feat: improve Keycloak device auth page to include SSO options#2100
Conversation
WalkthroughAdds optional AUTH_SSO_COOKIE_DOMAIN env var wired into config and AuthUtils; introduces a Keycloak SSO-cookie authenticator and factory with theme/template/localization and service registration; updates Keycloak realm, version, Dockerfile, setup script, Maven and package dependency versions. Changes
Estimated code review effort🎯 4 (Complex) | ⏱️ ~45 minutes Possibly related PRs
Pre-merge checks and finishing touches✅ Passed checks (3 passed)
✨ Finishing touches
📜 Recent review detailsConfiguration used: CodeRabbit UI Review profile: CHILL Plan: Pro ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (4)
🚧 Files skipped from review as they are similar to previous changes (4)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (15)
Tip 👮 Agentic pre-merge checks are now available in preview!Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.
Please see the documentation for more information. Example: reviews:
pre_merge_checks:
custom_checks:
- name: "Undocumented Breaking Changes"
mode: "warning"
instructions: |
Pass/fail criteria: All breaking changes to public APIs, CLI flags, environment variables, configuration keys, database schemas, or HTTP/GraphQL endpoints must be documented in the "Breaking Change" section of the PR description and in CHANGELOG.md. Exclude purely internal or private changes (e.g., code not exported from package entry points or explicitly marked as internal).Please share your feedback with us on this Discord post. Comment |
Dependency ReviewThe following issues were found:
Vulnerabilitieskeycloak/theme/pom.xml
Only included vulnerabilities with severity high or higher. OpenSSF Scorecard
Scanned Files
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 4
🧹 Nitpick comments (4)
controlplane/.env.example (1)
17-20: Provide an illustrative value forAUTH_SSO_COOKIE_DOMAINLeaving the variable blank encourages the empty-string issue mentioned earlier. Supplying a commented example helps users configure it correctly:
-AUTH_SSO_COOKIE_DOMAIN= +# AUTH_SSO_COOKIE_DOMAIN=".example.com" # optional – leading dot recommendedkeycloak/theme/src/main/resources/theme/cosmo/login/messages/messages_en.properties (1)
6-7: Remember to update other localesThe new
signInWithSSOkey is only inmessages_en.properties. Add it to the other language files to avoid missing-key fall-backs in non-English UIs.keycloak/theme/src/main/java/com/wundergraph/authentication/SSOCookieAuthenticatorFactory.java (1)
71-75: Consider supporting additional authentication requirements.Currently, only
REQUIREDis supported. Most Keycloak authenticators also supportALTERNATIVEandDISABLEDto provide more flexibility in authentication flow configuration.@Override public AuthenticationExecutionModel.Requirement[] getRequirementChoices() { return new AuthenticationExecutionModel.Requirement[]{ AuthenticationExecutionModel.Requirement.REQUIRED, + AuthenticationExecutionModel.Requirement.ALTERNATIVE, + AuthenticationExecutionModel.Requirement.DISABLED }; }keycloak/theme/src/main/java/com/wundergraph/authentication/SSOCookieAuthenticator.java (1)
14-45: Add debug logging for troubleshooting.Consider adding debug logging to help troubleshoot SSO cookie authentication issues in production environments.
