eIAM Integration #1422

Closed
3 of 4 tasks
sosiology opened this issue Mar 19, 2024 · 15 comments
@sosiology
Contributor

sosiology commented Mar 19, 2024

Enhance Visualize such that users can log in using an OIDC Identity Provider – in this case a Swiss federal login. Furthermore, they should be able to save visualizations as drafts and resume these at a later point in time.

DoD:

  • eIAM login is available in Visualize on TEST
  • eIAM login is available in Visualize on INT
  • eIAM login is available in Visualize on PROD
  • A user can log in with his eIAM credentials in each of these environments and create visualisations.
@sosiology
Contributor Author

OIDC metadata for the connection to eIAM REF environment -> Info received Rene Kreidemacher

@sosiology sosiology assigned bprusinowski and unassigned ptbrowne Apr 16, 2024
@adintegra
Contributor

Followed up on PKCE settings with BIT today – awaiting answer.

@sosiology
Contributor Author

Feedback BIT: Reduce request of the scope down to Open ID

@bprusinowski
Collaborator

bprusinowski commented Apr 24, 2024

Might be solved by #1471

@sosiology
Contributor Author

Can I support with testing anything?

@bprusinowski
Collaborator

@sosiology not yet, we need to merge #1471 first (cc @ptbrowne)

@adintegra
Contributor

After merging #1471, looks like the Sign In currently takes the user to the Keycloak Login screen. IIRC we had this once before. Maybe a configuration issue somewhere @bprusinowski?

@bprusinowski
Collaborator

@adintegra I am taking a look 👍

@bprusinowski
Collaborator

I think that we get the correct information from Keycloak back, but have some problem with dealing with it afterwards. After a quick investigation it turns out it might be related to Prisma, and e.g. a different type of id we get from Keycloak now.

It's hard for me to debug this without having access to logs – I pushed a commit with a debug KeycloakProvider flag set to true – once it deploys on TEST, we can do several attempts to log in, and then ask Abraxas for server logs to check what's the exact problem.

@ptbrowne
Collaborator

ptbrowne commented Apr 25, 2024

Maybe it'd be good to try and connect to Abraxas servers? It's been a long time since I have tried and it is quite painful since we have to log in through a Windows jump point, but it might be helpful.

@bprusinowski
Collaborator

@ptbrowne it's a good idea, I can try to do it tomorrow 👍

@adintegra
Contributor

Quick update: After trying out various configurations (primarily around using Keycloak as an Authentication Bridge), I believe we may not need a Keycloak instance at all, but could connect directly to the BIT OIDC trust broker. This would simplify our architecture substantially.
BIT has provided the information that their trust broker/IdP is a custom implementation of Microsoft ADFS (Active Directory FS). While there is no built-in provider for this in next-auth, there is a discussion here on how to go about implementing this. Thus, the next step would be to adjust our current implementation in line with this and test it.
/cc @bprusinowski
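
The direct-to-IdP setup discussed in the comment above, as an added example that is not part of the thread and not the project's code: a hand-written next-auth v4 provider object that requests only the `openid` scope and enables the PKCE and state checks. The environment variable names, provider id and issuer URL are assumptions.

```javascript
// Added example, not the project's code. Builds a custom next-auth (v4) OAuth
// provider object for a generic OIDC identity provider.
// Assumptions: env variable names, provider id/name, issuer URL.
function oidcProvider(env) {
  const issuer = env.OIDC_ISSUER; // hypothetical variable name
  if (!issuer || !env.OIDC_CLIENT_ID) {
    throw new Error("OIDC_ISSUER and OIDC_CLIENT_ID must be set");
  }
  // Refuse a plain-http issuer: discovery metadata and keys would be spoofable.
  if (new URL(issuer).protocol !== "https:") {
    throw new Error("OIDC issuer must use https");
  }
  return {
    id: "oidc", // hypothetical provider id
    name: "OIDC login",
    type: "oauth",
    // Endpoints and signing keys come from the IdP's discovery document.
    wellKnown: `${issuer.replace(/\/+$/, "")}/.well-known/openid-configuration`,
    // Request the minimum scope; nothing beyond `openid`.
    authorization: { params: { scope: "openid" } },
    idToken: true, // read the user's claims from the validated ID token
    checks: ["pkce", "state"], // PKCE code challenge plus CSRF state
    clientId: env.OIDC_CLIENT_ID,
    clientSecret: env.OIDC_CLIENT_SECRET,
    // Without a secret the client is public and authenticates by PKCE alone.
    client: env.OIDC_CLIENT_SECRET
      ? undefined
      : { token_endpoint_auth_method: "none" },
    // With only `openid` requested, `sub` is the one claim sure to be present.
    // Normalise it to a string so the user id has one type in the database.
    profile(claims) {
      if (claims.sub === undefined || claims.sub === null || claims.sub === "") {
        throw new Error("ID token has no sub claim");
      }
      return {
        id: String(claims.sub),
        name: claims.name ?? null,
        email: claims.email ?? null,
      };
    },
  };
}

// Constructed sample values, for illustration only.
const demo = oidcProvider({
  OIDC_ISSUER: "https://idp.example.test/adfs/",
  OIDC_CLIENT_ID: "example-client",
});
console.log(demo.wellKnown, demo.checks, demo.profile({ sub: 12345 }));
```

The returned object goes into the `providers` array of the next-auth options; the callback URL registered at the IdP must match the provider `id`.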

@bprusinowski
Collaborator

I will try to change the implementation @adintegra and deploy to TEST to see if it works 👍 Thanks for the investigation 🙇‍♂️

@sosiology sosiology assigned adintegra and ptbrowne and unassigned bprusinowski May 29, 2024
@ptbrowne
Collaborator

I could log in to test.visualize.admin.ch with eIAM credentials, save a chart to draft then publish it 🎉. @sosiology

@adintegra adintegra changed the title eIAM Integration on TEST eIAM Integration Jun 3, 2024
@sosiology
Contributor Author

Closing this issue as the login is available on PROD now, please re-open if I missed something @adintegra
