Authentication in WebUI#1350
Merged
Merged
Conversation
Allow configuring multiple identity providers in TagBasedAccessPolicy by accepting either a single string or a list of strings for the provider parameter.
Add authentication to the React web frontend: - Login page with password and OIDC provider support - Token persistence (localStorage) with automatic refresh - Authenticated image loading and file downloads via axios - User menu with logout in app bar - OAuth callback route for OIDC redirect flow - Favicon route on the server - Add prompt=login to OIDC authorize params
2 tasks
Support authenticating WebSocket connections by sending credentials in the first JSON message instead of exposing tokens in query parameters. - Add authenticate_websocket_first_message() helper - Add get_decoded_access_token_websocket() for JWT on WebSocket - Update get_current_principal_websocket to return None (instead of 401) when no credentials provided, enabling the first-message fallback - Update streaming handler to accept already_accepted parameter - Add tests for first-message auth (valid key, wrong key, invalid msg)
…agement Restructure the web UI authentication code into a dedicated auth/ module with proper separation of concerns: - auth/types.ts: shared AuthTokens and UserIdentity interfaces - auth/token-manager.ts: TokenManager class with JWT decode, expiry tracking, and localStorage management - auth/auth-context.tsx: React context definition and useAuth hook - auth/auth-provider.tsx: AuthProvider with axios interceptors (with cleanup on unmount), proactive token refresh scheduling, and deduplicated 401 retry logic Also: - Add link URL relativization in client.ts so the UI works regardless of the origin the server reports in links - Add root route redirect (/ → /browse/) - Remove module-level axios interceptors from client.ts (now managed by AuthProvider lifecycle) - Type selectMetadata as string | null instead of any Co-authored-by: Aditi Chikkali <achikkali1@bnl.gov>
- Wrap DynamicSpecView in ErrorBoundary so a crashing plugin doesn't take down the entire UI - Remove failed <script> elements from the DOM so retries are possible - Add comments explaining why loaded scripts are cached and not removed Co-authored-by: Aditi Chikkali <achikkali1@bnl.gov>
…tches, and dev proxy - Export axiosInstance and add response interceptor to transform absolute URLs in 'links' fields to relative paths, so the UI works regardless of the origin the server reports - Fix about() to use /api/v1/ instead of / (the correct API endpoint) - Fix selectMetadata type from any to string | null - Use axiosInstance for image loading in array-nd (blob fetch with auth) - Use axiosInstance for download/open in download-core (blob fetch with auth) - Add WebSocket proxy and /custom proxy to vite dev server config
- Add Tiled logo SVG, favicon (.ico and .svg) to public assets - Update index.html to use new Tiled favicon - Add /favicon.ico endpoint to serve the icon from the server - Replace text-only app bar with clickable Tiled logo + title linking to /browse/ - Fix CHANGELOG typo (compfixedliant -> compliant)
# Conflicts: # web-frontend/src/components/tiled-app-bar/tiled-app-bar.tsx
Closed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This adds a complete authentication flow to the web frontend, enabling the browser UI to work with authenticated Tiled servers. Supports both password-based (internal) and OIDC (external) authentication providers (NOTE: currently, with the tag-based authz, only a single provider is fully supported at a time).
Login & Routing
Token Lifecycle (auth/ module)
window.__TILED_ACCESS_TOKEN__global (for use by spec view plugins)Client Improvements
Server-side
Branding
Testing
To test, use the following:
docker run --rm -p 9000:9000 -v $(pwd)/config:/config -e CONFIG_FILE=/config/oidc_qlik_config.json -e USERS_FILE=/config/oidc_qlik_users.json qlik/simple-oidc-provider:0.2.4using the following config files:
{ "idp_name": "http://simple-oidc-provider", "port": 9000, "client_config": [ { "client_id": "tiled_oidc_client", "client_secret": "tiled_oidc_secret", "redirect_uris": [ "http://localhost:8000/api/v1/auth/provider/oidc/code" ] } ], "claim_mapping": { "openid": [ "sub" ], "email": [ "email", "email_verified" ], "profile": [ "name", "nickname" ] } }[ { "id": "qlikuser", "email": "qlikuser@example.com", "email_verified": true, "name": "Qlik User", "nickname": "qlikuser", "password": "password", "groups": [] } ]Co-authored-by: Aditi Chikkali achikkali1@bnl.gov
Depends on #1351 and
#1352.Checklist