Skip to content

Proof of concept showing the frontend using keycloak on an arbitrary domain #2385

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Proof of concept showing the frontend using keycloak on an arbitrary domain #2385

wants to merge 3 commits into from

Conversation

@kgudel
Copy link
Contributor

@kgudel kgudel commented Jan 7, 2025

No description provided.

tptignor
tptignor reviewed Jan 13, 2025
View reviewed changes
src/common/api/Keycloak.js
keycloak = new Keycloak('/local_keycloak.json')
} else {
keycloak = new Keycloak('/keycloak.json')
keycloak = new Keycloak(keycloakConfig)
Copy link

@tptignor tptignor Jan 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it be any easier to manage/revert the keycloak config as a ConfigMap?

ojbravo
ojbravo reviewed Jan 13, 2025
View reviewed changes
src/common/api/Keycloak.js Outdated

const keycloakConfig = {
"realm": "hmda2",
"url": "https://{{domain}}}/auth",
Copy link
Contributor

@ojbravo ojbravo Jan 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you try replacing line 9 with the following to make it dynamic?
"url": `https://${window.location.hostname}/auth`,

Copy link
Contributor

@ojbravo ojbravo Jan 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To account for local testing, please use the following:

let keycloakRedirect = null
if (hostname == 'localhost') {
  keycloakRedirect = 'ffiec.cfpb.gov'
} else {
  keycloakRedirect = hostname
}

const keycloakConfig = {
  "realm": "hmda2",
  "url": `https://${keycloakRedirect}/auth`,
  "clientId": "hmda2-api",
  "public-client": true,
  "use-resource-role-mappings": true,
  "confidential-port": 0,
  "ssl-required": "all"
}```

@billhimmelsbach billhimmelsbach mentioned this pull request Oct 8, 2025
Merged
billhimmelsbach added a commit that referenced this pull request Oct 9, 2025
@billhimmelsbach
Merge pull request #2625 from cfpb/5181-fix-keycloak-redirections-for…
d2134f7 
…-aws

We're taking [Kenneth's good work](#2385), making it work for more domains, and trying to get it into `master` so it doesn't have to get deployed separately.

## Changes

- redirects to the correct keycloak instance for a given hostname (see the logic diagrams on the enterprise wiki for [Keycloak Redirect Logic as of October 8th 2025](https://[ENT]/HMDA-Operations/hmda-devops/wiki/Keycloak-Redirect-Logic-as-of-October-8th-2025))
- changes `checkLoginIframe` to false due to CORS issues now related to trying to access an iframe from another domain...
  <img width="1492" height="136" alt="Screenshot 2025-10-08 at 2 04 48 PM" src="https://github.com/user-attachments/assets/a5a6ae7d-9b83-4b70-9638-62a647da61c3" />

  ... and probably future problems with it as cookies get more locked down based on some of my digging through keycloak docs and issues. Take a look at issue 23872 [on the keycloak repo](https://github.com/keycloak/keycloak/issues) (avoiding a direct link to the issue so we're not linked into it) for more info on browser incompatibilities.

  There are some downsides to not having it, particularly if someone logs off in another tab then it might not auto-detect the log out. Having said that, Kenneth's PR that implements it has been on [hmda beta side](https://ffiec.beta.cfpb.gov/) for almost a year without complaints. I still [made an issue](#2624) to follow up and investigate re-enabling it or ameliorating any issues, if we feel like we need to down the line.

## Testing

1. Does it work on all the environments?
### Local
<img width="775" height="692" alt="5181-works-on-local" src="https://github.com/user-attachments/assets/b55cbcd5-0730-4255-8c36-a7d920a2dc6a" />

### Dev
<img width="613" height="587" alt="5181-works-on-hmdadev" src="https://github.com/user-attachments/assets/0e92a982-17fc-436f-821e-e1eba870384f" />

### Dev Beta
<img width="609" height="295" alt="5181-works-on-dev-beta" src="https://github.com/user-attachments/assets/d0f8a23b-9be8-432d-83cc-532844cbe11f" />

### Prod Beta
<img width="625" height="360" alt="5181-works-on-prod-beta" src="https://github.com/user-attachments/assets/6bac9d33-77ec-4fef-8d24-e26c2fb5d0a9" />

### Prod
(will wait till release)

### Alto environments
(will need to wait to see on those)

## Notes

- Although we're moving [Kenneth's PR](#2385) into master, I don't need to replicate `update prod-beta-config.json` like [Kenneth did](https://github.com/cfpb/hmda-frontend/pull/2385/files#diff-2ab1df37bbc1d33f86eebba246041c6c3a549ad602fb661251acaebcd096b1ee), because those changes were already [merged into master](https://github.com/cfpb/hmda-frontend/pull/2389/files#diff-2ab1df37bbc1d33f86eebba246041c6c3a549ad602fb661251acaebcd096b1eeR71) earlier.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@ojbravo ojbravo ojbravo left review comments

@tptignor tptignor tptignor left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@kgudel @ojbravo @tptignor