fix: support authentication with Open ID using Keycloak (#669) #none

* Changes for authentication with Open ID using Keycloak

* Select authentication method

* fix: missing params

* fix: minor update

---------

Co-authored-by: Sara <sara.jimenez@nuvu.cc>

.env.example

@@ -40,3 +40,16 @@ PDF_SERVICES_CLIENT_SECRET=
 
 # settings for PDF.js
 PDFJS_VERSION_DIST="pdfjs-4.0.379-dist"
+
+# variable for authentication method selection
+# for authentication with google leave empty
+# for authentication with keycloak :
+# AUTHENTICATION_METHOD="KEYCLOAK"
+
+AUTHENTICATION_METHOD=
+
+# settings for keycloak
+KEYCLOAK_SERVER_URL=
+KEYCLOAK_CLIENT_ID=
+KEYCLOAK_REALM=
+KEYCLOAK_CLIENT_SECRET=

sso_app.py

@@ -8,15 +8,22 @@ from theflow.settings import settings as flowsettings
 
 KH_APP_DATA_DIR = getattr(flowsettings, "KH_APP_DATA_DIR", ".")
 GRADIO_TEMP_DIR = os.getenv("GRADIO_TEMP_DIR", None)
+AUTHENTICATION_METHOD = config("AUTHENTICATION_METHOD")
+
 # override GRADIO_TEMP_DIR if it's not set
 if GRADIO_TEMP_DIR is None:
     GRADIO_TEMP_DIR = os.path.join(KH_APP_DATA_DIR, "gradio_tmp")
     os.environ["GRADIO_TEMP_DIR"] = GRADIO_TEMP_DIR
 
-
+# for authentication with Google
 GOOGLE_CLIENT_ID = config("GOOGLE_CLIENT_ID", default="")
 GOOGLE_CLIENT_SECRET = config("GOOGLE_CLIENT_SECRET", default="")
 
+# for authentication with Open ID by keycloak
+KEYCLOAK_SERVER_URL = config("KEYCLOAK_SERVER_URL")
+KEYCLOAK_REALM = config("KEYCLOAK_REALM")
+KEYCLOAK_CLIENT_ID = config("KEYCLOAK_CLIENT_ID")
+KEYCLOAK_CLIENT_SECRET = config("KEYCLOAK_CLIENT_SECRET")
 
 from ktem.main import App  # noqa
 
@@ -24,15 +31,35 @@ gradio_app = App()
 demo = gradio_app.make()
 
 app = FastAPI()
-grlogin.register(
+
-    name="google",
+if AUTHENTICATION_METHOD == "KEYCLOAK":
-    server_metadata_url="https://accounts.google.com/.well-known/openid-configuration",
+    # for authentication with Open ID by keycloak
-    client_id=GOOGLE_CLIENT_ID,
+    grlogin.register(
-    client_secret=GOOGLE_CLIENT_SECRET,
+        name="keycloak",
-    client_kwargs={
+        server_metadata_url=(
-        "scope": "openid email profile",
+            f"{KEYCLOAK_SERVER_URL}/realms/{KEYCLOAK_REALM}/"
-    },
+            ".well-known/openid-configuration"
-)
+        ),
+        client_id=KEYCLOAK_CLIENT_ID,
+        client_secret=KEYCLOAK_CLIENT_SECRET,
+        client_kwargs={
+            "scope": "openid email profile",
+        },
+    )
+
+else:
+    # for authentication with Google
+    grlogin.register(
+        name="google",
+        server_metadata_url=(
+            "https://accounts.google.com/.well-known/openid-configuration"
+        ),
+        client_id=GOOGLE_CLIENT_ID,
+        client_secret=GOOGLE_CLIENT_SECRET,
+        client_kwargs={
+            "scope": "openid email profile",
+        },
+    )
 
 
 @app.get("/favicon.ico", include_in_schema=False)