Hawthorn: Implement SSO with no EdX login page


Brian Levine

Dec 8, 2018, 10:50:45 PM
to General Open edX discussion
Hello,

We're integrating OpenEdX with a number of other services all of which are secured using SSO via Keycloak.  Keycloak will be the only auth provider available.  We've successfully integrated Keycloak as an EdX 3rd-party OAuth provider.  Since this is the only auth provider, we'd prefer that the user not have to click the 3rd-party provider button on the EdX login page.  In fact, we'd prefer not to show the EdX login page at all.  However, we'd still need some way for EdX to create its own session.

Is it possible to somehow disable the EdX login page, but still provide a URL (to Keycloak) such that when the user is redirected to that URL, an EdX session is created? We thought of creating a page that simulates the user clicking the 3rd-party provider button by programmatically doing the POST that that button would have done on load. But we're looking for something a bit less hack-y if possible.

Thanks!


Stan V

Dec 9, 2018, 7:38:41 PM
to General Open edX discussion
We hardcoded a redirect in EDX to Keycloak's own login, which then redirects you back into EDX, sending the User ID that seamlessly flows into the EDX login logic in the background. As I recall, there've been a few places to change, but not a big deal. I have the code from that POC somewhere - in Ginkgo, though.

Brian Levine

Dec 9, 2018, 9:38:31 PM
to General Open edX discussion
Thanks Stan,

If you wouldn't mind sharing the code (or pointers to what you changed), I'd certainly appreciate it. We can figure out how to "translate" it into Hawthorn.

Stan V

Dec 10, 2018, 2:49:11 AM
to General Open edX discussion

Brian,
Sure, glad to help. The platform changes seem to be concentrated in 3-4 files, aside from the Theme that was fully custom, but I think the logic is actually driven by the platform code. I’ll email the zipped extract to your gmail, see what you can do with it. If you get stuck, let me know, I’ll look at the Theme code again.
Stan Varlamov

CTO

EXL Inc. | EXLskills.com
Phone (USA): (734) 230-2825

Phone (HK): +852 5506 5715

LinkedIn: https://www.linkedin.com/in/stanvarlamov

Skype: stanvarlamov

Whatsapp: +852 5506 5715

WeChat: stanvarlamov

Brian Levine

Dec 10, 2018, 3:34:08 PM
to General Open edX discussion
Thanks again Stan. It turns out there's a much easier way to accomplish this. I'm not sure if this is available pre-Hawthorn. When configuring the OAuth2 provider, you can check "Skip hinted login dialog." If you then append ?tpa_hint=<oauth2_provider> to any URL for a protected resource, the EdX login page is skipped and you're brought directly to the SSO login page.

I'm not sure why I didn't notice this earlier.

Brian

stv stnfrd

Dec 10, 2018, 5:52:18 PM
to General Open edX discussion
Hi Brian, Stan, and all,

We've actually built this into our fork at Stanford [1].
We use it for our on-campus deployment where we require university
credentials to access the site.

Instead of being shown the login/register page, users are automatically
redirected to the SSO provider and then back again :)

It's configurable via JSON/settings, so it can be enabled/disabled on a
per instance basis.

If there's interest, we can look to submit it upstream to edX!

Let us know what you think!
-- Steven

- [1] https://github.com/Stanford-Online/edx-platform/commit/3271d113e5a572939e9859266639e8770e50441a

Brian Levine

Dec 10, 2018, 6:06:06 PM
to General Open edX discussion
Thanks Steven. At the moment it looks like the tpa_hint mechanism will work fine for us. We can rewrite URLs in our reverse proxy to add that as a query param. Although it would be nice to be able to turn that behavior on by default without having to use the tpa_hint query param.

Brian
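The reverse-proxy rewrite Brian describes, as an added example that is not part of the thread or of edx-platform: it sets `tpa_hint` on the edX login entry points while preserving `next=`, overrides any client-supplied hint so it always names the configured provider, and only redirects when the hint is missing or wrong, so the proxy never loops. The backend name `keycloak` and the `/login` and `/register` paths are assumptions, not values stated in the thread.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed Open edX backend name of the configured Keycloak provider.
# The thread never states it, so this is a placeholder.
PROVIDER_BACKEND = "keycloak"

# Assumed edX entry points that should go straight to the SSO provider.
# Any other path is passed through untouched.
LOGIN_PATHS = ("/login", "/register")


def add_tpa_hint(url: str, backend: str = PROVIDER_BACKEND) -> str:
    """Return `url` with `tpa_hint=<backend>` set in its query string.

    Existing parameters such as `next=` are kept; a client-supplied
    tpa_hint is overwritten so the hint always names our provider.
    """
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    params["tpa_hint"] = backend
    return urlunsplit(parts._replace(query=urlencode(params)))


def needs_rewrite(url: str, backend: str = PROVIDER_BACKEND) -> bool:
    """True when a login path is requested without the expected hint."""
    parts = urlsplit(url)
    if parts.path not in LOGIN_PATHS:
        return False
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    # Redirecting only when the hint is absent/wrong avoids a 302 loop.
    return params.get("tpa_hint") != backend


def rewrite_for_sso(url: str, backend: str = PROVIDER_BACKEND):
    """Proxy rule: (302, hinted_url) to redirect, or (None, url) to pass."""
    if needs_rewrite(url, backend):
        return 302, add_tpa_hint(url, backend)
    return None, url


if __name__ == "__main__":
    # Constructed sample requests, as a proxy would see them.
    for req in ("/login?next=%2Fdashboard",
                "/login?next=%2Fdashboard&tpa_hint=keycloak",
                "/courses/course-v1:Org+Num+Run/about"):
        print(req, "->", rewrite_for_sso(req))
```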

Stan V

Dec 10, 2018, 6:59:43 PM
to General Open edX discussion
Looks like the pipeline and student_account changes are all that's needed, and they are pretty minor: bypass the login screen popup and enable an automatic EDX user creation with the info coming in from the 3rd party. I still don't recall what's happening on the logout side, though - whether the Keycloak session can be closed easily.

Stan V

Dec 11, 2018, 4:11:11 AM
to General Open edX discussion
After taking another look at my customizations archive, common/djangoapps/student/views.py, method dispatch(self, request, *args, **kwargs) is where the few lines of the Keycloak logout custom code have been added, so the loop is complete.