MAJOR: Replace keycloak-js with nuxt-oidc-auth for seamless SSO integration

## **SOLUTION: Migrate to Server-Side OIDC Authentication** This completely replaces the problematic keycloak-js client-side implementation with nuxt-oidc-auth, eliminating all CORS and iframe issues. ### **Benefits:** - **No more CORS errors** - Server-side OAuth flow - **No iframe dependencies** - Eliminates cross-domain issues - **Works with nginx proxy** - No proxy configuration conflicts - **Better security** - Tokens handled server-side - **Cleaner integration** - Native Nuxt patterns - **Maintains Directus compatibility** - Dual auth support ### **Installation & Configuration:** - Added uxt-oidc-auth module to nuxt.config.ts - Configured Keycloak provider with proper OIDC settings - Updated environment variables for security keys ### **Code Changes:** #### **Authentication Flow:** - **middleware/authentication.ts** - Updated to check both Directus + OIDC auth - **composables/useUnifiedAuth.ts** - Migrated to use useOidcAuth() - **pages/login.vue** - Updated SSO button to use oidcLogin('keycloak') #### **Configuration:** - **nuxt.config.ts** - Added OIDC provider configuration - **.env.example** - Updated with nuxt-oidc-auth environment variables - Removed old Keycloak runtime config #### **Cleanup:** - Removed keycloak-js dependency from package.json - Deleted obsolete files: - composables/useKeycloak.ts - pages/auth/callback.vue - server/utils/keycloak-oauth.ts - server/api/debug/ directory ### **Authentication Routes (Auto-Generated):** - /auth/keycloak/login - SSO login endpoint - /auth/keycloak/logout - SSO logout endpoint - /auth/keycloak/callback - OAuth callback (handled automatically) ### **Security Setup Required:** Environment variables needed for production: - NUXT_OIDC_PROVIDERS_KEYCLOAK_CLIENT_SECRET - NUXT_OIDC_TOKEN_KEY (base64 encoded 32-byte key) - NUXT_OIDC_SESSION_SECRET (48-character random string) - NUXT_OIDC_AUTH_SESSION_SECRET (48-character random string) ### **Expected Results:** SSO login should work without CORS errors Compatible with nginx proxy setup Maintains existing Directus authentication Server-side session management Automatic token refresh Ready for container rebuild and production testing!
2025-06-14 15:58:03 +02:00
parent c29f64b50b
commit 0ae190b255
12 changed files with 1693 additions and 779 deletions
--- a/server/api/debug/oidc-config.ts
+++ b/server/api/debug/oidc-config.ts
@@ -1,30 +0,0 @@
-export default defineEventHandler((event) => {
-  const config = useRuntimeConfig()
-  
-  // Return the OIDC configuration (without showing the actual secret)
-  return {
-    // Runtime config
-    runtime: {
-      issuer: config.openidConnect?.op?.issuer || 'NOT_SET',
-      clientId: config.openidConnect?.op?.clientId || 'NOT_SET',
-      clientSecret: config.openidConnect?.op?.clientSecret ? '***SET***' : 'NOT_SET',
-      secretLength: config.openidConnect?.op?.clientSecret?.length || 0,
-    },
-    // Build-time config (what the module actually uses)
-    buildTime: {
-      issuer: process.env.KEYCLOAK_ISSUER || 'NOT_SET',
-      clientId: process.env.KEYCLOAK_CLIENT_ID || 'NOT_SET',
-      clientSecret: process.env.KEYCLOAK_CLIENT_SECRET ? '***SET***' : 'NOT_SET',
-      secretLength: process.env.KEYCLOAK_CLIENT_SECRET?.length || 0,
-    },
-    environment: process.env.NODE_ENV,
-    envVars: {
-      KEYCLOAK_ISSUER: process.env.KEYCLOAK_ISSUER ? '***SET***' : 'NOT_SET',
-      KEYCLOAK_CLIENT_ID: process.env.KEYCLOAK_CLIENT_ID ? '***SET***' : 'NOT_SET', 
-      KEYCLOAK_CLIENT_SECRET: process.env.KEYCLOAK_CLIENT_SECRET ? '***SET***' : 'NOT_SET',
-      OIDC_SESSION_SECRET: process.env.OIDC_SESSION_SECRET ? '***SET***' : 'NOT_SET',
-      OIDC_ENCRYPT_KEY: process.env.OIDC_ENCRYPT_KEY ? '***SET***' : 'NOT_SET',
-      OIDC_ENCRYPT_IV: process.env.OIDC_ENCRYPT_IV ? '***SET***' : 'NOT_SET',
-    }
-  }
-})
--- a/server/api/debug/test-token-exchange.ts
+++ b/server/api/debug/test-token-exchange.ts
@@ -1,37 +0,0 @@
-export default defineEventHandler(async (event) => {
-  // Test the actual token exchange that's failing
-  const config = useRuntimeConfig()
-  
-  const testCode = "test-code-123" // We won't use this for real exchange, just test setup
-  
-  const tokenRequest = {
-    grant_type: 'authorization_code',
-    client_id: process.env.KEYCLOAK_CLIENT_ID,
-    client_secret: process.env.KEYCLOAK_CLIENT_SECRET,
-    code: testCode,
-    redirect_uri: 'https://client.portnimara.dev/oidc/cbt',
-  }
-  
-  return {
-    message: "Token exchange test configuration",
-    issuer: process.env.KEYCLOAK_ISSUER,
-    tokenEndpoint: `${process.env.KEYCLOAK_ISSUER}/protocol/openid-connect/token`,
-    clientId: process.env.KEYCLOAK_CLIENT_ID,
-    clientSecretLength: process.env.KEYCLOAK_CLIENT_SECRET?.length || 0,
-    redirectUri: 'https://client.portnimara.dev/oidc/cbt',
-    requestPayload: {
-      grant_type: tokenRequest.grant_type,
-      client_id: tokenRequest.client_id,
-      client_secret: tokenRequest.client_secret ? '***MASKED***' : 'NOT_SET',
-      code: 'test-code-will-be-replaced',
-      redirect_uri: tokenRequest.redirect_uri,
-    },
-    // Test the actual HTTP vs HTTPS issue
-    environment: {
-      NODE_ENV: process.env.NODE_ENV,
-      headers: getHeaders(event),
-      host: getHeader(event, 'host'),
-      protocol: getHeader(event, 'x-forwarded-proto') || 'http',
-    }
-  }
-})