fix: support authentication with Open ID using Keycloak (#669) #none

* Changes for authentication with Open ID using Keycloak * Select authentication method * fix: missing params * fix: minor update --------- Co-authored-by: Sara <sara.jimenez@nuvu.cc>
Cinnamon · Feb 14, 2025 · 647d0a4 · 647d0a4
1 parent e3921f7
commit 647d0a4
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 10 deletions.
diff --git a/.env.example b/.env.example
@@ -40,3 +40,16 @@ PDF_SERVICES_CLIENT_SECRET=
 
 # settings for PDF.js
 PDFJS_VERSION_DIST="pdfjs-4.0.379-dist"
+
+# variable for authentication method selection
+# for authentication with google leave empty
+# for authentication with keycloak :
+# AUTHENTICATION_METHOD="KEYCLOAK"
+
+AUTHENTICATION_METHOD=
+
+# settings for keycloak
+KEYCLOAK_SERVER_URL=
+KEYCLOAK_CLIENT_ID=
+KEYCLOAK_REALM=
+KEYCLOAK_CLIENT_SECRET=
diff --git a/sso_app.py b/sso_app.py
@@ -8,31 +8,58 @@
 
 KH_APP_DATA_DIR = getattr(flowsettings, "KH_APP_DATA_DIR", ".")
 GRADIO_TEMP_DIR = os.getenv("GRADIO_TEMP_DIR", None)
+AUTHENTICATION_METHOD = config("AUTHENTICATION_METHOD")
+
 # override GRADIO_TEMP_DIR if it's not set
 if GRADIO_TEMP_DIR is None:
     GRADIO_TEMP_DIR = os.path.join(KH_APP_DATA_DIR, "gradio_tmp")
     os.environ["GRADIO_TEMP_DIR"] = GRADIO_TEMP_DIR
 
-
+# for authentication with Google
 GOOGLE_CLIENT_ID = config("GOOGLE_CLIENT_ID", default="")
 GOOGLE_CLIENT_SECRET = config("GOOGLE_CLIENT_SECRET", default="")
 
+# for authentication with Open ID by keycloak
+KEYCLOAK_SERVER_URL = config("KEYCLOAK_SERVER_URL")
+KEYCLOAK_REALM = config("KEYCLOAK_REALM")
+KEYCLOAK_CLIENT_ID = config("KEYCLOAK_CLIENT_ID")
+KEYCLOAK_CLIENT_SECRET = config("KEYCLOAK_CLIENT_SECRET")
 
 from ktem.main import App  # noqa
 
 gradio_app = App()
 demo = gradio_app.make()
 
 app = FastAPI()
-grlogin.register(
-    name="google",
-    server_metadata_url="https://accounts.google.com/.well-known/openid-configuration",
-    client_id=GOOGLE_CLIENT_ID,
-    client_secret=GOOGLE_CLIENT_SECRET,
-    client_kwargs={
-        "scope": "openid email profile",
-    },
-)
+
+if AUTHENTICATION_METHOD == "KEYCLOAK":
+    # for authentication with Open ID by keycloak
+    grlogin.register(
+        name="keycloak",
+        server_metadata_url=(
+            f"{KEYCLOAK_SERVER_URL}/realms/{KEYCLOAK_REALM}/"
+            ".well-known/openid-configuration"
+        ),
+        client_id=KEYCLOAK_CLIENT_ID,
+        client_secret=KEYCLOAK_CLIENT_SECRET,
+        client_kwargs={
+            "scope": "openid email profile",
+        },
+    )
+
+else:
+    # for authentication with Google
+    grlogin.register(
+        name="google",
+        server_metadata_url=(
+            "https://accounts.google.com/.well-known/openid-configuration"
+        ),
+        client_id=GOOGLE_CLIENT_ID,
+        client_secret=GOOGLE_CLIENT_SECRET,
+        client_kwargs={
+            "scope": "openid email profile",
+        },
+    )
 
 
 @app.get("/favicon.ico", include_in_schema=False)