feat(auth): Add Authorization Code Flow and new Keycloak recipes with…

… new video tutorials (#4234)

Co-authored-by: Alireza <[email protected]>

.gitignore

@@ -43,7 +43,7 @@ videos/
 # autogenerated files
 platform/app/src/pluginImports.js
 /Viewers.iml
-platform/app/.recipes/Nginx-Dcm4Che/dcm4che/dcm4che-arc/*
+platform/app/.recipes/Nginx-Dcm4Chee/logs/*
 platform/app/.recipes/OpenResty-Orthanc/logs/*
 .vercel
 

platform/app/.recipes/Nginx-Dcm4chee-Keycloak/.gitignore

@@ -0,0 +1,6 @@
+logs/*
+volumes/*
+config/letsencrypt/*
+config/certbot/*
+!config/letsencrypt/.gitkeep
+!config/certbot/.gitkeep

platform/app/.recipes/Nginx-Dcm4chee-Keycloak/config/entrypoint.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Start oauth2-proxy
+oauth2-proxy --config=/etc/oauth2-proxy/oauth2-proxy.cfg &
+
+# Start nginx
+nginx -g "daemon off;"

platform/app/.recipes/Nginx-Dcm4chee-Keycloak/config/nginx.conf

@@ -0,0 +1,240 @@
+worker_processes auto;
+error_log /var/logs/nginx/error.log debug;
+pid /var/run/nginx.pid;
+
+events {
+    worker_connections 1024;
+    use epoll;
+    multi_accept on;
+}
+
+http {
+    include '/etc/nginx/mime.types';
+    default_type application/octet-stream;
+
+    keepalive_timeout 65;
+    keepalive_requests 100000;
+    tcp_nopush on;
+    tcp_nodelay on;
+
+    proxy_buffers 16 16k;
+    proxy_buffer_size 32k;
+    proxy_busy_buffers_size 64k;
+    proxy_max_temp_file_size 128k;
+
+
+    gzip on;
+    gzip_disable "msie6";
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
+
+    server {
+        listen 80;
+        server_name YOUR_DOMAIN;
+
+        client_max_body_size 0;
+
+        location /.well-known/acme-challenge/ {
+            root /var/www/certbot;
+        }
+
+        location / {
+            return 301 https://$host$request_uri;
+        }
+    }
+
+    server {
+        listen 443 ssl;
+        server_name YOUR_DOMAIN;
+        ssl_certificate /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem;
+        root /var/www/html;
+
+        gzip on;
+        gzip_types text/css application/javascript application/json image/svg+xml;
+        gzip_comp_level 9;
+        etag on;
+
+        location /sw.js {
+            add_header Cache-Control "no-cache";
+            proxy_cache_bypass $http_pragma;
+            proxy_cache_revalidate on;
+            expires off;
+            access_log off;
+        }
+
+
+        location /oauth2 {
+            expires -1;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Auth-Request-Redirect $request_uri;
+            proxy_pass http://localhost:4180$uri$is_args$args;
+        }
+
+        location /oauth2/callback {
+            proxy_pass http://localhost:4180;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+
+        location /oauth2/sign_out {
+            expires -1;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Auth-Request-Redirect /oauth2/sign_in;
+            proxy_pass http://localhost:4180;
+        }
+
+
+        location /pacs/ {
+            auth_request /oauth2/auth;
+            proxy_http_version 1.1;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            expires 0;
+            add_header Cache-Control private;
+
+            add_header 'Access-Control-Allow-Origin' '*' always;
+            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
+            add_header 'Access-Control-Allow-Headers' 'Authorization, Origin, X-Requested-With, Content-Type, Accept' always;
+
+            if ($request_method = OPTIONS) {
+                add_header 'Access-Control-Allow-Origin' '*';
+                add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+                add_header 'Access-Control-Allow-Headers' 'Authorization, Origin, X-Requested-With, Content-Type, Accept';
+                add_header 'Access-Control-Max-Age' 1728000;
+                add_header 'Content-Type' 'text/plain; charset=utf-8';
+                add_header 'Content-Length' 0;
+                return 204;
+            }
+
+            rewrite ^/pacs/(.*) /dcm4chee-arc/aets/DCM4CHEE/rs/$1 break;
+            proxy_pass http://arc:8080;
+        }
+
+        location /pacs-admin {
+            return 301 /pacs-admin/;
+        }
+
+        # Redirect /pacs-admin to /dcm4chee-arc/ui2/
+        location = /pacs-admin {
