Currently in Che there are still a number of requirements in upstream that are not required by the OIDC specification, so that Che still cannot be used with a number of OIDC compliant providers.
For example, in order to have Che working with the [`node-oidc-provider`](https://github.com/panva/node-oidc-provider), the following changes were necessary:
- Remove the requirement to have the email as a claim in the JWT access token: this is not required by the specification and is not supported by a number of OIDC providers. Normally, the ID token contains such claims. So now, if the email is not in the JWT token the first time the user connects to Che, then the email is retrieved from the OIDC provider through its `user-profile` endpoint.
- Explicitly specify the `openid email profile` scope when requesting the access token. Because OIDC providers, when answering on the `userInfo` endpoint, are expected to return claims that correspond to the scopes of the access token. So if an access token has the `openid` scope only, the `userinfo` might return no claim at all (according to the specification).
Until now it was working since Keycloak allows adding claims to the returned tokens anyway.
- Allow supporting fixed redirect URIs: most OIDC providers support having a list of redirect URIs to come back to after the authorization step. But these authorized URIs don't necessarily support wildcards or prefixes. Che doesn't support this currently, and these changes introduce 2 fixed callback HTML pages that redirect to the Dashboard / IDE URL of the final page we want to come back to after authentication. This makes Che compatible with more OIDC providers.
We introduced a new boolean property to enable / disable fixed redirect URLs: `che.keycloak.use_fixed_redirect_urls`, whose default value is `false`.
- The previous points required some light changes in the Keycloak JavaScript adapter file, that we will submit as a PR to the Keycloak project. In the meantime the `OIDCKeycloak.js` file is still used, but has been updated to now be based on the `keycloak.js` file of the last `4.5.0-final` Keycloak release. This will make this Keycloak PR easier to get accepted.
Please keep in mind that this version upgrade only impacts the alternate OIDC provider case: when using a real Keycloak server, Che *always uses the `keycloak.js` file provided by the Keycloak server*.
Signed-off-by: David Festal <dfestal@redhat.com>
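The email lookup described in the commit above, as an added example that is not Che's or Keycloak's code: read the `email` claim from the JWT access token when present, otherwise fall back to the provider's userinfo endpoint, and only when the token actually carries the `email` scope (since the spec lets userinfo return nothing for scopes the token lacks). `makeToken`, `resolveEmail` and the injected `userInfo` lookup callback are assumptions of this example; the callback stands in for the HTTP call so the code runs offline.

```javascript
// Decode the payload of a compact JWS/JWT without verifying it. This helper
// assumes the server already validated the signature; it only reads claims.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT (expected 3 parts)');
  // Node's Buffer understands the base64url alphabet used by JWT segments
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// `scope` is a space-separated string in the token payload
function hasScope(payload, wanted) {
  return String(payload.scope || '').split(' ').includes(wanted);
}

// userInfo(accessToken) is an injected lookup (hypothetical) returning the
// claims the provider's userinfo endpoint would send for this token.
function resolveEmail(accessToken, userInfo) {
  const payload = decodeJwtPayload(accessToken);
  if (payload.email) return { email: payload.email, source: 'access_token' };
  // Userinfo only returns claims matching the token's scopes, so without
  // the `email` scope the fallback cannot succeed; fail early and clearly.
  if (!hasScope(payload, 'email')) {
    throw new Error('email claim absent and token lacks the `email` scope');
  }
  const info = userInfo(accessToken);
  if (!info || !info.email) throw new Error('userinfo returned no email claim');
  return { email: info.email, source: 'userinfo' };
}

// Constructed sample token builder (placeholder signature, never verified here)
function makeToken(claims) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'RS256', typ: 'JWT' })}.${b64(claims)}.placeholder-sig`;
}
```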
* CHE-9709: fix ability to create a factory from a Git URL
Signed-off-by: Oleksii Kurinnyi <okurinny@redhat.com>
* fixup! CHE-9709: fix ability to create a factory from a Git URL
For workspace items in the organization's workspaces list, added an ng-click directive to the 'RAM', 'Projects' and 'Stack' columns to redirect to the Workspace Overview page.
Signed-off-by: Oleksii Kurinnyi <okurinny@redhat.com>
* CHE-5650: fix stacks' order after sorting
This fix sets a fixed sorting order for some prioritized stacks. These stacks are marked by a 'thumb-tack' icon.
Signed-off-by: Oleksii Kurinnyi <okurinny@redhat.com>
* fixup! CHE-5650: fix stacks' order after sorting
* fixup! fixup! CHE-5650: fix stacks' order after sorting
- make workspace name clickable to redirect to workspace overview page
- add workspace action button to be able to start/stop a workspace
- add workspace status indicator
Signed-off-by: Oleksii Kurinnyi <okurinny@redhat.com>
Removed duplicated declaration of che-core-api-core dependency
Added attributes field to workspace config object
Fetch Che plugins from WorkspaceConfig's attributes instead of Workspace's ones
Remove duplicated declarations in pom file of postgresql-tck module
* CHE-10098: fix multiple installers
replace the obsolete installers list with the currently used one
Signed-off-by: Oleksii Kurinnyi <okurinny@redhat.com>
* fix a bug regarding saving installer states
switching several installers in a row causes a bug when only the last
installer's state is stored in a stack configuration.
Signed-off-by: Oleksii Kurinnyi <okurinny@redhat.com>
* CHE-10256: fix overlay
Signed-off-by: Oleksii Kurinnyi <okurinny@redhat.com>
* add unit tests for stack-details directive
Signed-off-by: Oleksii Kurinnyi <okurinny@redhat.com>
* CHE-10097: fix unexpected page scroll
Signed-off-by: Oleksii Kurinnyi <okurinny@redhat.com>
* fixup! CHE-10097: fix unexpected page scroll
* fixup! fixup! CHE-10097: fix unexpected page scroll
* fixup! fixup! fixup! CHE-10097: fix unexpected page scroll
* Support identity provider token retrieval in both JSON or URL formats.
That's required because some identity providers (such as `openshift-v3`) correctly return the token information in JSON, as expected. So switching to the URL-based syntax should only be used when the returned JSON is invalid.
Signed-off-by: David Festal <dfestal@redhat.com>
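The parsing order described in the commit above, as an added example that is not Che's code: try the JSON token response first and fall back to the `application/x-www-form-urlencoded` syntax only when the body is not valid JSON. `parseTokenResponse` and the sample bodies are assumptions of this example.

```javascript
// Parse an OAuth token endpoint response body. JSON is the expected format;
// the key=value&key=value form is accepted only if JSON parsing fails, so a
// JSON body is never mis-read as a query string.
function parseTokenResponse(body) {
  let fields = null;
  try {
    const parsed = JSON.parse(body);
    // Only a JSON object counts as a valid JSON token response
    if (parsed !== null && typeof parsed === 'object' && !Array.isArray(parsed)) {
      fields = parsed;
    }
  } catch (e) {
    // invalid JSON: fall through to the URL-encoded syntax below
  }
  if (fields === null) {
    fields = Object.fromEntries(new URLSearchParams(body));
  }
  // An error response (e.g. error=invalid_grant) carries no access_token
  if (typeof fields.access_token !== 'string' || fields.access_token === '') {
    throw new Error('token response has no access_token');
  }
  return {
    accessToken: fields.access_token,
    tokenType: (fields.token_type || 'bearer').toLowerCase(),
    scope: fields.scope,
  };
}
```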
* Introduce an `OpenShiftClientConfigFactory` to allow customizing the OpenShift config returned according to the current context (workspace ID, current user)
Signed-off-by: David Festal <dfestal@redhat.com>
* OpenShift Infra + Multi-user => allow using the OpenShift identity provider to connect to OpenShift with the OS OAuth token of the current Che user.
This introduces a new property:
`che.infra.openshift.oauth_identity_provider`
Signed-off-by: David Festal <dfestal@redhat.com>
* Notify the user when a workspace cannot be started from the nav bar.
Signed-off-by: David Festal <dfestal@redhat.com>
* Add the ability to install the Openshift certificate into Keycloak
Signed-off-by: David Festal <dfestal@redhat.com>
* Add a yaml file to provide the openshift certificate as a secret,
in case it has to be installed into the dedicated Keycloak server.
Then the commands to install Che multiuser on Minishift with this
certificate are:
```
# create the project, then install the certificate secret, PostgreSQL, Keycloak and Che
oc new-project che
oc process -f multi/openshift-certificate-secret.yaml -p CERTIFICATE="$(minishift ssh docker exec origin /bin/cat ./openshift.local.config/master/ca.crt)" | oc apply -f -; \
oc new-app -f multi/postgres-template.yaml; \
oc new-app -f multi/keycloak-template.yaml -p ROUTING_SUFFIX=$(minishift ip).nip.io; \
oc apply -f pvc/che-server-pvc.yaml; \
oc new-app -f che-server-template.yaml -p ROUTING_SUFFIX=$(minishift ip).nip.io -p CHE_MULTIUSER=true -p CHE_INFRA_OPENSHIFT_OAUTH__IDENTITY__PROVIDER=openshift-v3; \
oc set volume dc/che --add -m /data --name=che-data-volume --claim-name=che-data-volume
```
Of course it's still needed to register the `openshift-v3` identity provider in the Keycloak server, as well as add the corresponding `OAuthClient` object in Minishift.
Signed-off-by: David Festal <dfestal@redhat.com>
* check WebSocket connection
Signed-off-by: Oleksii Kurinnyi <okurinny@redhat.com>
* check that the workspace and the workspace agent exist
Signed-off-by: Oleksii Kurinnyi <okurinny@redhat.com>