Client in "OIDC mode" #5889
Description
OIDC (Keycloak) Authentication Support via Traefik Middleware
Context
OpenSlides is being extended with Keycloak-based OIDC authentication. In OIDC mode, Traefik acts as the OIDC relying party — it handles the OAuth2 code flow, manages encrypted session cookies, and injects an Authorization: Bearer <access_token> header into every proxied request. The auth
service is disabled entirely in OIDC mode; token validation moves to the backend and Go services via JWKS.
The client must support a dual-mode authentication model: traditional (JWT via auth service) and OIDC (Traefik-managed session).
Related PRs
| Repository | PR |
|---|---|
| openslides-client | #5888 |
| openslides-proxy | #35 — Traefik OIDC plugin config, middleware routing |
| openslides-backend | #3340 — OIDC token validation, user provisioning, backchannel logout |
| openslides-go | #170 — Go OIDC auth for autoupdate/ICC/vote services |
| openslides-auth-service | #918 — osauthlib OIDC authenticator |
| openslides-autoupdate-service | #1345 — OIDC logout handling |
Requirements
1. OIDC Session Detection
The client must detect whether it is running in OIDC mode. Since there is no organization-level setting for this (OIDC is an infrastructure concern), detection is based on the presence of the Traefik session cookie (TraefikOidcAuth.Session.*).
This detection should be centralized and reusable across the login page, auth service, and auth worker.
2. Login Page
In OIDC mode, the user never sees the login form. Traefik redirects unauthenticated users to Keycloak before the client even loads. When the client does load, the user is already authenticated.
Expected behavior:
- When an OIDC session is detected → show a "redirecting" indicator instead of the login form
- Hide the username/password form, SAML button, and "Forgot Password" link
- If the user already has a known identity → redirect to the home page immediately
3. User Identity
In legacy mode, the user ID is extracted from a JWT token. In OIDC mode, there is no JWT — Traefik manages tokens transparently. Instead, the who-am-i endpoint returns the user ID directly in the response body (user_id field) rather than in an authentication header.
The client must:
- Recognize both response formats from
who-am-i(JWT header vs. bodyuser_id) - Track user identity regardless of which auth mode is active
- Consider the user authenticated if either a valid JWT or an OIDC user ID is present
4. Token Management
In OIDC mode, the client does not manage access tokens. Traefik handles token storage, refresh, and injection entirely.
Implications:
- The HTTP interceptor must not add an
Authorizationheader when no JWT is present — Traefik already provides one - The auth worker's refresh strategy must adapt: instead of scheduling refresh based on JWT expiry, perform periodic session validity checks (e.g., polling
who-am-ion a fixed interval)
5. Logout
In OIDC mode, the auth service's logout endpoint is not available (auth service is disabled).
Logout flow:
- Clear all local client state (user identity, cached data, worker state)
- Redirect to Traefik's OIDC logout endpoint (
/oauth2/logout), which:- Clears session cookies
- Triggers Keycloak single sign-out
Note: Keycloak also sends backchannel logout notifications to the backend for server-side session invalidation. The client does not need to handle this.
6. Shared Worker Communication
The shared worker communicates user changes to the main thread. In OIDC mode, these messages carry a user ID instead of a JWT token.
The main thread must handle both message formats gracefully.