Viewers: keycloak redirect

Created on 7 Sep 2018 · 11 Comments · Source: OHIF/Viewers

Hello.
I managed to configure keycloak authentication. And it works.

If I use "loginStyle": "popup" it works as expected.

The only problem is that if I use "loginStyle": "redirect" (and I would like to use this method), even in case of a successful authentication, I'm redirected back to the login page. However, if in the browser I change the URL to http://server/studyList, I'm actually able to see the study list, and at the same time, in keycloak, the user has a session and so on.

If in /opt/ohif/bundle/programs/server/packages/oauth.js, in var config = { I _force_ the redirectUrl to "/studyList", then I'm able to use redirect login style.

Do you have any suggestion or experience?

Thanks.


All 11 comments

Hi there,

Is authRedirectUri set?

https://github.com/OHIF/Viewers/blob/33755f7b8b92e33dd45974315fb6c7fe779df8f8/Packages/ohif-user-keycloak/imports/server/setup.js#L13

There might also be a bug in this setup, though I haven't seen this behaviour myself.

This is my configuration

```javascript
{
...
  "defaultServiceType": "dimse",
  "dropCollections": true,
  "keycloak": {
    "clientId": "my-client",
    "authRedirectUrl": "/studyList",
    "sslRequired": "external",
    "loginStyle": "redirect",
    "realmPublicKey": "xxx",
    "clientSecret": "yyy"
  },
  "public": {
    "userAuthenticationRoutesEnabled": true,
    "custom": {
      "keycloak": {
        "authServerUrl": "https://keycloak:8443/auth",
        "realmName": "dcm4che",
        "adminUsername": "admin",
        "adminPassword": "xxxxxxxxxx"
      }
    },
...
}
```

It's an i, not an l in authRedirectUri. Could you change that? I apologize for the confusion.

No problem at all. My fault.
However, it seems that this option is not taken into account. Or I'm writing it in the wrong place.
This is what I can see in the browser address bar:

https://keycloak:8443/auth/realms/dcm4che/protocol/openid-connect/auth?client_id=my-client&redirect_uri=http://ohif:3000/_oauth/keycloak&state=eyJsb2dpblN0e.....

Interesting.. There might be an issue somewhere. I see it pulling the redirectUri here: https://github.com/mxab/meteor-keycloak/blob/fd34f7c29712cef3e8c20c8dcd792193ac39683e/keycloak-oauth/keycloak-client.js#L38

so maybe indeed the option isn't being used properly. I swear I've used it before, though.

In any case, the short term plan is to drop the accounts:keycloak package in favour of a generic OpenID Connect client library. There's a branch here: https://github.com/OHIF/Viewers/tree/oidc where it's in progress.

Should be fixed now, though you have to change your settings to use something like:

```javascript
"public": {
  "custom": {
    "oidc": [{
      "authServerUrl": "Your OAuth provider URL",
      "clientId": "Your OAuth ClientID",
      "authRedirectUri": "The redirect URI after the user is logged in (e.g. /studylist)",
      "postLogoutRedirectUri": "The redirect URI after the user is logged out (e.g. /)",
      "responseType": "OAuth response type, which defines which flow is used. Default is 'id_token token'. You should probably leave this as is",
      "scope": "Scope for the token request. Default 'email profile openid'. You should generally include 'oidc'"
    }]
  }
}
```

> Should be fixed now, though you have to change your settings to use something like:

Sorry, I'm totally new to keycloak and openid...
I get this _error_ in the URL

http://hostname:3000/#error=unsupported_response_type&error_description=Client+is+not+allowed+to+initiate+browser+login+with+given+response_type.+Implicit+flow+is+disabled+for+the+client.&state=b56e3b0f502b418787b302753fb9cd3f

Maybe keycloak is not configured in the right way. Do you have any hint?
Thanks.

Yep, there is an 'Implicit Flow Enabled' toggle when you set up a Keycloak client. It's disabled by default, but you need to enable it.


It works!
Thank you very much!

My console error is
[image]

So, changing the setting 'Implicit Flow Enabled' works for me! 3Q

Hello, I want to configure Ohif Viewer with dcm4che secure. But I am getting an error

Login with username password.

TypeError: OHIF.user.userLoggedIn is not a function.

Login with Keycloak.

Invalid parameter: redirect_uri

:8843/auth/realms/dcm4che/protocol/openid-connect/auth?client_id=ohif-viewer&redirect_uri=http://0.0.0.0:3300/_oauth/keycloak&state=eyJsb2dpblN0eWxlIjoicG9wdXAiLCJjcmVkZW50aWFsVG9rZW4iOiIyYVUySlBpeWYzNW5PZWszejJPUGRVR2RGcGxNQ0hOY1lBblhFNHNlV2JNIiwiaXNDb3Jkb3ZhIjpmYWxzZX0=&nonce=rGVP0srYL0LkhZnqLCPNPpJZofJSPKH6uB3hEp8HCWw&response_mode=query&response_type=code&scope=oidc:1 GET https://192.168.1.109:8843/auth/realms/dcm4che/protocol/openid-connect/auth?client_id=ohif-viewer&redirect_uri=http://0.0.0.0:3300/_oauth/keycloak&state=eyJsb2dpblN0eWxlIjoicG9wdXAiLCJjcmVkZW50aWFsVG9rZW4iOiIyYVUySlBpeWYzNW5PZWszejJPUGRVR2RGcGxNQ0hOY1lBblhFNHNlV2JNIiwiaXNDb3Jkb3ZhIjpmYWxzZX0=&nonce=rGVP0srYL0LkhZnqLCPNPpJZofJSPKH6uB3hEp8HCWw&response_mode=query&response_type=code&scope=oidc 400
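
The two Keycloak rejections reported in this thread (`unsupported_response_type` and `Invalid parameter: redirect_uri`) can be diagnosed offline by checking the authorization request against the client's registration. The following is an added example, not part of the thread and not code from OHIF or Keycloak: `checkAuthRequest` and `redirectAllowed` are hypothetical helpers, the client values are constructed, and the redirect match is a simplified version of Keycloak's rule.

```javascript
// Added example: explain why a Keycloak client would reject an authorization request.
// Client field names follow Keycloak's client representation; the values are constructed.

// Simplified redirect check: exact match, or prefix match when the entry ends in "*".
function redirectAllowed(uri, registered) {
  return registered.some((entry) =>
    entry.endsWith('*') ? uri.startsWith(entry.slice(0, -1)) : uri === entry);
}

function checkAuthRequest(authUrl, client) {
  const params = new URL(authUrl).searchParams;
  const list = (name) => (params.get(name) || '').split(/\s+/).filter(Boolean);
  const responseTypes = list('response_type');
  const redirectUri = params.get('redirect_uri') || '';
  const findings = [];
  if (params.get('client_id') !== client.clientId) {
    findings.push('client_id does not match the registered client');
  }
  if (!redirectAllowed(redirectUri, client.redirectUris)) {
    findings.push(`${redirectUri} is not registered (Invalid parameter: redirect_uri)`);
  }
  const implicit = responseTypes.some((t) => t === 'token' || t === 'id_token');
  if (implicit && !client.implicitFlowEnabled) {
    findings.push('implicit flow is disabled for the client (unsupported_response_type)');
  }
  if (responseTypes.includes('code') && !client.standardFlowEnabled) {
    findings.push('response_type=code needs the standard flow, which is disabled');
  }
  if (!list('scope').includes('openid')) {
    findings.push('scope lacks "openid", which OpenID Connect requires');
  }
  return findings;
}

// Constructed inputs shaped like the requests quoted in this thread.
const client = {
  clientId: 'ohif-viewer',
  redirectUris: ['http://ohif:3000/*'],
  standardFlowEnabled: true,
  implicitFlowEnabled: false,
};
const base = 'https://keycloak:8443/auth/realms/dcm4che/protocol/openid-connect/auth';
const codeRequest = `${base}?client_id=ohif-viewer&redirect_uri=http://0.0.0.0:3300/_oauth/keycloak&response_type=code&scope=oidc`;
const implicitRequest = `${base}?client_id=ohif-viewer&redirect_uri=http://ohif:3000/studylist&response_type=id_token%20token&scope=email%20profile%20openid`;

console.log(checkAuthRequest(codeRequest, client));
console.log(checkAuthRequest(implicitRequest, client));
```
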
