doudoumai edited a comment on issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect
URL: https://github.com/apache/zeppelin/pull/2373#issuecomment-578557856

I succeeded in making Zeppelin SSO work with Keycloak, with roles and logout working successfully.

For roles:

1) Rewrite (or inherit from) Pac4jRealm to overwrite doGetAuthenticationInfo to fetch the roles into a member variable (and provide a getter for this variable). I have not yet figured out why doGetAuthorizationInfo is not called.
2) In SecurityUtils, the getRoles function needs to be updated to access the Pac4jRealm instance to get the roles from the above member variable.

For logout, you do not need to provide a logout handler in shiro.ini; instead you need to:

1) Configure the Pac4jRealm (the one you overwrite or inherit from) with a new parameter in shiro.ini for the Keycloak logout address, which is in the form of `http://<ip>:<port>/auth/realms/<realm>/protocol/openid-connect/logout?redirect_uri=`. Please make sure you follow the above pattern, or else Keycloak will complain that the redirect URI is not valid on logout.
2) Update the logout function in LoginRestApi: if the realm is Pac4jRealm (the one you overwrite or inherit from), then send the response with a redirect as below:

```java
Map<String, String> data = new HashMap<>();
data.put("redirectURL", ((ZeppelinPac4jRealm) realm).getLogoutUrl());
response = new JsonResponse(Status.UNAUTHORIZED, "", data);
```

With the above setting, on logout it will redirect to the Keycloak logout address (appending the Zeppelin home address after "redirect_uri" automatically) and it will log the session out from Keycloak successfully. After logout, it will then redirect to your Zeppelin server home page, which will redirect you to the Keycloak login page.

Of course, the above does not look that elegant:

- doGetAuthorizationInfo shall be called in the flow
- the Keycloak baseUri is configured in "oidcConfigure" but cannot be reused in logout, and we have to retype a similar URL pattern in Pac4jRealm's variable for logout
- SecurityUtils has to instrument the realm to fetch the roles, which I believe Zeppelin itself has to fix, not only for Pac4jRealm but also for other realms.
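The realm described in the comment above, written out as an added example; this is not code from the pull request or from the Zeppelin project. It assumes buji-pac4j's `Pac4jRealm`/`Pac4jToken` and pac4j's `CommonProfile` are on the classpath with the signatures of buji-pac4j 2.x/3.x, and that the principal name Zeppelin hands to `getRoles` is the pac4j profile id. The class name `ZeppelinPac4jRealm`, the `logoutUrl` property, and the two static helpers are hypothetical names. Because a Shiro realm is a single object shared by every session, the example keys the captured roles by principal rather than keeping them in one field, which would otherwise hand the most recently authenticated user's roles to everyone.

```java
// Added illustration, not code from the PR or from the Zeppelin project.
// Assumptions: buji-pac4j Pac4jRealm/Pac4jToken and pac4j CommonProfile on the classpath
// (buji-pac4j 2.x/3.x signatures); ZeppelinPac4jRealm, logoutUrl and the static helpers
// are hypothetical names; the principal name passed in matches CommonProfile.getId().
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import io.buji.pac4j.realm.Pac4jRealm;
import io.buji.pac4j.token.Pac4jToken;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.realm.Realm;
import org.pac4j.core.profile.CommonProfile;

public class ZeppelinPac4jRealm extends Pac4jRealm {

  // Set from shiro.ini; Shiro's ini parser calls setLogoutUrl for the "logoutUrl" key, e.g.
  //   pac4jRealm = org.apache.zeppelin.realm.ZeppelinPac4jRealm
  //   pac4jRealm.logoutUrl = http://<ip>:<port>/auth/realms/<realm>/protocol/openid-connect/logout?redirect_uri=
  private String logoutUrl;

  // One realm instance serves every session, so roles are kept per principal.
  private final Map<String, Set<String>> rolesByPrincipal = new ConcurrentHashMap<>();

  @Override
  protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
      throws AuthenticationException {
    AuthenticationInfo info = super.doGetAuthenticationInfo(token);
    if (token instanceof Pac4jToken) {
      for (CommonProfile profile : ((Pac4jToken) token).getProfiles()) {
        // Roles the OIDC client mapped from the Keycloak token onto the profile.
        Set<String> roles = new LinkedHashSet<>(profile.getRoles());
        rolesByPrincipal.put(profile.getId(), Collections.unmodifiableSet(roles));
      }
    }
    return info;
  }

  /** Roles captured at authentication time for the given principal. */
  public Set<String> getRoles(String principal) {
    return rolesByPrincipal.getOrDefault(principal, Collections.emptySet());
  }

  /** Drop captured roles at logout so they do not outlive the session. */
  public void clearRoles(String principal) {
    rolesByPrincipal.remove(principal);
  }

  public String getLogoutUrl() { return logoutUrl; }
  public void setLogoutUrl(String logoutUrl) { this.logoutUrl = logoutUrl; }

  // ---- helpers a patched SecurityUtils.getRoles / LoginRestApi.logout would call ----

  /** Union of captured roles across every ZeppelinPac4jRealm registered with the security manager. */
  public static Set<String> rolesFromRealms(Collection<Realm> realms, String principal) {
    Set<String> roles = new LinkedHashSet<>();
    for (Realm realm : realms) {
      if (realm instanceof ZeppelinPac4jRealm) {
        roles.addAll(((ZeppelinPac4jRealm) realm).getRoles(principal));
      }
    }
    return roles;
  }

  /**
   * Body for the UNAUTHORIZED JSON response that the front end turns into a browser redirect.
   * The Zeppelin home address is appended after redirect_uri by the front end, as the comment
   * describes. Returns null when no ZeppelinPac4jRealm is configured, so the caller keeps the
   * default logout behaviour.
   */
  public static Map<String, String> logoutRedirect(Collection<Realm> realms, String principal) {
    for (Realm realm : realms) {
      if (realm instanceof ZeppelinPac4jRealm) {
        ZeppelinPac4jRealm pac4j = (ZeppelinPac4jRealm) realm;
        pac4j.clearRoles(principal);
        Map<String, String> data = new HashMap<>();
        data.put("redirectURL", pac4j.getLogoutUrl());
        return data;
      }
    }
    return null;
  }
}
```

In the LoginRestApi logout path this reduces to `Map<String, String> data = ZeppelinPac4jRealm.logoutRedirect(realms, principal);` followed by `new JsonResponse(Status.UNAUTHORIZED, "", data)` when `data` is non-null, where `realms` is the collection obtained from Shiro's security manager, exactly as the comment's snippet does.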
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services
