update keycloak login with offline access_type

NewbMiao · Jun 17, 2023 · 6a4d870 · 6a4d870
1 parent 963f52e
commit 6a4d870
Show file tree

Hide file tree

Showing 9 changed files with 59 additions and 55 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -7,3 +7,5 @@ Cargo.lock
 .idea
 .vscode
 .github
+infrastructure/
+examples/
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -14,10 +14,16 @@ oauth2 = "4.4.0"
 reqwest = "0.11.18"
 serde = { version = "1.0.163", features = ["derive"] }
 serde_json = "1.0.96"
-sqlx = { version = "0.6.3", features = ["postgres","runtime-tokio-rustls","chrono", "offline"] }
+sqlx = { version = "0.6.3", features = [
+    "postgres",
+    "runtime-tokio-rustls",
+    "chrono",
+    "offline",
+] }
 thiserror = "1.0.40"
-tokio = { version = "1.0", features = ["full"] }
+tokio = { version = "1.0", features = ["macros", "sync"] }
 tower = { version = "0.4", features = ["util", "filter"] }
 tower-http = { version = "0.4.0", features = ["cors", "trace"] }
 tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["env-filter", "json"] }
+openssl = { version = "0.10.54", features = ["vendored"] }
diff --git a/Dockerfile b/Dockerfile
@@ -17,7 +17,6 @@ RUN cargo build --release --bin axum-koans
 
 # We do not need the Rust toolchain to run the binary!
 FROM debian:buster-slim AS runtime
-RUN apt-get update && apt-get install -y libssl-dev
 WORKDIR /app
 COPY --from=builder /app/target/release/axum-koans .
 EXPOSE 8000

diff --git a/precommit-init.sh → devtool-init.sh b/precommit-init.sh → devtool-init.sh
@@ -17,26 +17,36 @@ else
     echo "rustup already installed"
 fi
 
+if ! command -v cargo-binstall &>/dev/null; then
+    curl -L --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/cargo-bins/cargo-binstall/main/install-from-binstall-release.sh | bash
+else
+    echo "cargo-binstall already installed"
+fi
+
 # Check if nextest is installed
 if ! command -v cargo-nextest &>/dev/null; then
     echo "cargo-nextest not found. Installing..."
-    cargo install cargo-nextest --locked
+    # cargo install cargo-nextest --locked
+    cargo binstall -y cargo-nextest
 else
     echo "cargo-nextest already installed"
 fi
 
 # Check if cargo-deny is installed
 if ! command -v cargo-deny &>/dev/null; then
     echo "cargo-deny not found. Installing..."
-    cargo install cargo-deny --locked
+    # cargo install cargo-deny --locked
+    cargo binstall -y cargo-deny
+
 else
     echo "cargo-deny already installed"
 fi
 
 # Check if typos is installed
 if ! command -v typos &>/dev/null; then
     echo "typos not found. Installing..."
-    cargo install typos-cli
+    cargo binstall -y typos-cli
+    # cargo install typos-cli
 else
     echo "typos already installed"
 fi
@@ -49,6 +59,15 @@ else
     echo "sqlx-cli already installed"
 fi
 
+# Check if sqlx-cli is installed, rerun when src code changed: `cargo watch -c -w src -x run`
+if ! command -v cargo-watch &>/dev/null; then
+    echo "cargo-watch not found. Installing..."
+    # cargo install cargo-watch
+    cargo binstall -y cargo-watch
+else
+    echo "cargo-watch already installed"
+fi
+
 # Install pre-commit hooks
 echo "Installing pre-commit hooks..."
 pre-commit install
diff --git a/infrastructure/keycloak/main.tf b/infrastructure/keycloak/main.tf
@@ -34,7 +34,7 @@ resource "keycloak_oidc_google_identity_provider" "google" {
   client_secret = var.google_client_secret
   trust_email   = true
   hosted_domain = "*"
-  sync_mode     = "FORCE" # force sync mode to user for all mappers attached to this idp
+  sync_mode     = "IMPORT"
   provider_id   = "google"
 
   default_scopes = "openid profile email"

diff --git a/readme.md b/readme.md
@@ -18,8 +18,8 @@
 3. init application
 
 ```shell
-# [Optional], for precommit initialization
-sh ./precommit-init.sh
+# [Optional], for devtool initialization
+sh ./devtool-init.sh
 
 # configure initialization, and put your google client configuration in
 cp .env.dev .env

diff --git a/src/extensions/keycloak_auth.rs b/src/extensions/keycloak_auth.rs
@@ -38,13 +38,13 @@ pub struct TokenExchangeResponse {
 }
 #[derive(Deserialize, Serialize, Debug)]
 pub struct UserInfo {
-    sub: String,
-    email_verified: bool,
-    name: String,
-    preferred_username: String,
-    given_name: String,
-    family_name: String,
-    email: String,
+    pub sub: String,
+    pub email_verified: bool,
+    pub name: String,
+    pub preferred_username: String,
+    pub given_name: String,
+    pub family_name: String,
+    pub email: String,
 }
 
 impl KeycloakAuth {
@@ -80,6 +80,8 @@ impl KeycloakAuth {
             .authorize_url(CsrfToken::new_random)
             .add_scope(Scope::new("openid".to_string()))
             .add_extra_param("kc_idp_hint", kc_idp_hint.as_str()) // use google directly
+            .add_extra_param("prompt", "consent")
+            .add_extra_param("access_type", "offline")
             .set_pkce_challenge(pkce_challenge.0.clone())
             .url();
         let csrf_token_key = csrf_token.secret().to_string();

diff --git a/src/handlers/login.rs b/src/handlers/login.rs
@@ -59,6 +59,5 @@ pub async fn login_callback_handler(
     let google_info = google_auth
         .get_user_info(google_tokens.access_token)
         .await?;
-
     Ok(Json(json!({ "google": google_info, "keycloak":userinfo })))
 }