yasithdev opened a new pull request, #245:
URL: https://github.com/apache/airavata-portals/pull/245

   Moves the OIDC flow into the browser and makes the Django portal 
Keycloak-token-only, matching the token-authoritative Airavata server 
(apache/airavata#695).
   
   - `keycloak_token_user_middleware` validates the access token from the 
`Authorization: Bearer` header or the `kc_token` cookie (JWKS) and sets 
`request.user` / `request.authz_token`. Replaces the server-side OIDC session 
(session + authz_token + bearer middlewares).
   - `oidc_login` / `oidc_callback` render small vanilla PKCE pages that run 
Authorization Code + PKCE against the public `pga-public` client and store the 
access token in the `kc_token` cookie (cookie authenticates page navigations, 
Bearer authenticates the API/SDK). `logout` clears the cookie + Keycloak 
end-session. No server-side client secret, no session-stored token.
   - The portal no longer injects client-asserted identity (`x-claims`) when 
constructing the gRPC client; the user's token alone carries identity.
   - Post-login redirect is guarded against open-redirect.
   
   ### Test plan
   - Verified a full browser login (`/auth/login` → Keycloak → 
`/auth/callback/` token exchange → `kc_token` cookie) renders the portal 
authenticated (admin nav + user menu) and `/workspace/projects` loads the 
user's project through the `/api` → token path.
   
   ### Note
   No refresh-token flow yet: the access token (~5 min) expires and the stale 
cookie then 401s; `login_required` re-completes silently via the Keycloak SSO 
session. A refresh-token exchange is a small follow-up.
   


-- 
This is an automated message from the Apache Git Service.