frontend: Redirect to the authorization server from the apiserver

This simplifies the apiserver logic, and improves security since the
Web browser never get access to the access/refresh tokens.

* No longer need to configure the redirect URL on the apiserver
* the /web/login/start and /web/login/end endpoints are now simpler 
  GET operations that use redirects.  
* /web/refresh now does NOT send the tokens back to the frontend
* Keycloak is configured to redirect to the apiserver instead of the front end.
* Simplified the refresh logic too.

Signed-off-by: Hiram Chirino <[email protected]>

cmd/apiserver/main.go

@@ -189,13 +189,6 @@ func main() {
 				Usage:   "OTLP endpoint for trace data",
 				Sources: cli.EnvVars("NEXAPI_TRACE_ENDPOINT_OTLP"),
 			},
-
-			&cli.StringFlag{
-				Name:    "redirect-url",
-				Usage:   "Redirect URL. This is the URL of the SPA.",
-				Value:   "https://example.com",
-				Sources: cli.EnvVars("NEXAPI_REDIRECT_URL"),
-			},
 			&cli.StringSliceFlag{
 				Name:    "scopes",
 				Usage:   "Additional OAUTH2 scopes",
@@ -344,6 +337,12 @@ func main() {
 					log.Fatal(err)
 				}
 
+				api.URL = command.String("url")
+				api.URLParsed, err = url.Parse(api.URL)
+				if err != nil {
+					log.Fatal(fmt.Errorf("invalid url: %w", err))
+				}
+
 				smtpServer := email.SmtpServer{
 					HostPort: command.String("smtp-host-port"),
 					User:     command.String("smtp-user"),
@@ -368,7 +367,7 @@ func main() {
 					command.Bool("insecure-tls"),
 					command.String("oidc-client-id-web"),
 					command.String("oidc-client-secret-web"),
-					command.String("redirect-url"),
+					fmt.Sprintf("%s/web/login/end", api.URL),
 					scopes,
 					command.String("domain"),
 					command.StringSlice("origins"),
@@ -403,11 +402,6 @@ func main() {
 				if err != nil {
 					log.Fatal(fmt.Errorf("invalid tls-key: %w", err))
 				}
-				api.URL = command.String("url")
-				api.URLParsed, err = url.Parse(api.URL)
-				if err != nil {
-					log.Fatal(fmt.Errorf("invalid url: %w", err))
-				}
 
 				router, err := routers.NewAPIRouter(ctx, routers.APIRouterOptions{
 					Logger:          logger.Sugar(),

deploy/nexodus/base/apiserver/deployment.yaml

@@ -103,11 +103,6 @@ spec:
                 configMapKeyRef:
                   name: apiserver
                   key: NEXAPI_FFLAG_SECURITY_GROUPS
-            - name: NEXAPI_REDIRECT_URL
-              valueFrom:
-                configMapKeyRef:
-                  name: apiserver
-                  key: NEXAPI_REDIRECT_URL
             - name: NEXAPI_ORIGINS
               valueFrom:
                 configMapKeyRef:

deploy/nexodus/base/apiserver/kustomization.yaml

@@ -13,7 +13,6 @@ configMapGenerator:
       - NEXAPI_DB_SSLMODE=require
       - NEXAPI_DOMAIN=api.try.nexodus.127.0.0.1.nip.io
       - NEXAPI_URL=https://api.try.nexodus.127.0.0.1.nip.io
-      - NEXAPI_REDIRECT_URL=https://try.nexodus.127.0.0.1.nip.io/#/login
       - NEXAPI_ORIGINS=https://try.nexodus.127.0.0.1.nip.io
       - NEXAPI_SCOPES=read:organizations,write:organizations,read:users,write:users,read:devices,write:devices
       - NEXAPI_REDIS_SERVER=redis:6379

deploy/nexodus/base/auth/deployment.yaml

@@ -83,6 +83,11 @@ spec:
                 configMapKeyRef:
                   name: auth-config
                   key: frontend-url
+            - name: REDIRECT_URL
+              valueFrom:
+                configMapKeyRef:
+                  name: auth-config
+                  key: redirect-url
             - name: GOOGLE_CLIENT_ID
               valueFrom:
                 secretKeyRef:

deploy/nexodus/base/auth/files/nexodus.json

@@ -742,7 +742,7 @@
       "clientAuthenticatorType": "client-secret",
       "secret": "${WEB_CLIENT_SECRET}",
       "redirectUris": [
-        "${FRONTEND_URL}/*"
+        "${REDIRECT_URL}/*"
       ],
       "webOrigins": [
         "+"

