[#50] Setup keycloak #162
Conversation
@omargoher Remember the authors file and the license header.

@omargoher We will keep this as a draft until everything is in place. Then take it out of draft mode, and PTAL me.
8d9c649 to 4434cbe
Migrate cookie-based auth to Keycloak OIDC

Replace the custom cookie session authentication system with Keycloak

What changed

Replace custom cookie session authentication with Keycloak OIDC bearer

Changes:

Backend resources

Infrastructure

Breaking change

Cookie-based sessions no longer work. All clients must send:

React frontend is not yet updated and will not work until the frontend

How to test

Note: apply the "How to start" section in the first message.

Two helper scripts are provided under

1. Create a Keycloak user

```sh
./keycloak/create-user.sh <username> <email> <password> <role> <firstName> <lastName>

# examples
./keycloak/create-user.sh admin admin@mnemosyne-systems.ai admin admin System Administrator
./keycloak/create-user.sh user1 user1@mnemosyne-systems.ai user1 user John Doe
./keycloak/create-user.sh support1 support1@mnemosyne-systems.ai support1 support Sarah Johnson
```

2. Get a JWT token

```sh
./keycloak/login.sh <username> <password>

# example
./keycloak/login.sh admin admin
```

3. Call any endpoint

```sh
TOKEN=$(./keycloak/login.sh user1 user1)
curl -s "http://localhost:8080/api/user/tickets" \
  -H "Authorization: Bearer $TOKEN" | jq .
```

Role → endpoint mapping
@omargoher Please rebase and resolve conflicts so that we can review.
4434cbe to f2211f4
@jesperpedersen Conflicts resolved and branch rebased successfully.

@omargoher See CI.

@jesperpedersen Sorry, I forgot to run the tests before pushing. Some resource tests are currently failing. I will fix the tests and push my changes.
… (backend + tests)

Replace custom cookie session authentication with Keycloak OIDC bearer token authentication across all resources, and update the full test suite to work without a running Keycloak instance.

Changes:
- Add CurrentUser bean for request-scoped user resolution via JWT
- Add UserProvisioningService for JIT user provisioning on first login
- Replace @CookieParam + AuthHelper.findUser() with SecurityIdentity
- Replace manual requireX() guards with @RolesAllowed annotations
- Add keycloakId field to User entity for principal linking
- Configure OIDC in application.properties with role claim mapping
- Add Keycloak realm configuration and docker-compose setup

Test changes:
- Remove login() and cookie-based auth from AccessTestSupport
- Remove password parameter from ensureUser() — Keycloak owns passwords
- Replace .cookie(AUTH_COOKIE) with @TestSecurity + @JwtSecurity on every test method across all test classes
- Disable real Keycloak in test profile using quarkus.oidc.enabled=false

Breaking change: cookie-based sessions no longer work; clients must send an `Authorization: Bearer <token>` header on all protected requests.
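The resource-side pattern the commit message above describes, written out as an added example rather than the PR's own code: a request-scoped CurrentUser bean that resolves the caller from SecurityIdentity, a UserProvisioningService that creates the local row on first login keyed on the Keycloak `sub` (which `quarkus.oidc.token.principal-claim=sub` exposes as the principal name), and a resource guarded by @RolesAllowed instead of a manual requireX() check. The package `ai.mnemosyne.example`, the `app_user` table, the field names and the `/api/user/tickets` payload are assumptions made for the example.

```java
// Added example, not code from the PR. Package, entity and endpoint names are
// assumed. With quarkus.oidc.token.principal-claim=sub (the PR's
// application.properties) the principal name is the Keycloak "sub", so that
// is the value stored as keycloakId; the client never supplies its own id.
package ai.mnemosyne.example;

import java.util.List;
import io.quarkus.security.UnauthorizedException;
import io.quarkus.security.identity.SecurityIdentity;
import jakarta.annotation.security.RolesAllowed;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.enterprise.context.RequestScoped;
import jakarta.inject.Inject;
import jakarta.persistence.*;
import jakarta.transaction.Transactional;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;
import org.eclipse.microprofile.jwt.JsonWebToken;

@Entity @Table(name = "app_user")           // table name is an assumption
class User {
    @Id @GeneratedValue Long id;
    // Keycloak "sub": the only link to the IdP, unique so two rows can never
    // be created for one subject
    @Column(unique = true, nullable = false) String keycloakId;
    String username;
    String email;
}

@ApplicationScoped
class UserProvisioningService {
    @Inject EntityManager em;

    // JIT provisioning: the first authenticated request creates the local row.
    @Transactional
    User findOrCreate(String keycloakId, JsonWebToken jwt) {
        List<User> found = em.createQuery(
                "select u from User u where u.keycloakId = :id", User.class)
            .setParameter("id", keycloakId).getResultList();
        if (!found.isEmpty()) return found.get(0);
        User u = new User();
        u.keycloakId = keycloakId;
        u.username = jwt.getClaim("preferred_username"); // standard Keycloak claim
        u.email = jwt.getClaim("email");
        em.persist(u); // a concurrent first login loses on the unique constraint
        return u;
    }
}

@RequestScoped
class CurrentUser {
    @Inject SecurityIdentity identity;
    @Inject JsonWebToken jwt;
    @Inject UserProvisioningService provisioning;
    private User resolved;

    // Resolved once per request; anonymous callers never reach provisioning.
    User get() {
        if (identity.isAnonymous()) throw new UnauthorizedException();
        if (resolved == null) {
            resolved = provisioning.findOrCreate(identity.getPrincipal().getName(), jwt);
        }
        return resolved;
    }
}

@Path("/api/user/tickets")
public class TicketResource {
    @Inject CurrentUser currentUser;

    @GET
    @RolesAllowed({"user", "admin"}) // names resolved via realm_access/roles
    @Produces(MediaType.APPLICATION_JSON)
    public List<String> myTickets() {
        User me = currentUser.get();
        // whatever is returned is scoped to the authenticated subject, not to
        // a user id taken from the request
        return List.of("ticket owned by " + me.username);
    }
}
```

Two points worth checking when reviewing the real implementation against this shape: the row is looked up by `sub`, never by `preferred_username` or `email`, because those claims are mutable in Keycloak while `sub` is not; and the unique constraint on `keycloakId` is what makes the first-login race safe, since two requests from the same new subject can both miss the lookup and both try to insert.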
f2211f4 to e98e684
@jesperpedersen Tests are now fixed.
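Since the suite now runs with `quarkus.oidc.enabled=false` in the test profile, here is an added example (not the PR's test code) of a resource test that exercises the bearer-token path without a Keycloak instance: @TestSecurity supplies the principal name (the value the backend treats as the Keycloak `sub`) and the roles, and @JwtSecurity from the quarkus-test-security-jwt artifact supplies the claims that JIT provisioning reads. It assumes that dependency is on the test classpath; the endpoint, role names, subject strings and e-mail address are constructed for the example.

```java
// Added example, not the PR's test code. Assumes quarkus-test-security-jwt
// on the test classpath and an endpoint /api/user/tickets that requires the
// "user" or "admin" role. Subject strings and e-mail are constructed values.
package ai.mnemosyne.example;

import static io.restassured.RestAssured.given;
import static org.hamcrest.Matchers.containsString;

import io.quarkus.test.junit.QuarkusTest;
import io.quarkus.test.security.TestSecurity;
import io.quarkus.test.security.jwt.Claim;
import io.quarkus.test.security.jwt.JwtSecurity;
import org.junit.jupiter.api.Test;

@QuarkusTest
class TicketResourceTest {

    // "user" is what the backend sees as principal name, i.e. the Keycloak
    // "sub" under principal-claim=sub; roles map onto @RolesAllowed.
    @Test
    @TestSecurity(user = "2f1c7e9a-constructed-sub", roles = "user")
    @JwtSecurity(claims = {
        @Claim(key = "preferred_username", value = "user1"),
        @Claim(key = "email", value = "user1@example.test") // constructed
    })
    void userRoleCanListOwnTickets() {
        given().when().get("/api/user/tickets")
            .then().statusCode(200)
            .body("[0]", containsString("user1"));
    }

    // Authenticated but without a permitted role: 403, not 401.
    @Test
    @TestSecurity(user = "9b0d41c3-constructed-sub", roles = "support")
    void otherRoleIsForbidden() {
        given().when().get("/api/user/tickets").then().statusCode(403);
    }

    // No @TestSecurity at all: the identity is anonymous and the old cookie
    // path no longer exists, so @RolesAllowed rejects with 401.
    @Test
    void anonymousIsRejected() {
        given().when().get("/api/user/tickets").then().statusCode(401);
    }
}
```

The three cases are the ones a cookie-to-bearer migration most often gets wrong: a valid token with the wrong role must produce 403 rather than 401, and a request with no credentials at all must be rejected even though no Keycloak is reachable, which is exactly what disabling OIDC in the test profile must not accidentally relax.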
@omargoher We need to move the keycloak stuff to

I want to know more details about why we should do this. Using parameters in the URL follows REST best practices!

@omargoher Parameters in the URL leak the data model to the user. They also make it more difficult to make precise bookmarks. So, REST URLs are a no-go.

@omargoher REST URLs are for API calls, not UI.

@omargoher Although REST is basically dead - we use HTTP w/ JSON payload instead.

Good point. I noticed that our backend is still handling some redirects and UI-related navigation. Would it make sense to move those responsibilities to React and keep the backend focused on exposing APIs only? That way, the frontend can manage the UI flow and control what appears in the URL, while authentication and session handling stay managed through keycloak-js and the Keycloak server.

@omargoher Yes, the backend is an API and its data model isn't exposed.

Hi @omargoher, excellent work man :) These @GET redirect paths (like
| quarkus.oidc.application-type=service | ||
| quarkus.oidc.authentication.scopes=openid,profile,email | ||
| quarkus.oidc.roles.role-claim-path=realm_access/roles | ||
| quarkus.oidc.token.principal-claim=sub\ |
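Review bot: the trailing backslash on `quarkus.oidc.token.principal-claim=sub\` is a line continuation in Java-style `.properties` parsing, so whatever follows on the next line is appended to the value of `principal-claim` and its own key is silently lost; drop the backslash so the value is exactly `sub`. Keeping the property itself is right: by default Quarkus tries `upn` and `preferred_username` before `sub`, and those are mutable in Keycloak, whereas `sub` is the stable id the `keycloakId` linking should key on. Separately, `quarkus.oidc.authentication.scopes=openid,profile,email` only applies to the authorization-code flow of `application-type=web-app`; with `application-type=service` the backend validates bearer tokens and never requests scopes, so that line is dead configuration and should be removed to avoid suggesting the backend performs a login. `quarkus.oidc.roles.role-claim-path=realm_access/roles` is the correct path for Keycloak realm roles.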
Hey @omargoher, good catch on the configuration properties, but there is a sneaky syntax issue here, I think?

Hi @omargoher, any update?

@sksingh2005 Sorry, I'm busy with some work until June 12. Also, frontend isn't my strongest area. If you want to pick up that part, go ahead. You can use this repo as a reference:
Summary

This is the first phase of the Keycloak migration.
The PR introduces Keycloak infrastructure, realm generation, and backend OIDC configuration.

I added a Keycloak service in `docker-compose.yml`, and to load the Keycloak configuration I created `keycloak-realm.template.json`, `.env-keycloak.example` and a `generate_realm.py` script that generates a project-specific `keycloak-realm.json`. This avoids changing `keycloak-realm.json` manually and allows configuration changes through `.env-keycloak`.

I also added OIDC configuration in `src/backend/main/resources/application.properties` and made the `/api/*` endpoints private. All requests to `/api/*` now require a valid JWT token in the `Authorization` header, so the current cookie-based auth no longer works for protected APIs.

How to start

- `.env-keycloak.example`
- add your configuration to `.env-keycloak`
- generate the realm file