implement frontend auth

Author: felixevers

backend/.env.example

@@ -1,3 +1,5 @@
+ENV="development"
+
 DATABASE_HOSTNAME="postgres"
 DATABASE_NAME="postgres"
 DATABASE_USERNAME="postgres"
@@ -8,7 +10,5 @@ REDIS_PASSWORD="password"
 
 ISSUER_URI="http://keycloak:8080/realms/tasks"
 PUBLIC_ISSUER_URI="http://localhost:8080/realms/tasks"
-CLIENT_ID="tasks"
+CLIENT_ID="tasks-backend"
 CLIENT_SECRET="tasks-secret"
-
-ENV="development"

backend/config.py

@@ -36,5 +36,5 @@
     "PUBLIC_ISSUER_URI",
     ISSUER_URI,
 )
-CLIENT_ID = os.getenv("CLIENT_ID", "tasks")
+CLIENT_ID = os.getenv("CLIENT_ID", "tasks-backend")
 CLIENT_SECRET = os.getenv("CLIENT_SECRET", "tasks-secret")

docker-compose.dev.yml

@@ -1,7 +1,21 @@
 services:
+  keycloak-postgres:
+    image: postgres:15.15
+    volumes:
+      - "keycloak-data:/var/lib/postgresql"
+    environment:
+      POSTGRES_DB: "keycloak"
+      POSTGRES_USER: "keycloak"
+      POSTGRES_PASSWORD: "password"
+
   keycloak:
-    image: quay.io/keycloak/keycloak
+    image: quay.io/keycloak/keycloak:26.4
     environment:
+      KC_DB: "postgres"
+      KC_DB_URL: "jdbc:postgresql://keycloak-postgres:5432/keycloak"
+      KC_DB_USERNAME: "keycloak"
+      KC_DB_PASSWORD: "password"
+
       KC_HOSTNAME: "localhost"
       KC_HOSTNAME_PORT: 8080
       KC_HOSTNAME_STRICT: false
@@ -11,12 +25,11 @@ services:
     command: start-dev --import-realm
     volumes:
       - "./keycloak:/opt/keycloak/data/import:ro"
-      - "keycloak-data:/opt/keycloak/data"
     ports:
       - "8080:8080"
 
   postgres:
-    image: postgres
+    image: postgres:15.15
     environment:
       POSTGRES_DB: "postgres"
       POSTGRES_USER: "postgres"
@@ -49,7 +62,7 @@ services:
 
       ISSUER_URI: "http://keycloak:8080/realms/tasks"
       PUBLIC_ISSUER_URI: "http://localhost:8080/realms/tasks"
-      CLIENT_ID: "tasks"
+      CLIENT_ID: "tasks-backend"
       CLIENT_SECRET: "tasks-secret"
     depends_on:
       - postgres
@@ -61,7 +74,7 @@ services:
       - "3000:80"
     environment:
       ISSUER_URI: "http://localhost:8080/realms/tasks"
-      CLIENT_ID: "tasks"
+      CLIENT_ID: "tasks-web"
     depends_on:
       - backend
 

docker-compose.yml

@@ -1,7 +1,21 @@
 services:
+  keycloak-postgres:
+    image: postgres:15.15
+    volumes:
+      - "keycloak-data:/var/lib/postgresql"
+    environment:
+      POSTGRES_DB: "keycloak"
+      POSTGRES_USER: "keycloak"
+      POSTGRES_PASSWORD: "password"
+
   keycloak:
     image: quay.io/keycloak/keycloak:26.4
     environment:
+      KC_DB: "postgres"
+      KC_DB_URL: "jdbc:postgresql://keycloak-postgres:5432/keycloak"
+      KC_DB_USERNAME: "keycloak"
+      KC_DB_PASSWORD: "password"
+
       KC_HOSTNAME: "localhost"
       KC_HOSTNAME_PORT: 8080
       KC_HOSTNAME_STRICT: false
@@ -11,7 +25,6 @@ services:
     command: start-dev --import-realm
     volumes:
       - "./keycloak:/opt/keycloak/data/import:ro"
-      - "keycloak-data:/opt/keycloak/data"
     ports:
       - "8080:8080"
 
