Automatic login via OIDC

[bgruening]

We have the same OIDC provider in Galaxy and an external service called EEN. Users can login via this OIDC provider in both services.

Users logged-in into EEN should now be redirected to Galaxy.
What is the direct login URL with the IDP hinting for this specific IDP / OIDP provider that both sides support.

I thought its https://usegalaxy.eu/authnz/keycloak/login. But this seems to be wrong.

Is there such a URL, or any other way to login users automatically?

A different example would be the IWC use-case. Assuming that IWC is a full application where you login with Google and then want to start a workflow on usegalaxy.org using your google account.

---

Could you please provide us with the direct login URL to usegalaxy.eu with IDP hinting for "EOSC AAI"
to enable SSO from EEN User Space (testing environment) to usegalaxy.eu without the user having to click "Login" again at the Galaxy service side?

There is an external website "EEN", where people can authenticate via OIDC. On EU we have this same login mechanism enabled. So users can login via the same mechanism on EU and EEN. So far so good.
The EEN people now would like to redirect users to EU, without the need for them to click "login" again. The login should happen automatically and the workflow-landing page etc should be shown.

My understanding is that external services like EEN, need to call

curl -v https://usegalaxy.eu/authnz/keycloak/login

parse the response and extract the redirect_url?

We got the following request/question and use-case:

Could you please provide a GET endpoint with all the required parameters selected (IDP selection, REDIRECT_URI) to enable SSO from EEN User Space (testing environment) to usegalaxy.eu without the user having to click "Login" again at the Galaxy service side?

In case it helps please find below a similar request to an OpenStack service:
https://api.cloud.psnc.pl:5000/redirect_uri?iss=https://proxy.aai.open-science-cloud.ec.europa.eu&target_link_uri=https://api.cloud.psnc.pl:5000/v3/auth/OS-FEDERATION/identity_providers/aai.open-science-cloud.ec.europa.eu/protocols/openid/websso?origin=https://eu-1.iaas.open-science-cloud.ec.europa.eu/auth/websso/

Is there anyway currently we can provide this? Or do external services need to parse the https://usegalaxy.eu/authnz/keycloak/login response?

[uwwint]

Hi Bjoern,
in essence you are correct, but it is not that simple ;) because why would it be. The easiest way to do what you want is to include a js function on the EEN side like this:

// Fetch redirect URI from Galaxy EU auth endpoint and redirect user
fetch("https://usegalaxy.eu/authnz/keycloak/login")
  .then(response => response.json())
  .then(data => {
    if (data.redirect_uri) {
      window.location.href = data.redirect_uri;
    } else {
      console.error("No redirect_uri found in response:", data);
    }
  })
  .catch(err => console.error("Request failed:", err));

and then call that on click of their button. HOWEVER in order to make that work you need to adjust the CORS header on https://usegalaxy.eu/authnz/keycloak/login - to my knowledge that is not possible in galaxy, therefore you need to add it in your reverse proxy. I can see you are behind an nginx, in which case you need something like this (note how eosc-test-ds.acc.myaccessid.org could change or you could have multiple others):

# Allowlist the external origin(s) that may call the endpoint
map $http_origin $cors_allow_origin {
    default "";
    "~^https://(usegalaxy.eu|eosc-test-ds.acc.myaccessid.org)$" $http_origin;
}

location = /authnz/keycloak/login {
    proxy_pass http://galaxy_upstream;

    # Only add CORS for cross-origin callers we allow
    if ($cors_allow_origin != "") {
        add_header Access-Control-Allow-Origin $cors_allow_origin always;
        add_header Access-Control-Allow-Methods "GET, OPTIONS" always;
        add_header Access-Control-Allow-Headers "Content-Type, Authorization" always;
        # If you need cookies/tokens across origins (you might have to test this):
        # add_header Access-Control-Allow-Credentials "true" always;
    }

    # Preflight for cross-origin callers
    if ($request_method = OPTIONS) {
        add_header Access-Control-Max-Age 86400 always;
        add_header Content-Length 0 always;
        add_header Content-Type text/plain always;
        return 204;
    }
}

from here this would work in the browser, but please regression test your own login button too.

--- Galaxy could be changed to yield a Temporary Redirect (302), when querying authnz. That would allow anyone to create a button wherever they want, in contrast to the current situation where it needs to be explicitly allowed.
The other option is allowing to configure CORS headers per OIDC provider. That would remove the need of configuring anything in the reverse proxy.

[bgruening]

Thanks a lot @uwwint.

My understanding is now, that we need to decide if we want to keep /authz/*/login as GET endpoint and enable CORS. Or if we return a 302 and redirect the user automatically.

Any ideas @galaxyproject/wg-backend ?

[bgruening]

I have updated the description. I think we have been on the wrong track.

[enolfc]

I did a small test for a similar requirement where the community wanted to login to Galaxy directly from a third party service without the need to re-enter the credentials if the user was already logged in in the OIDC provider.

The solution was to return a 302 with the redirect URL and that will start the flow without user having to click anywhere. To not break the current button I introduced a new param called redirect that will be enable the new behaviour, but happy to adapt to better names or approaches. See the PR #21678.