+            return 301 $scheme://$host/dcm4chee-arc/ui2/;
+        }
+
+        # Handle /pacs-admin/ requests
+        location /pacs-admin/ {
+            return 301 $scheme://$host/dcm4chee-arc/ui2/;
+        }
+
+        # Proxy pass for /dcm4chee-arc/ui2/
+        location /dcm4chee-arc/ui2/ {
+            error_page 401 = /oauth2/sign_in?rd=$scheme://$host$request_uri;
+            auth_request /oauth2/auth?allowed_groups=pacsadmin;
+
+            auth_request_set $user $upstream_http_x_auth_request_user;
+            auth_request_set $token $upstream_http_x_auth_request_access_token;
+            auth_request_set $auth_cookie $upstream_http_set_cookie;
+
+            proxy_set_header X-User $user;
+            proxy_set_header X-Access-Token $token;
+            add_header Set-Cookie $auth_cookie;
+
+            proxy_http_version 1.1;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            expires 0;
+            add_header Cache-Control private;
+
+            add_header 'Access-Control-Allow-Origin' '*' always;
+            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
+            add_header 'Access-Control-Allow-Headers' 'Authorization, Origin, X-Requested-With, Content-Type, Accept' always;
+
+            if ($request_method = OPTIONS) {
+                add_header 'Access-Control-Allow-Origin' '*';
+                add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+                add_header 'Access-Control-Allow-Headers' 'Authorization, Origin, X-Requested-With, Content-Type, Accept';
+                add_header 'Access-Control-Max-Age' 1728000;
+                add_header 'Content-Type' 'text/plain; charset=utf-8';
+                add_header 'Content-Length' 0;
+                return 204;
+            }
+
+            proxy_pass http://arc:8080;
+        }
+
+        # Proxy pass for other /dcm4chee-arc/ requests
+        location /dcm4chee-arc/ {
+            proxy_pass http://arc:8080;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+
+
+        location /pacs {
+            return 301 /pacs/;
+        }
+
+
+        location /ohif-viewer/ {
+            expires -1;
+            error_page 401 = /oauth2/sign_in?rd=$scheme://$host$request_uri;
+            auth_request /oauth2/auth;
+
+            auth_request_set $user $upstream_http_x_auth_request_user;
+            auth_request_set $token $upstream_http_x_auth_request_access_token;
+            auth_request_set $auth_cookie $upstream_http_set_cookie;
+
+            proxy_set_header X-User $user;
+            proxy_set_header X-Access-Token $token;
+            add_header Set-Cookie $auth_cookie;
+
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Server $host;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            index index.html;
+            try_files $uri $uri/ /index.html;
+        }
+
+
+        location /ohif-viewer {
+            return 301 /ohif-viewer/;
+        }
+
+        location = / {
+            return 301 /ohif-viewer/;
+        }
+
+        location / {
+            add_header Cache-Control "no-store, no-cache, must-revalidate";
+            add_header 'Cross-Origin-Opener-Policy' 'same-origin' always;
+            add_header 'Cross-Origin-Embedder-Policy' 'require-corp' always;
+        }
+
+        location /keycloak/ {
+            proxy_pass http://keycloak:8080/;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+
+        location /keycloak {
+            return 301 /keycloak/;
+        }
+    }
+}

platform/app/.recipes/Nginx-Dcm4chee-Keycloak/config/oauth2-proxy.cfg

@@ -0,0 +1,22 @@
+http_address="0.0.0.0:4180"
+cookie_secret="GENERATEACOOKIESECRET----------------------="
+email_domains=["*"]
+cookie_secure="false"
+cookie_expire="9m30s"
+cookie_refresh="5m"
+client_secret="2Xtlde7aozdkzzYHdIxQNfPDr0wNPTgg"
+client_id="ohif_viewer"
+redirect_url="http://YOUR_DOMAIN/oauth2/callback"
+
+ssl_insecure_skip_verify = true
+insecure_oidc_allow_unverified_email = true
+pass_access_token = true
+provider="keycloak-oidc"
+provider_display_name="Keycloak"
+user_id_claim="oid"
+oidc_email_claim="sub"
+scope="openid"
+pass_host_header=true
+code_challenge_method="S256"
+oidc_issuer_url="http://YOUR_DOMAIN/keycloak/realms/ohif"
+insecure_oidc_skip_issuer_verification = true