Hi, we have been working on the usage of a SSO extension, allowing a front-end that has users authenticated at an identity provider known to a moqui backend, to transparently accessing that moqui backend with the granted permissions as defined by the identity provider.
These requires changes at both, the moqui-sso component and at the Framework.
One aspect that could be improved limiting the moqui session duration.
The changes are in following pull requests:
Could you please explain it with a use case example?
An example would be following:
A front-end system authenticates a user with credentials stored in a Keycloak server, interacts with the user and eventually needs to access a moqui REST API. The authentication data is stored in a JWT generated by the Keycloak server, which includes an access token.
The moqui instance is previously configured with data about the Keycloak server, stored in the moqui.security.sso.AuthFlow entity. This includes credentials for moqui to authenticate before the Keycloak server as a client, as well as mappings for userAccount fields and group memberships.
In order for moqui to authenticate the user, the front-end sends a header named “sso_access_token”, and optionally another header named sso_auth_flow with the identifier of the AuthFlow. With this data, moqui checks the validity of the Keycloak session and synchronizes UserAccount and GroupMembership data, logs in the user and serves the request.
This works seamlessly for the user, without the need to type in new (or same) credentials in order to gain access to the moqui back-end.
I would love to see a demo of this on a Moqui call if you’re up for it
I know of 3 companies that have built a keycloak integration to some degree. It’s probably worth coming together and sharing effort on keycloak integrations.
Dear @jenshp ,
I’m still a little unclear about the sso flow in moqui, if I have a keycloak server running independently of moqui, will I use that keycloak server to generate sso-token to login to moqui?
I’m using Keycloak as authenticated server, after successful authenticated, Moqui server will return accessToken to client/browser, then client will append accessToken to requestHeader with headerName=sso_access_token to call api resource to fetch or push data. However, if I do it this way, each request call API, moqui server will access to database to fetch data from UserAccount table and maybe update this table if detect data changing, it will lead to server overload. Did you have this problem and how to resolve it?
Note: I disable using JSSESSIONID in cookie, because my API is used for both webapp and mobile app
I have not reviewed it in detail, but the moqui server should be using the cached data and only access the database occasionally or when there is something to update.