@@ -41,7 +54,7 @@ services:
 
       ISSUER_URI: "http://keycloak:8080/realms/tasks"
       PUBLIC_ISSUER_URI: "http://localhost:8080/realms/tasks"
-      CLIENT_ID: "tasks"
+      CLIENT_ID: "tasks-backend"
       CLIENT_SECRET: "tasks-secret"
 
       ENV: "development"
@@ -53,7 +66,7 @@ services:
     image: ghcr.io/helpwave/tasks-web:latest
     environment:
       ISSUER_URI: "http://localhost:8080/realms/tasks"
-      CLIENT_ID: "tasks"
+      CLIENT_ID: "tasks-web"
     depends_on:
       - backend
 

keycloak/README.md

@@ -1,5 +1,5 @@
 # Disclaimer
 
-`tasks.json` is a realm file.
-You can import it into your *development* keycloak.
-This configuration has preset credentials in it. Make sure to *not use it in production*.
+`tasks.json` is a realm file.  
+You can import it into your **development** keycloak.  
+This configuration has preset credentials in it. Make sure to **not use it in production**.

keycloak/tasks.json

@@ -154,7 +154,7 @@
         "composite" : true,
         "composites" : {
           "client" : {
-            "realm-management" : [ "view-events", "query-realms", "view-users", "manage-identity-providers", "query-groups", "manage-events", "query-users", "manage-authorization", "impersonation", "create-client", "view-clients", "manage-clients", "view-identity-providers", "view-authorization", "query-clients", "view-realm", "manage-realm", "manage-users" ]
+            "realm-management" : [ "query-realms", "view-events", "view-users", "manage-identity-providers", "query-groups", "manage-events", "query-users", "manage-authorization", "impersonation", "create-client", "view-clients", "manage-clients", "view-authorization", "view-identity-providers", "query-clients", "manage-realm", "view-realm", "manage-users" ]
           }
         },
         "clientRole" : true,
@@ -247,6 +247,8 @@
         "attributes" : { }
       } ],
       "security-admin-console" : [ ],
+      "tasks-web" : [ ],
+      "tasks-backend" : [ ],
       "admin-cli" : [ ],
       "account-console" : [ ],
       "broker" : [ {
@@ -332,8 +334,7 @@
         "clientRole" : true,
         "containerId" : "1343d64d-58b3-494e-af8d-dc951ab7227e",
         "attributes" : { }
-      } ],
-      "tasks" : [ ]
+      } ]
     }
   },
   "groups" : [ ],
@@ -504,7 +505,8 @@
     "protocol" : "openid-connect",
     "attributes" : {
       "realm_client" : "false",
-      "client.use.lightweight.access.token.enabled" : "true"
+      "client.use.lightweight.access.token.enabled" : "true",
+      "post.logout.redirect.uris" : "+"
     },
     "authenticationFlowBindingOverrides" : { },
     "fullScopeAllowed" : true,
@@ -532,7 +534,8 @@
     "frontchannelLogout" : false,
     "protocol" : "openid-connect",
     "attributes" : {
-      "realm_client" : "true"
+      "realm_client" : "true",
+      "post.logout.redirect.uris" : "+"
     },
     "authenticationFlowBindingOverrides" : { },
     "fullScopeAllowed" : false,
@@ -560,7 +563,8 @@
     "frontchannelLogout" : false,
     "protocol" : "openid-connect",
     "attributes" : {
-      "realm_client" : "true"
+      "realm_client" : "true",
+      "post.logout.redirect.uris" : "+"
     },
     "authenticationFlowBindingOverrides" : { },
     "fullScopeAllowed" : false,
@@ -618,8 +622,8 @@
     "optionalClientScopes" : [ "address", "phone", "organization", "offline_access", "microprofile-jwt" ]
   }, {
     "id" : "e43b587c-07db-445d-b6d9-e9b4b7cd03ac",
-    "clientId" : "tasks",
-    "name" : "helpwave tasks",
+    "clientId" : "tasks-backend",
+    "name" : "helpwave tasks backend",
     "description" : "",
     "rootUrl" : "",
     "adminUrl" : "",
