@geogirafe/lib-geoportal
Version:
GeoGirafe is a flexible application to build online geoportals.
38 lines (37 loc) • 2.08 kB
TypeScript
import IGirafeContext from '../context/icontext.js';
import AbstractConnectManager from './abstractconnectmanager.js';
import GMFManager from './gmfmanager.js';
/**
* For diverse reasons, this could NOT be done using the oAuth2 mechanisms of GMF:
* 1. There is no .well-know discovery endpoint
* 2. The token endpoint needs a client_secret, and for security reasons it has to be called from the backend itself.
* There is not custom backend for GeoGirafe and we cannot do this.
* 3. The redirect url is limited to exact matches, and we cannot pass the state of the application in the redirect_uri
* 4. Using GMF oAuth2 routes for authentification does not authenticate the user to the backend.
* It just tells the client that you have a correct user in GMF.
* But you do not get any valid cookie for the GMF Backend.
*
* For all those reasons, we cannot use the geomapfish oAuth process
* Instead we will use the login.html page of the backend to delegate the login to the backend
* This will be a standard GMF login, there is no oAuth Process here.
*
* NOTE: If the geogirafe client is not running on the same domain as the GMF backend,
* the GMF Backend needs to be configured with :
* - CORS with credentials for specific domain (this can be done for example with an lua script at the in the haproxy configuration)
* - The frontend domain has to be allowed as referer in the vars.yaml file.
* - The variable AUTHTKT_SAMESITE has to be set to None, to allow authentication cookies to be sent to the backend from another domain
* There is no need for any oAuth2 configuration in the admin tool.
*/
export default class GMFConnectManager extends AbstractConnectManager {
private readonly gmfManager;
constructor(context: IGirafeContext, gmfManager: GMFManager);
private get authConfig();
private isAuthentified;
initialize(): Promise<void>;
login(): Promise<void>;
silentLogin(): Promise<void>;
logout(): Promise<void>;
private redirectToIssuerLogin;
private handleLoggedInToIssuer;
private refreshToken;
}