
enable redirect to oidc provider to empower sso solutions even further

viehlieb 3 жил өмнө
parent
commit
84d51393e4

+ 11 - 21
client/components/main/layouts.js

@@ -54,46 +54,37 @@ Template.userFormsLayout.onCreated(function() {
     }
   });
 
-  Meteor.call('isOidcRedirectionEnabled', (_, result) => {
-    serviceName = 'oidc';
-    if (result) {
-      if(Session.get("tmp") && ((Math.floor(Date.now() / 1000) - Session.get("tmp") < 5) ))
-      {
-        window.location.reload(true);
-        console.log(Meteor.user().profile);
-      }
-      else
+  if(!Meteor.user()?.profile)
+  {
+
+    Meteor.call('isOidcRedirectionEnabled', (_, result) => {
+      serviceName = 'oidc';
+      if (result)
       {
-        Session.set("tmp", Math.floor(Date.now() / 1000));
-        console.log("Säschön", Session.get("tmp"));
         methodName = "loginWithOidc";
         var loginWithService = Meteor[methodName];
         AccountsTemplates.options.socialLoginStyle = 'redirect';
         options = {
-            loginStyle: AccountsTemplates.options.socialLoginStyle,
+          loginStyle: AccountsTemplates.options.socialLoginStyle,
         };
-        console.log("keys", options);
         loginWithService(options, function(err) {
           AccountsTemplates.setDisabled(false);
           if (err && err instanceof Accounts.LoginCancelledError)
           {
-            console.log("login cancelled");
           }
           else if (err && err instanceof ServiceConfiguration.ConfigError)
           {
-            console.log("service config");
             if (Accounts._loginButtonsSession) return Accounts._loginButtonsSession.configureService('oidc');
           }
           else
           {
-            console.log("else_block");
             AccountsTemplates.submitCallback(err, state);
           }
-      });
+        });
       }
-    }
-    else console.log("kein result");
-  });
+      else console.log("oidc redirect not set");
+    });
+  }
   Meteor.call('isDisableRegistration', (_, result) => {
     if (result) {
       $('.at-signup-link').hide();
@@ -326,7 +317,6 @@ Template.userFormsLayout.events({
     event.preventDefault();
   },
   'click #at-btn'(event, templateInstance) {
-    console.log("hello");
     if (FlowRouter.getRouteName() === 'atSignIn') {
       templateInstance.isLoading.set(true);
       authentication(event, templateInstance).then(() => {
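Review bot: The new `if(!Meteor.user()?.profile)` branch in the first hunk drops the 5-second `Session.get("tmp")` throttle without a replacement, so when the OIDC login returns an error that is neither a cancel nor a config error (the `else` branch only forwards it to `AccountsTemplates.submitCallback`) and the layout is created again, the `isOidcRedirectionEnabled` callback redirects to the provider once more; unless something outside the hunk interrupts it, a user the provider keeps rejecting is sent around a login/redirect loop. A one-shot guard set just before `loginWithService(options, …)` (for example `Session.set("oidcRedirectAttempted", true)`, a constructed key name, checked alongside `result`) would bound it. Separately, `serviceName`, `methodName` and `options` are assigned without `let`/`const` inside the callback; if they are not declared higher up in `onCreated`, they become implicit globals — `const options = { loginStyle: AccountsTemplates.options.socialLoginStyle };` keeps it local. `Template.userFormsLayout.onCreated` begins and ends outside the hunk.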

+ 29 - 18
config/accounts.js

@@ -3,7 +3,16 @@ const emailField = AccountsTemplates.removeField('email');
 let disableRegistration = false;
 let disableForgotPassword = false;
 let passwordLoginDisabled = false;
-let oidcEnabled = false;
+let oidcRedirectionEnabled = false;
+let oauthServerUrl = "home";
+let oauthDashboardUrl = "";
+
+Meteor.call('isOidcRedirectionEnabled', (_, result) => {
+  if(result)
+  {
+    oidcRedirectionEnabled = true;
+  }
+});
 
 Meteor.call('isPasswordLoginDisabled', (_, result) => {
   if (result) {
@@ -12,15 +21,17 @@ Meteor.call('isPasswordLoginDisabled', (_, result) => {
     //console.log(result);
   }
 });
+
 Meteor.call('getOauthServerUrl', (_, result) => {
   if (result) {
     oauthServerUrl = result;
-    const a = document.createElement("a");
-    a.href = oauthServerUrl;
-    const baseUrl = `${a.protocol}//${a.hostname}`;
-    console.log(baseUrl);
   }
-  else oauthServerUrl = "home";
+});
+
+Meteor.call('getOauthDashboardUrl', (_, result) => {
+  if (result) {
+    oauthDashboardUrl = result;
+  }
 });
 
 Meteor.call('isDisableRegistration', (_, result) => {
@@ -30,9 +41,7 @@ Meteor.call('isDisableRegistration', (_, result) => {
     //console.log(result);
   }
 });
-Meteor.call('isOidcRedirectionEnabled', (_, result) => {
-  oidcEnabled = result ? true : false;
-});
+
 Meteor.call('isDisableForgotPassword', (_, result) => {
   if (result) {
     disableForgotPassword = true;
@@ -70,17 +79,19 @@ AccountsTemplates.configure({
   showForgotPasswordLink: !disableForgotPassword,
   forbidClientAccountCreation: disableRegistration,
   onLogoutHook() {
-    if(oidcEnabled && oauthServerUrl!=="home")
+    // here comeslogic for redirect
+    if(oidcRedirectionEnabled)
     {
-
-      oidcEnabled = !oidcEnabled;
-      window.location.href = oauthServerUrl + "/if/user/#/library";
+      window.location = oauthServerUrl + oauthDashboardUrl;
     }
-    const homePage = 'home';
-    if (FlowRouter.getRouteName() === homePage) {
-      FlowRouter.reload();
-    } else {
-      FlowRouter.go(homePage);
+    else
+    {
+      const homePage = 'home';
+      if (FlowRouter.getRouteName() === homePage) {
+        FlowRouter.reload();
+      } else {
+        FlowRouter.go(homePage);
+      }
     }
   },
 });
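Review bot: `onLogoutHook` in the last hunk no longer checks `oauthServerUrl!=="home"` before redirecting, so if `oidcRedirectionEnabled` is true while `getOauthServerUrl` returned nothing (or its callback has not run yet — both URLs are filled in asynchronously by `Meteor.call` at module load), the logout navigates to the placeholder `"home" + oauthDashboardUrl`, a relative path on this site, instead of the provider's logout page, and the local `FlowRouter` fallback is skipped. Keeping the guard, `if(oidcRedirectionEnabled && oauthServerUrl !== "home")`, lets the existing `else` branch handle that case. Both values presumably come from server-side configuration (the README in this commit maps them to `OAUTH2_SERVER_URL` and `DASHBOARD_URL`), which is worth stating in a comment since the hook performs no validation of the redirect target; `window.location.assign(oauthServerUrl + oauthDashboardUrl)` is also the more explicit form. The comment `// here comeslogic for redirect` is missing a space. `AccountsTemplates.configure({` starts outside the hunk.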

+ 1 - 2
models/settings.js

@@ -508,8 +508,7 @@ if (Meteor.isServer) {
       return process.env.PASSWORD_LOGIN_ENABLED === 'false';
     },
     isOidcRedirectionEnabled(){
-      console.log(process.env.REDIRECT_LOGIN_LOGOUT_TO_OIDC === 'true');
-      return process.env.REDIRECT_LOGIN_LOGOUT_TO_OIDC === 'true';
+      return process.env.OIDC_REDIRECTION_ENABLED === 'true';
     },
   });
 }
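Review bot: `isOidcRedirectionEnabled` now reads `OIDC_REDIRECTION_ENABLED` instead of `REDIRECT_LOGIN_LOGOUT_TO_OIDC` with no fallback, so deployments that still set the old variable silently lose the redirect; if the rename is intended, either a note in the README section this commit adds or a transitional `|| process.env.REDIRECT_LOGIN_LOGOUT_TO_OIDC === 'true'` would avoid the surprise. If the enclosing object is a `Meteor.methods` call (it starts outside the hunk), the method is callable by any client, which is acceptable for a boolean flag but deserves a one-line comment so that nothing sensitive is later added to the same block.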

+ 22 - 2
packages/wekan-oidc/README.md

@@ -47,6 +47,26 @@ See example below:
 
   NOTE: orgs & teams won't be updated if they already exist.
 
-  5. Manages admin rights as well. If user is in Group which has isAdmin: set to true, user will get admin 
-     privileges in Wekan as well. 
+  5. Manages admin rights as well. If user is in Group which has isAdmin: set to true, user will get admin
+     privileges in Wekan as well.
      If no adjustments (e.g. 1-3) are made on oidc provider's side, user will receive his/her admin rights from before.
+
+## For further empowerment of oidc as sso solution
+
+If you want to be redirected to your oidc provider on LOGIN without going the extra loop of signing in.
+On LOGOUT you will be redirected to the oidc provider as well.
+
+Add to your .env file:
+
+OIDC_REDIRECTION_ENABLED=true
+OAUTH2_SERVER_URL=http://localhost:9000
+DASHBOARD_URL=/if/session-end/wekan/
+
+Example for authentik.
+The latter specifies the OIDC Dashboard you'll get redirected on logout
+
+Flow:
+You need to have an oidc provider configured to get this feature
+Make sure to have
+Authorize Application (default-provider-authorization-implicit-consent)
+enabled

+ 9 - 12
packages/wekan-oidc/oidc_client.js

@@ -7,8 +7,6 @@ Oidc = {};
 //   error.
 Oidc.requestCredential = function (options, credentialRequestCompleteCallback) {
   // support both (options, callback) and (callback).
-  console.log("from client");
-  console.log(options);
   if (!credentialRequestCompleteCallback && typeof options === 'function') {
     credentialRequestCompleteCallback = options;
     options = {};
@@ -57,14 +55,13 @@ Oidc.requestCredential = function (options, credentialRequestCompleteCallback) {
     width:  options.popupOptions.width || 320,
     height: options.popupOptions.height || 450
   };
-  OAuth.saveDataForRedirect(options.loginService, options.credentialToken);
-  Accounts.oauth.tryLoginAfterPopupClosed(credentialToken, credentialRequestCompleteCallback);
-  // OAuth.launchLogin({
-  //   loginService: 'oidc',
-  //   loginStyle: loginStyle,
-  //   loginUrl: loginUrl,
-  //   credentialRequestCompleteCallback: credentialRequestCompleteCallback,
-  //   credentialToken: credentialToken,
-  //   popupOptions: popupOptions,
-  // });
+
+  OAuth.launchLogin({
+    loginService: 'oidc',
+    loginStyle: loginStyle,
+    loginUrl: loginUrl,
+    credentialRequestCompleteCallback: credentialRequestCompleteCallback,
+    credentialToken: credentialToken,
+    popupOptions: popupOptions,
+  });
 };

+ 0 - 2
packages/wekan-oidc/oidc_server.js

@@ -19,8 +19,6 @@ var serviceData = {};
 var userinfo = {};
 
 OAuth.registerService('oidc', 2, null, function (query) {
-  console.log(Date.now());
-  console.log("query: ", query);
   var debug = process.env.DEBUG || false;
 
   var token = getToken(query);