcLogin('keycloak');
} catch (error) {
console.error('[LOGIN] Keycloak login error:', error);
console.error('[LOGIN] SSO login error:', error);
const toast = useToast();
toast.error('SSO login failed. Please try again or use email/password login.');
@@ -159,7 +152,7 @@ const loginWithKeycloak = async () => {
const submit = async () => {
try {
loading.value = true;
await login({ email: emailAddress.value, password: password.value });
await directusLogin({ email: emailAddress.value, password: password.value });
return navigateTo("/dashboard");
} catch (error) {
errorThrown.value = true;