yasithdev opened a new pull request, #245: URL: https://github.com/apache/airavata-portals/pull/245
Moves the OIDC flow into the browser and makes the Django portal Keycloak-token-only, matching the token-authoritative Airavata server (apache/airavata#695).

- `keycloak_token_user_middleware` validates the access token from the `Authorization: Bearer` header or the `kc_token` cookie (JWKS) and sets `request.user` / `request.authz_token`. Replaces the server-side OIDC session (session + authz_token + bearer middlewares).
- `oidc_login` / `oidc_callback` render small vanilla PKCE pages that run Authorization Code + PKCE against the public `pga-public` client and store the access token in the `kc_token` cookie (cookie authenticates page navigations, Bearer authenticates the API/SDK). `logout` clears the cookie + Keycloak end-session. No server-side client secret, no session-stored token.
- The portal no longer injects client-asserted identity (`x-claims`) when constructing the gRPC client; the user's token alone carries identity.
- Post-login redirect is guarded against open-redirect.

### Test plan

- Verified a full browser login (`/auth/login` → Keycloak → `/auth/callback/` token exchange → `kc_token` cookie) renders the portal authenticated (admin nav + user menu) and `/workspace/projects` loads the user's project through the `/api` → token path.

### Note

No refresh-token flow yet: the access token (~5 min) expires and the stale cookie then 401s; `login_required` re-completes silently via the Keycloak SSO session. A refresh-token exchange is a small follow-up.

--
This is an automated message from the Apache Git Service.
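The open-redirect guard on the post-login `next` target, as an added stand-alone example (not code from this PR or from airavata-portals): it assumes a constructed portal host and default landing page, and reimplements in plain Python the checks that Django's `django.utils.http.url_has_allowed_host_and_scheme` performs, so it runs without Django and shows which spellings of an off-site URL the guard has to catch.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed values for this example: the portal's own host and the page a
# login should land on when ?next= is missing or unsafe.
PORTAL_HOST = "portal.example"
DEFAULT_NEXT = "/workspace/projects"


def safe_post_login_redirect(next_param, allowed_host=PORTAL_HOST,
                             require_https=False, default=DEFAULT_NEXT):
    """Return a same-origin redirect target derived from next_param, or default.

    Stops a link such as /auth/login?next=//evil.example from bouncing a freshly
    authenticated user off-site after the callback completes.
    """
    if not next_param:
        return default
    url = next_param.strip()
    # C0 control characters inside the value confuse parsers (urlsplit silently
    # drops tabs and newlines); reject rather than normalise.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return default
    # Browsers treat "\" as "/" in the authority part, so "/\evil.example" is
    # off-site. Normalise, then refuse anything starting with "//": that covers
    # scheme-relative URLs and the "///evil.example" form, which browsers resolve
    # to http://evil.example/ even though urlsplit reports an empty netloc.
    url = url.replace("\\", "/")
    if url.startswith("//"):
        return default
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        # Plain relative reference. Insist on a rooted path so the target does
        # not depend on which page the login link was rendered from.
        if not url.startswith("/"):
            return default
        return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
    # Absolute URL: only http(s) to our own host. "javascript:..." and
    # "http:evil.example" (scheme but no host) both end up rejected here.
    allowed_schemes = ("https",) if require_https else ("http", "https")
    if parts.scheme not in allowed_schemes:
        return default
    host = parts.hostname  # drops userinfo and port, so "x@evil.example" is caught
    if host is None or host.lower() != allowed_host.lower():
        return default
    # Re-emit as a relative path: the browser stays on the current origin
    # regardless of how the absolute URL was spelled.
    return urlunsplit(("", "", parts.path or "/", parts.query, parts.fragment))
```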