@@ -647,6 +651,47 @@
       "client.secret.creation.time" : "1764546967",
       "backchannel.logout.session.required" : "true",
       "standard.token.exchange.enabled" : "false",
+      "frontchannel.logout.session.required" : "true",
+      "post.logout.redirect.uris" : "+",
+      "display.on.consent.screen" : "false",
+      "oauth2.device.authorization.grant.enabled" : "false",
+      "backchannel.logout.revoke.offline.tokens" : "false",
+      "dpop.bound.access.tokens" : "false"
+    },
+    "authenticationFlowBindingOverrides" : { },
+    "fullScopeAllowed" : true,
+    "nodeReRegistrationTimeout" : -1,
+    "defaultClientScopes" : [ "web-origins", "acr", "roles", "profile", "basic", "email" ],
+    "optionalClientScopes" : [ "address", "phone", "organization", "offline_access", "microprofile-jwt" ]
+  }, {
+    "id" : "1c76a254-0a04-4dc1-b287-4e642ae3e9be",
+    "clientId" : "tasks-web",
+    "name" : "helpwave tasks web",
+    "description" : "",
+    "rootUrl" : "",
+    "adminUrl" : "",
+    "baseUrl" : "",
+    "surrogateAuthRequired" : false,
+    "enabled" : true,
+    "alwaysDisplayInConsole" : false,
+    "clientAuthenticatorType" : "client-secret",
+    "redirectUris" : [ "*" ],
+    "webOrigins" : [ "*" ],
+    "notBefore" : 0,
+    "bearerOnly" : false,
+    "consentRequired" : false,
+    "standardFlowEnabled" : true,
+    "implicitFlowEnabled" : false,
+    "directAccessGrantsEnabled" : false,
+    "serviceAccountsEnabled" : false,
+    "publicClient" : true,
+    "frontchannelLogout" : true,
+    "protocol" : "openid-connect",
+    "attributes" : {
+      "realm_client" : "false",
+      "oidc.ciba.grant.enabled" : "false",
+      "backchannel.logout.session.required" : "true",
+      "standard.token.exchange.enabled" : "false",
       "oauth2.device.authorization.grant.enabled" : "false",
       "backchannel.logout.revoke.offline.tokens" : "false",
       "dpop.bound.access.tokens" : "false"
@@ -695,8 +740,9 @@
       "consentRequired" : false,
       "config" : {
         "user.session.note" : "AUTH_TIME",
-        "id.token.claim" : "true",
         "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "id.token.claim" : "true",
         "access.token.claim" : "true",
         "claim.name" : "auth_time",
         "jsonType.label" : "long"
@@ -1067,6 +1113,7 @@
       "config" : {
         "introspection.token.claim" : "true",
         "multivalued" : "true",
+        "userinfo.token.claim" : "true",
         "user.attribute" : "foo",
         "id.token.claim" : "true",
         "access.token.claim" : "true",
@@ -1168,8 +1215,9 @@
       "consentRequired" : false,
       "config" : {
         "user.session.note" : "clientAddress",
-        "id.token.claim" : "true",
         "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "id.token.claim" : "true",
         "access.token.claim" : "true",
         "claim.name" : "clientAddress",
         "jsonType.label" : "String"
@@ -1182,8 +1230,9 @@
       "consentRequired" : false,
       "config" : {
         "user.session.note" : "client_id",
-        "id.token.claim" : "true",
         "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "id.token.claim" : "true",
         "access.token.claim" : "true",
         "claim.name" : "client_id",
         "jsonType.label" : "String"
@@ -1196,8 +1245,9 @@
       "consentRequired" : false,
       "config" : {
         "user.session.note" : "clientHost",
-        "id.token.claim" : "true",
         "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "id.token.claim" : "true",
         "access.token.claim" : "true",
         "claim.name" : "clientHost",