deploy/nexodus/base/auth/kustomization.yaml

@@ -9,6 +9,7 @@ configMapGenerator:
   - literals:
       - hostname=auth.try.nexodus.127.0.0.1.nip.io
       - frontend-url=https://try.nexodus.127.0.0.1.nip.io
+      - redirect-url=https://api.try.nexodus.127.0.0.1.nip.io/web
     name: auth-config
   - files:
       - files/nexodus.json

deploy/nexodus/overlays/playground/files/nexodus.json

@@ -742,7 +742,7 @@
       "clientAuthenticatorType": "client-secret",
       "secret": "${WEB_CLIENT_SECRET}",
       "redirectUris": [
-        "${FRONTEND_URL}/*"
+        "${REDIRECT_URL}/*"
       ],
       "webOrigins": [
         "+"

deploy/nexodus/overlays/playground/kustomization.yaml

@@ -11,6 +11,7 @@ configMapGenerator:
     literals:
       - hostname=auth.playground.nexodus.io
       - frontend-url=https://playground.nexodus.io
+      - redirect-url=https://api.playground.nexodus.io/web
   - behavior: replace
     name: realm
     files:
@@ -30,7 +31,6 @@ configMapGenerator:
       - NEXAPI_URL=https://api.playground.nexodus.io
       - NEXAPI_OIDC_URL=https://auth.playground.nexodus.io/realms/nexodus
       - NEXAPI_DOMAIN=api.playground.nexodus.io
-      - NEXAPI_REDIRECT_URL=https://playground.nexodus.io/#/login
       - NEXAPI_ORIGINS=https://playground.nexodus.io
       - NEXAPI_ENVIRONMENT=qa
       - NEXAPI_FFLAG_DEVICES=false

deploy/nexodus/overlays/prod/files/nexodus.json

@@ -742,7 +742,7 @@
       "clientAuthenticatorType": "client-secret",
       "secret": "${WEB_CLIENT_SECRET}",
       "redirectUris": [
-        "${FRONTEND_URL}/*"
+        "${REDIRECT_URL}/*"
       ],
       "webOrigins": [
         "+"

deploy/nexodus/overlays/prod/kustomization.yaml

@@ -10,6 +10,7 @@ configMapGenerator:
     literals:
       - hostname=auth.try.nexodus.io
       - frontend-url=https://try.nexodus.io
+      - redirect-url=https://api.try.nexodus.io/web
     name: auth-config
   - behavior: replace
     files:
@@ -29,7 +30,6 @@ configMapGenerator:
       - NEXAPI_URL=https://api.try.nexodus.io
       - NEXAPI_OIDC_URL=https://auth.try.nexodus.io/realms/nexodus
       - NEXAPI_DOMAIN=api.try.nexodus.io
-      - NEXAPI_REDIRECT_URL=https://try.nexodus.io/#/login
       - NEXAPI_ORIGINS=https://try.nexodus.io
       - NEXAPI_ENVIRONMENT=production
       - NEXAPI_FFLAG_SITES=false

deploy/nexodus/overlays/qa/files/nexodus.json

@@ -742,7 +742,7 @@
       "clientAuthenticatorType": "client-secret",
       "secret": "${WEB_CLIENT_SECRET}",
       "redirectUris": [
-        "${FRONTEND_URL}/*"
+        "${REDIRECT_URL}/*"
       ],
       "webOrigins": [
         "+"

deploy/nexodus/overlays/qa/kustomization.yaml

@@ -14,6 +14,7 @@ configMapGenerator:
     literals:
       - hostname=auth.qa.nexodus.io
       - frontend-url=https://qa.nexodus.io
+      - redirect-url=https://api.qa.nexodus.io/web
     name: auth-config
   - behavior: merge
     literals:
@@ -29,7 +30,6 @@ configMapGenerator:
       - NEXAPI_URL=https://api.qa.nexodus.io
       - NEXAPI_OIDC_URL=https://auth.qa.nexodus.io/realms/nexodus
       - NEXAPI_DOMAIN=api.qa.nexodus.io
-      - NEXAPI_REDIRECT_URL=https://qa.nexodus.io/#/login
       - NEXAPI_ORIGINS=https://qa.nexodus.io
       - NEXAPI_ENVIRONMENT=qa
       - NEXAPI_DEBUG=0

internal/api/public/.openapi-generator/FILES

@@ -29,14 +29,8 @@ model_models_endpoint.go
 model_models_internal_server_error.go
 model_models_invitation.go
 model_models_key_usage.go
-model_models_login_end_request.go
-model_models_login_end_response.go
-model_models_login_start_response.go
-model_models_logout_response.go
 model_models_not_allowed_error.go
 model_models_organization.go
-model_models_refresh_token_request.go
-model_models_refresh_token_response.go
 model_models_reg_key.go
 model_models_security_group.go
 model_models_security_rule.go