fix: support authentication with Open ID using Keycloak (#669) #none

* Changes for authentication with Open ID using Keycloak * Select authentication method * fix: missing params * fix: minor update --------- Co-authored-by: Sara <sara.jimenez@nuvu.cc>
2025-06-26 23:19:56 +00:00 · 2025-02-14 21:26:37 +07:00 · 2025-02-14 21:26:37 +07:00 · 647d0a4afe
commit 647d0a4afe
parent e3921f7704
2 changed files with 50 additions and 10 deletions
--- a/.env.example
+++ b/.env.example
@ -40,3 +40,16 @@ PDF_SERVICES_CLIENT_SECRET=

 # settings for PDF.js
 PDFJS_VERSION_DIST="pdfjs-4.0.379-dist"
+
+# variable for authentication method selection
+# for authentication with google leave empty
+# for authentication with keycloak :
+# AUTHENTICATION_METHOD="KEYCLOAK"
+
+AUTHENTICATION_METHOD=
+
+# settings for keycloak
+KEYCLOAK_SERVER_URL=
+KEYCLOAK_CLIENT_ID=
+KEYCLOAK_REALM=
+KEYCLOAK_CLIENT_SECRET=
--- a/sso_app.py
+++ b/sso_app.py
@ -8,15 +8,22 @@ from theflow.settings import settings as flowsettings

 KH_APP_DATA_DIR = getattr(flowsettings, "KH_APP_DATA_DIR", ".")
 GRADIO_TEMP_DIR = os.getenv("GRADIO_TEMP_DIR", None)
+AUTHENTICATION_METHOD = config("AUTHENTICATION_METHOD")
+
 # override GRADIO_TEMP_DIR if it's not set
 if GRADIO_TEMP_DIR is None:
    GRADIO_TEMP_DIR = os.path.join(KH_APP_DATA_DIR, "gradio_tmp")
    os.environ["GRADIO_TEMP_DIR"] = GRADIO_TEMP_DIR

-
+# for authentication with Google
 GOOGLE_CLIENT_ID = config("GOOGLE_CLIENT_ID", default="")
 GOOGLE_CLIENT_SECRET = config("GOOGLE_CLIENT_SECRET", default="")

+# for authentication with Open ID by keycloak
+KEYCLOAK_SERVER_URL = config("KEYCLOAK_SERVER_URL")
+KEYCLOAK_REALM = config("KEYCLOAK_REALM")
+KEYCLOAK_CLIENT_ID = config("KEYCLOAK_CLIENT_ID")
+KEYCLOAK_CLIENT_SECRET = config("KEYCLOAK_CLIENT_SECRET")

 from ktem.main import App  # noqa

@ -24,15 +31,35 @@ gradio_app = App()
 demo = gradio_app.make()

 app = FastAPI()
-grlogin.register(
-    name="google",
-    server_metadata_url="https://accounts.google.com/.well-known/openid-configuration",
-    client_id=GOOGLE_CLIENT_ID,
-    client_secret=GOOGLE_CLIENT_SECRET,
-    client_kwargs={
-        "scope": "openid email profile",
-    },
-)
+
+if AUTHENTICATION_METHOD == "KEYCLOAK":
+    # for authentication with Open ID by keycloak
+    grlogin.register(
+        name="keycloak",
+        server_metadata_url=(
+            f"{KEYCLOAK_SERVER_URL}/realms/{KEYCLOAK_REALM}/"
+            ".well-known/openid-configuration"
+        ),
+        client_id=KEYCLOAK_CLIENT_ID,
+        client_secret=KEYCLOAK_CLIENT_SECRET,
+        client_kwargs={
+            "scope": "openid email profile",
+        },
+    )
+
+else:
+    # for authentication with Google
+    grlogin.register(
+        name="google",
+        server_metadata_url=(
+            "https://accounts.google.com/.well-known/openid-configuration"
+        ),
+        client_id=GOOGLE_CLIENT_ID,
+        client_secret=GOOGLE_CLIENT_SECRET,
+        client_kwargs={
+            "scope": "openid email profile",
+        },
+    )


@app.get("/favicon.ico", include_in_schema=False)