Merged
24 commits
a70eb28
feat: improve Keycloak device auth page to include SSO options
wilsonrivera Aug 2, 2025
faf540b
chore: improve extension help text
wilsonrivera Aug 2, 2025
b772d19
chore: apply coderabbit suggestions
wilsonrivera Aug 3, 2025
d0938aa
chore: linting
wilsonrivera Aug 3, 2025
baf609c
chore: update Keycloak to `26.3.2`
wilsonrivera Aug 4, 2025
4f2b6ea
Merge branch 'main' into wilson/eng-5025-keycloak-device-auth-page-sh…
wilsonrivera Aug 4, 2025
e105b55
chore: downgrade Keycloak to `26.2.5`
wilsonrivera Aug 5, 2025
a837a9d
chore: update `realm.json`
wilsonrivera Aug 5, 2025
1ef9b71
Merge branch 'main' into wilson/eng-5025-keycloak-device-auth-page-sh…
wilsonrivera Aug 5, 2025
8356c0d
Merge branch 'main' into wilson/eng-5025-keycloak-device-auth-page-sh…
wilsonrivera Aug 11, 2025
c9783e1
Merge branch 'main' into wilson/eng-5025-keycloak-device-auth-page-sh…
wilsonrivera Aug 15, 2025
e31b273
Merge remote-tracking branch 'origin/wilson/eng-5025-keycloak-device-…
wilsonrivera Aug 15, 2025
51d2067
chore: update with suggestions
wilsonrivera Aug 15, 2025
c026315
Merge branch 'main' into wilson/eng-5025-keycloak-device-auth-page-sh…
wilsonrivera Aug 19, 2025
7d422ab
Merge branch 'main' into wilson/eng-5025-keycloak-device-auth-page-sh…
wilsonrivera Aug 21, 2025
6af9d90
Merge branch 'main' into wilson/eng-5025-keycloak-device-auth-page-sh…
wilsonrivera Aug 23, 2025
87071e2
Merge branch 'main' into wilson/eng-5025-keycloak-device-auth-page-sh…
wilsonrivera Aug 25, 2025
6c80145
Merge branch 'main' into wilson/eng-5025-keycloak-device-auth-page-sh…
wilsonrivera Aug 27, 2025
9fe6f93
Merge branch 'main' into wilson/eng-5025-keycloak-device-auth-page-sh…
wilsonrivera Aug 28, 2025
4f3e79b
Merge branch 'main' into wilson/eng-5025-keycloak-device-auth-page-sh…
wilsonrivera Sep 3, 2025
f0c5527
Merge branch 'main' into wilson/eng-5025-keycloak-device-auth-page-sh…
wilsonrivera Sep 3, 2025
313672c
Merge branch 'main' into wilson/eng-5025-keycloak-device-auth-page-sh…
wilsonrivera Sep 8, 2025
6def13a
Merge branch 'main' into wilson/eng-5025-keycloak-device-auth-page-sh…
wilsonrivera Sep 10, 2025
9a9567d
Merge branch 'main' into wilson/eng-5025-keycloak-device-auth-page-sh…
wilsonrivera Sep 23, 2025
2 changes: 1 addition & 1 deletion .github/scripts/setup-keycloak.sh
@@ -1,6 +1,6 @@
#!/bin/bash

export KC_VERSION=25.0.1
export KC_VERSION=26.2.5
curl -LO https://github.com/keycloak/keycloak/releases/download/"${KC_VERSION}"/keycloak-"${KC_VERSION}".zip

unzip -q keycloak-${KC_VERSION}.zip
1 change: 1 addition & 0 deletions controlplane/.env.example
Expand Up @@ -16,6 +16,7 @@ CLICKHOUSE_MIGRATION_DSN="clickhouse://default:changeme@localhost:9000?database=

# Security
AUTH_JWT_SECRET="fkczyomvdprgvtmvkuhvprxuggkbgwld"
AUTH_SSO_COOKIE_DOMAIN=

# Keycloak
KC_REALM="cosmo"
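Review bot: The new `AUTH_SSO_COOKIE_DOMAIN=` entry has no comment, although it is the one setting in this block that changes which hosts receive a cookie. Add a line above it such as `# Optional: parent domain for the SSO hint cookie (e.g. ".example.com"); leave empty to scope it to the web host`. An operator should be able to tell from the example file that setting it shares the cookie with every subdomain of that value.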
2 changes: 1 addition & 1 deletion controlplane/package.json
Expand Up @@ -49,7 +49,7 @@
"@graphql-eslint/eslint-plugin": "^3.20.1",
"@graphql-inspector/core": "^6.2.1",
"@graphql-tools/utils": "^10.1.2",
"@keycloak/keycloak-admin-client": "^25.0.2",
"@keycloak/keycloak-admin-client": "26.2.5",
"@octokit/webhooks-types": "^7.6.1",
"@sentry/node": "^10.11.0",
"@sentry/node-native": "^10.11.0",
3 changes: 2 additions & 1 deletion controlplane/src/core/auth-utils.ts
Expand Up @@ -21,6 +21,7 @@ import { AuthenticationError } from './errors/errors.js';
export type AuthUtilsOptions = {
webBaseUrl: string;
webErrorPath: string;
ssoCookieDomain: string | undefined;
jwtSecret: string;
oauth: {
clientID: string;
Expand Down Expand Up @@ -113,7 +114,7 @@ export default class AuthUtils {
createSsoCookie(res: FastifyReply, ssoSlug: string) {
const currentDate = new Date();
const userSsoCookie = cookie.serialize(cosmoIdpHintCookieName, ssoSlug, {
domain: this.webDomain,
domain: this.opts.ssoCookieDomain ?? this.webDomain,
sameSite: 'lax',
expires: new Date(currentDate.setFullYear(currentDate.getFullYear() + 1)),
path: '/',
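Review bot: In `createSsoCookie`, once `ssoCookieDomain` is set the IdP-hint cookie is sent to, and can be overwritten by, every host under that parent domain, so the slug read back from it has to be treated as untrusted wherever it is consumed. A comment on the `domain:` line should say so, e.g. `// wider Domain: any subdomain can read or replace this cookie; validate the slug on read`. Any code that clears this cookie must pass the same `domain`, otherwise the browser keeps the old one; that code is not visible in this hunk, so please confirm it. The options object continues past the hunk, so whether `secure` or `httpOnly` are set cannot be checked from here.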
2 changes: 2 additions & 0 deletions controlplane/src/core/build-server.ts
Expand Up @@ -82,6 +82,7 @@ export interface BuildConfig {
auth: {
webBaseUrl: string;
secureCookie?: boolean;
ssoCookieDomain?: string;
webErrorPath: string;
secret: string;
redirectUri: string;
Expand Down Expand Up @@ -236,6 +237,7 @@ export default async function build(opts: BuildConfig) {
cookieName: pkceCodeVerifierCookieName,
},
webBaseUrl: opts.auth.webBaseUrl,
ssoCookieDomain: opts.auth.ssoCookieDomain,
webErrorPath: opts.auth.webErrorPath,
});

8 changes: 8 additions & 0 deletions controlplane/src/core/env.schema.ts
Expand Up @@ -57,6 +57,14 @@ export const envVariables = z
* Auth
*/
AUTH_JWT_SECRET: z.string().min(32).max(32),
AUTH_SSO_COOKIE_DOMAIN: z
.string()
.transform((val) => (val?.trim() === '' ? undefined : val))
.optional()
.refine(
(val) => !val || /^[\d.a-z-]+$/i.test(val),
'AUTH_SSO_COOKIE_DOMAIN must be a valid domain (e.g. ".example.com")',
),
AUTH_REDIRECT_URI: z.string().url(),
/**
* Database
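Review bot: The `.refine` on `AUTH_SSO_COOKIE_DOMAIN` is only a character whitelist, so values such as `com`, `..` or `-` pass although the message promises a valid domain. A bare TLD or malformed value either gets the cookie rejected by the browser or scopes it wider than intended. Require dot-separated labels, e.g. `/^\.?(?:[a-z\d](?:[a-z\d-]*[a-z\d])?\.)+[a-z\d](?:[a-z\d-]*[a-z\d])?$/i`; a regex still cannot exclude public suffixes like `co.uk`, and single-label hosts such as `localhost` would have to stay unset. The transform also trims only for the emptiness test and returns the untrimmed value, so a padded value fails with a misleading message; `.transform((val) => val.trim() || undefined)` normalises both cases.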
2 changes: 2 additions & 0 deletions controlplane/src/index.ts
Expand Up @@ -25,6 +25,7 @@ const {
AUTH_REDIRECT_URI,
WEB_BASE_URL,
AUTH_JWT_SECRET,
AUTH_SSO_COOKIE_DOMAIN,
KC_REALM,
KC_LOGIN_REALM,
KC_CLIENT_ID,
Expand Down Expand Up @@ -108,6 +109,7 @@ const options: BuildConfig = {
secret: AUTH_JWT_SECRET,
webBaseUrl: WEB_BASE_URL,
webErrorPath: '/auth/error',
ssoCookieDomain: AUTH_SSO_COOKIE_DOMAIN,
},
webhook: {
url: WEBHOOK_URL,