         "jsonType.label" : "String"
@@ -1236,12 +1286,13 @@
       "protocolMapper" : "oidc-organization-membership-mapper",
       "consentRequired" : false,
       "config" : {
-        "id.token.claim" : "true",
         "introspection.token.claim" : "true",
+        "multivalued" : "true",
+        "userinfo.token.claim" : "true",
+        "id.token.claim" : "true",
         "access.token.claim" : "true",
         "claim.name" : "organization",
-        "jsonType.label" : "String",
-        "multivalued" : "true"
+        "jsonType.label" : "String"
       }
     } ]
   }, {
@@ -1271,7 +1322,8 @@
       "config" : {
         "id.token.claim" : "true",
         "introspection.token.claim" : "true",
-        "access.token.claim" : "true"
+        "access.token.claim" : "true",
+        "userinfo.token.claim" : "true"
       }
     } ]
   } ],
@@ -1316,7 +1368,7 @@
       "subType" : "anonymous",
       "subComponents" : { },
       "config" : {
-        "allowed-protocol-mapper-types" : [ "oidc-sha256-pairwise-sub-mapper", "saml-role-list-mapper", "oidc-address-mapper", "oidc-usermodel-property-mapper", "saml-user-attribute-mapper", "saml-user-property-mapper", "oidc-full-name-mapper", "oidc-usermodel-attribute-mapper" ]
+        "allowed-protocol-mapper-types" : [ "oidc-address-mapper", "oidc-usermodel-property-mapper", "saml-user-property-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-usermodel-attribute-mapper", "saml-user-attribute-mapper", "oidc-full-name-mapper", "saml-role-list-mapper" ]
       }
     }, {
       "id" : "c2c89f17-9dc3-4b48-9cc0-96cf40c186aa",
@@ -1325,7 +1377,7 @@
       "subType" : "authenticated",
       "subComponents" : { },
       "config" : {
-        "allowed-protocol-mapper-types" : [ "oidc-usermodel-property-mapper", "saml-user-attribute-mapper", "saml-user-property-mapper", "oidc-usermodel-attribute-mapper", "oidc-full-name-mapper", "saml-role-list-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-address-mapper" ]
+        "allowed-protocol-mapper-types" : [ "saml-role-list-mapper", "oidc-address-mapper", "oidc-full-name-mapper", "saml-user-property-mapper", "oidc-usermodel-attribute-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-usermodel-property-mapper", "saml-user-attribute-mapper" ]
       }
     }, {
       "id" : "87223906-c75c-4ea0-bfaf-2c845185de52",
@@ -2120,12 +2172,16 @@
     "cibaExpiresIn" : "120",
     "cibaAuthRequestedUserHint" : "login_hint",
     "oauth2DeviceCodeLifespan" : "600",
+    "clientOfflineSessionMaxLifespan" : "0",
     "oauth2DevicePollingInterval" : "5",
+    "clientSessionIdleTimeout" : "0",
     "parRequestUriLifespan" : "60",
+    "clientSessionMaxLifespan" : "0",
+    "clientOfflineSessionIdleTimeout" : "0",
     "cibaInterval" : "5",
     "realmReusableOtpCode" : "false"
   },
-  "keycloakVersion" : "26.4.6",
+  "keycloakVersion" : "26.4.7",
   "userManagedAccessAllowed" : false,
   "organizationsEnabled" : false,
   "verifiableCredentialsEnabled" : false,

shell.nix

@@ -50,7 +50,6 @@ pkgs.mkShell {
     export DATABASE_URL="postgresql+asyncpg://${postgresUser}:${postgresPassword}@localhost:${toString postgresPort}/${postgresDatabase}"
     export REDIS_URL="redis://:${redisPassword}@${redisHost}:${toString redisPort}"
     export ISSUER_URI="http://localhost:8080/realms/tasks"
-    export CLIENT_ID="tasks"
     export CLIENT_SECRET="tasks-secret"
 
     export LD_LIBRARY_PATH="${libPath}:$LD_LIBRARY_PATH"

web/.gitignore

@@ -11,6 +11,7 @@ yarn-error.log*
 
 # build
 build
+tsconfig.tsbuildinfo
 
 # jetbrains
 .idea
@@ -20,5 +21,6 @@ build
 .DS_Store
 *.pem
 
+
 # local env files
 .env*.local