diff --git a/client/components/main/layouts.js b/client/components/main/layouts.js index 9d376ff6a..220624f22 100644 --- a/client/components/main/layouts.js +++ b/client/components/main/layouts.js @@ -54,46 +54,37 @@ Template.userFormsLayout.onCreated(function() { } }); - Meteor.call('isOidcRedirectionEnabled', (_, result) => { - serviceName = 'oidc'; - if (result) { - if(Session.get("tmp") && ((Math.floor(Date.now() / 1000) - Session.get("tmp") < 5) )) + if(!Meteor.user()?.profile) + { + + Meteor.call('isOidcRedirectionEnabled', (_, result) => { + serviceName = 'oidc'; + if (result) { - window.location.reload(true); - console.log(Meteor.user().profile); - } - else - { - Session.set("tmp", Math.floor(Date.now() / 1000)); - console.log("Säschön", Session.get("tmp")); methodName = "loginWithOidc"; var loginWithService = Meteor[methodName]; AccountsTemplates.options.socialLoginStyle = 'redirect'; options = { - loginStyle: AccountsTemplates.options.socialLoginStyle, + loginStyle: AccountsTemplates.options.socialLoginStyle, }; - console.log("keys", options); loginWithService(options, function(err) { AccountsTemplates.setDisabled(false); if (err && err instanceof Accounts.LoginCancelledError) { - console.log("login cancelled"); } else if (err && err instanceof ServiceConfiguration.ConfigError) { - console.log("service config"); if (Accounts._loginButtonsSession) return Accounts._loginButtonsSession.configureService('oidc'); } else { - console.log("else_block"); AccountsTemplates.submitCallback(err, state); } - }); + }); } - } - else console.log("kein result"); - }); + else console.log("oidc redirect not set"); + }); + } Meteor.call('isDisableRegistration', (_, result) => { if (result) { $('.at-signup-link').hide(); 
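Review bot: `serviceName = 'oidc';` in the re-added callback, like the surrounding `methodName = "loginWithOidc";` and `options = { … }`, is assigned without a declaration, so unless these names are declared earlier in onCreated (whose body starts outside this hunk) they become implicit globals shared across template instances; `const loginWithService = Meteor.loginWithOidc;` and `const options = { loginStyle: AccountsTemplates.options.socialLoginStyle };` would keep them local and drop the `Meteor[methodName]` indirection. The removed Session "tmp" timestamp check was the only thing limiting repeated redirects; the new `!Meteor.user()?.profile` gate only stops once a user with a profile exists, so a provider that yields a user without a profile would presumably trigger the redirect again on every onCreated — worth confirming with the OIDC profile mapping. `else console.log("oidc redirect not set")` prints on every page load for deployments without redirection; drop it or make it a comment.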
@@ -326,7 +317,6 @@ Template.userFormsLayout.events({ event.preventDefault(); }, 'click #at-btn'(event, templateInstance) { - console.log("hello"); if (FlowRouter.getRouteName() === 'atSignIn') { templateInstance.isLoading.set(true); authentication(event, templateInstance).then(() => { diff --git a/config/accounts.js b/config/accounts.js index 987aabaf0..0d2515a46 100644 --- a/config/accounts.js +++ b/config/accounts.js @@ -3,7 +3,16 @@ const emailField = AccountsTemplates.removeField('email'); let disableRegistration = false; let disableForgotPassword = false; let passwordLoginDisabled = false; -let oidcEnabled = false; +let oidcRedirectionEnabled = false; +let oauthServerUrl = "home"; +let oauthDashboardUrl = ""; + +Meteor.call('isOidcRedirectionEnabled', (_, result) => { + if(result) + { + oidcRedirectionEnabled = true; + } +}); Meteor.call('isPasswordLoginDisabled', (_, result) => { if (result) { @@ -12,15 +21,17 @@ Meteor.call('isPasswordLoginDisabled', (_, result) => { //console.log(result); } }); + Meteor.call('getOauthServerUrl', (_, result) => { if (result) { oauthServerUrl = result; - const a = document.createElement("a"); - a.href = oauthServerUrl; - const baseUrl = `${a.protocol}//${a.hostname}`; - console.log(baseUrl); } - else oauthServerUrl = "home"; +}); + +Meteor.call('getOauthDashboardUrl', (_, result) => { + if (result) { + oauthDashboardUrl = result; + } }); Meteor.call('isDisableRegistration', (_, result) => { @@ -30,9 +41,7 @@ Meteor.call('isDisableRegistration', (_, result) => { //console.log(result); } }); -Meteor.call('isOidcRedirectionEnabled', (_, result) => { - oidcEnabled = result ? true : false; -}); + Meteor.call('isDisableForgotPassword', (_, result) => { if (result) { disableForgotPassword = true; 
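Review bot: The new getOauthServerUrl and getOauthDashboardUrl callbacks name the error argument `_` and never inspect it, so a failed method call is indistinguishable from an unset setting and `oauthServerUrl` silently keeps the `"home"` initializer added in the hunk above; since that value is later concatenated into the logout redirect target in onLogoutHook, surface the failure instead: `Meteor.call('getOauthServerUrl', (err, result) => {` followed by `if (err) { console.error('getOauthServerUrl failed', err); return; }`. The same applies to the new isOidcRedirectionEnabled call in the first config/accounts.js hunk. The initializer `"home"` is a FlowRouter route name doubling as a "not loaded" sentinel for a URL variable; a comment such as `// "home" = server URL not received yet; onLogoutHook must not redirect in that state` would make the contract explicit wherever it is checked.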
@@ -70,17 +79,19 @@ AccountsTemplates.configure({
 showForgotPasswordLink: !disableForgotPassword,
 forbidClientAccountCreation: disableRegistration,
 onLogoutHook() {
- if(oidcEnabled && oauthServerUrl!=="home")
+ // here comeslogic for redirect
+ if(oidcRedirectionEnabled)
 {
-
- oidcEnabled = !oidcEnabled;
- window.location.href = oauthServerUrl + "/if/user/#/library";
+ window.location = oauthServerUrl + oauthDashboardUrl;
 }
- const homePage = 'home';
- if (FlowRouter.getRouteName() === homePage) {
- FlowRouter.reload();
- } else {
- FlowRouter.go(homePage);
+ else
+ {
+ const homePage = 'home';
+ if (FlowRouter.getRouteName() === homePage) {
+ FlowRouter.reload();
+ } else {
+ FlowRouter.go(homePage);
+ }
 }
 },
 });
diff --git a/models/settings.js b/models/settings.js
index ea264e74e..4d8fb2a8e 100644
--- a/models/settings.js
+++ b/models/settings.js
@@ -508,8 +508,7 @@ if (Meteor.isServer) {
 return process.env.PASSWORD_LOGIN_ENABLED === 'false';
 },
 isOidcRedirectionEnabled(){
- console.log(process.env.REDIRECT_LOGIN_LOGOUT_TO_OIDC === 'true');
- return process.env.REDIRECT_LOGIN_LOGOUT_TO_OIDC === 'true';
+ return process.env.OIDC_REDIRECTION_ENABLED === 'true';
 },
 });
 }
diff --git a/packages/wekan-oidc/README.md b/packages/wekan-oidc/README.md
index 2dddc206d..8a1c5721d 100644
--- a/packages/wekan-oidc/README.md
+++ b/packages/wekan-oidc/README.md
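Review bot: `window.location = oauthServerUrl + oauthDashboardUrl;` now runs whenever `oidcRedirectionEnabled` is true, even while `oauthServerUrl` still holds its `"home"` initializer or `oauthDashboardUrl` is still `""`, because both are only filled in by asynchronous Meteor.call callbacks; the old condition's `oauthServerUrl !== "home"` guard was dropped, so a slow or failed getOauthServerUrl turns the logout redirect into a relative navigation to `home/…` instead of falling through to the FlowRouter branch. Restore the check, `if(oidcRedirectionEnabled && oauthServerUrl !== "home")`, or better verify once that `oauthServerUrl` parses as an absolute URL before using it as a redirect target, so the local home route remains the fallback. The added comment `// here comeslogic for redirect` has a typo and explains nothing; `// With OIDC redirection on, send the user to the provider's end-session page instead of the local home route` would document the intent.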
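Review bot: Renaming the environment variable read in isOidcRedirectionEnabled from `REDIRECT_LOGIN_LOGOUT_TO_OIDC` to `OIDC_REDIRECTION_ENABLED` is a breaking configuration change: deployments still setting the old name silently lose redirection, and neither the method nor the README hunk in this diff mentions the rename. Either accept both names for a transition period, `return process.env.OIDC_REDIRECTION_ENABLED === 'true' || process.env.REDIRECT_LOGIN_LOGOUT_TO_OIDC === 'true';`, or document the rename where the variable is listed; returning a strict boolean rather than the raw env string, as the new line does, is the right shape for a method reachable from the unauthenticated login layout. The enclosing object literal starts outside the hunk.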
@@ -47,6 +47,26 @@ See example below: NOTE: orgs & teams won't be updated if they already exist. - 5. Manages admin rights as well. If user is in Group which has isAdmin: set to true, user will get admin - privileges in Wekan as well. + 5. Manages admin rights as well. If user is in Group which has isAdmin: set to true, user will get admin + privileges in Wekan as well. If no adjustments (e.g. 1-3) are made on oidc provider's side, user will receive his/her admin rights from before. + +## For further empowerment of oidc as sso solution + +If you want to be redirected to your oidc provider on LOGIN without going the extra loop of signing in. +On LOGOUT you will be redirected to the oidc provider as well. + +Add to your .env file: + +OIDC_REDIRECTION_ENABLED=true +OAUTH2_SERVER_URL=http://localhost:9000 +DASHBOARD_URL=/if/session-end/wekan/ + +Example for authentik. +The latter specifies the OIDC Dashboard you'll get redirected on logout + +Flow: +You need to have an oidc provider configured to get this feature +Make sure to have +Authorize Application (default-provider-authorization-implicit-consent) +enabled diff --git a/packages/wekan-oidc/oidc_client.js b/packages/wekan-oidc/oidc_client.js index ba1e8329e..6da9d9f0e 100644 --- a/packages/wekan-oidc/oidc_client.js +++ b/packages/wekan-oidc/oidc_client.js @@ -7,8 +7,6 @@ Oidc = {}; // error. Oidc.requestCredential = function (options, credentialRequestCompleteCallback) { // support both (options, callback) and (callback). - console.log("from client"); - console.log(options); if (!credentialRequestCompleteCallback && typeof options === 'function') { credentialRequestCompleteCallback = options; options = {}; 
@@ -57,14 +55,13 @@ Oidc.requestCredential = function (options, credentialRequestCompleteCallback) { width: options.popupOptions.width || 320, height: options.popupOptions.height || 450 }; - OAuth.saveDataForRedirect(options.loginService, options.credentialToken); - Accounts.oauth.tryLoginAfterPopupClosed(credentialToken, credentialRequestCompleteCallback); - // OAuth.launchLogin({ - // loginService: 'oidc', - // loginStyle: loginStyle, - // loginUrl: loginUrl, - // credentialRequestCompleteCallback: credentialRequestCompleteCallback, - // credentialToken: credentialToken, - // popupOptions: popupOptions, - // }); + + OAuth.launchLogin({ + loginService: 'oidc', + loginStyle: loginStyle, + loginUrl: loginUrl, + credentialRequestCompleteCallback: credentialRequestCompleteCallback, + credentialToken: credentialToken, + popupOptions: popupOptions, + }); }; diff --git a/packages/wekan-oidc/oidc_server.js b/packages/wekan-oidc/oidc_server.js index c76284673..aa2c09a46 100644 --- a/packages/wekan-oidc/oidc_server.js +++ b/packages/wekan-oidc/oidc_server.js @@ -19,8 +19,6 @@ var serviceData = {}; var userinfo = {}; OAuth.registerService('oidc', 2, null, function (query) { - console.log(Date.now()); - console.log("query: ", query); var debug = process.env.DEBUG || false; var token = getToken(query);