Keycloak/Oauth forwarding (#76)

* upgrade to node 16

* add keycloak forwarding

* update oauth configs

* readme updates

README.md

@@ -73,6 +73,12 @@ In a geo-replication configuration, you will want to use the cluster name for th
 | server_config.kubernetes.service_port | | When using `k8s` auth_mode, specify a custom Kubernetes port. |
 | server_config.user_auth.username | | When using `user` auth_mode, the login user name. |
 | server_config.user_auth.password | | When using `user` auth_mode, the login password. |
+| server_config.oauth2.enabled | | When using `openidconnect` set to `true` to forward token requests. |
+| server_config.oauth2.hostname | | When using `openidconnect` set to your hostname ex: `localhost` |
+| server_config.oauth2.forwardingPath | | When using `openidconnect` set to the path you need to forward to to get the token |
+| server_config.oauth2.enableTls | | When using `openidconnect` set to `true` if you wish to use `HTTPS` |
+| server_config.oauth2.http | | When using `openidconnect` and only using `HTTP` set to your port |
+| server_config.oauth2.https | | When using `openidconnect` and using `HTTPS` set to your port |
 | polling_interval | 10000 | How often the console polls Pulsar for updated values. In milliseconds. |
 | ca_certificate | | String of CA certificate to display in the console under Credentials. |
 | api_version | 2.8.3 | Version of the Pulsar client API to recommend under Samples. |

config/default.json

@@ -2,7 +2,7 @@
     "auth_mode": "none",
     "cluster_name": "standalone",
     "tenant": "public",
-    "oauth_client_id": "",
+    "oauth_client_id": "console",
     "server_config": {
         "port": "6454",
         "pulsar_url": "http://localhost:8080",
@@ -26,6 +26,14 @@
         "user_auth": {
             "username": "",
             "password": ""
+        },
+        "oauth2": {
+            "enabled": false,
+            "hostname": "",
+            "forwardingPath": "/token",
+            "enableTls": false,
+            "httpPort": "",
+            "httpsPort": ""
         }
     },
     "polling_interval": "10000",

server/server.js

@@ -192,6 +192,24 @@ app.use(`/api/v1/${cluster}/sources`, createProxyMiddleware({
   selfHandleResponse: true
 }));
 
+const  keycloakTarget = cfg.globalConf.server_config.oauth2.enableTls ?
+      `https://${cfg.globalConf.server_config.oauth2.hostname}:${cfg.globalConf.server_config.oauth2.httpsPort}` :
+      `http://${cfg.globalConf.server_config.oauth2.hostname}:${cfg.globalConf.server_config.oauth2.httpPort}`
+
+app.use(createProxyMiddleware({
+  target: keycloakTarget,
+  pathFilter: (path, req) => {
+    if (cfg.globalConf.server_config.oauth2.enabled && path.includes('/api/v1/auth/token')) {
+      return true;
+    }
+    return false;
+  },
+  pathRewrite: (path, req) => {
+    return path.replace('/api/v1/auth/token', cfg.globalConf.server_config.oauth2.forwardingPath)
+  },
+  secure: cfg.globalConf.server_config.ssl.verify_certs,
+}))
+
 app.use(`/api/v1/${cluster}`, createProxyMiddleware({
   target: cfg.globalConf.server_config.pulsar_url,
   pathRewrite: rootPathRewrite,