Add logging at key points:
import org.jboss.logging.Logger; public class SSOCookieAuthenticator implements Authenticator { private static final Logger logger = Logger.getLogger(SSOCookieAuthenticator.class); @Override public void authenticate(AuthenticationFlowContext authenticationFlowContext) { String ssoCookieName = getSSOCookieName(authenticationFlowContext); logger.debugf("Looking for SSO cookie: %s", ssoCookieName); // ... existing code ... if (idpModel != null && idpModel.isEnabled()) { logger.debugf("Found enabled IDP for cookie value: %s", ssoCookieValue); // ... existing code ... } else if (idpModel != null) { logger.debugf("IDP %s is disabled", ssoCookieValue); } else { logger.debugf("No IDP found for cookie value: %s", ssoCookieValue); } } }
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (14)
controlplane/.env.example(1 hunks)controlplane/src/core/auth-utils.ts(2 hunks)controlplane/src/core/build-server.ts(2 hunks)controlplane/src/core/env.schema.ts(1 hunks)controlplane/src/index.ts(2 hunks)docker/keycloak/realm.json(59 hunks)keycloak/Dockerfile(1 hunks)keycloak/theme/pom.xml(1 hunks)keycloak/theme/src/main/java/com/wundergraph/authentication/SSOCookieAuthenticator.java(1 hunks)keycloak/theme/src/main/java/com/wundergraph/authentication/SSOCookieAuthenticatorFactory.java(1 hunks)keycloak/theme/src/main/resources/META-INF/services/org.keycloak.authentication.AuthenticatorFactory(1 hunks)keycloak/theme/src/main/resources/theme/cosmo/login/login.ftl(2 hunks)keycloak/theme/src/main/resources/theme/cosmo/login/messages/messages_en.properties(1 hunks)keycloak/theme/src/main/resources/theme/cosmo/login/theme.properties(1 hunks)
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: in the cosmo router project, when extending json schema validation for security-sensitive fields lik...
Learnt from: SkArchon
PR: wundergraph/cosmo#2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.
Applied to files:
docker/keycloak/realm.json
📚 Learning: oci (open container initiative) registry urls in the cosmo router project should not include http/ht...
Learnt from: endigma
PR: wundergraph/cosmo#2079
File: router/pkg/config/config.schema.json:2942-2954
Timestamp: 2025-07-30T15:23:03.295Z
Learning: OCI (Open Container Initiative) registry URLs in the Cosmo router project should not include HTTP/HTTPS schemas. They are specified as hostnames only (e.g., "registry.example.com" or "registry.example.com/namespace"). The JSON schema validation should use plain "string" type without "http-url" format for plugin registry URLs.
Applied to files:
docker/keycloak/realm.json
🪛 GitHub Actions: Dependency Review
keycloak/theme/pom.xml
[error] 1-1: Dependency review detected vulnerable package: Keycloak mTLS Authentication Bypass via Reverse Proxy TLS Termination (high severity). See GHSA-93ww-43rr-79v3
🔇 Additional comments (15)
controlplane/src/index.ts (1)
100-105: Guard against empty string when forwardingssoCookieDomainIf
AUTH_SSO_COOKIE_DOMAINis left blank in the environment file,env.schemacurrently passes''down, sossoCookieDomain: ''. Most cookie helpers interpret an emptydomainas “set nothing” and drop the attribute, but some libraries treat the empty string literally and will emitDomain="", again breaking browser compatibility.After tightening validation in
env.schema.ts, this problem vanishes, but until then you can add a short-term guard:- ssoCookieDomain: AUTH_SSO_COOKIE_DOMAIN, + ssoCookieDomain: AUTH_SSO_COOKIE_DOMAIN || undefined,(Not required if you adopt the schema fix.)
keycloak/Dockerfile (1)
1-1: Java 17 upgrade looks good; double-check Maven compatibilityKeycloak 25 requires Java 17, so switching the build stage image to
java-node:17-jdk-18is the right call.
No further issues spotted, but please ensure the Maven version pulled fromaptstill builds the theme without warnings under JDK 17.keycloak/theme/src/main/resources/META-INF/services/org.keycloak.authentication.AuthenticatorFactory (1)
1-1: LGTM! Service provider configuration is correct.This properly registers the
SSOCookieAuthenticatorFactoryfor Keycloak's ServiceLoader mechanism, enabling automatic discovery of the custom authenticator.controlplane/src/core/build-server.ts (2)
85-85: LGTM! Clean addition of SSO cookie domain configuration.The optional
ssoCookieDomainproperty is properly typed and placed in the appropriateauthconfiguration section.
239-239: LGTM! Proper propagation of SSO cookie domain to AuthUtils.The new configuration option is correctly passed to the
AuthUtilsconstructor, maintaining consistency with the existing configuration pattern.controlplane/src/core/auth-utils.ts (2)
24-24: LGTM! Proper type extension for SSO cookie domain.The optional
ssoCookieDomainproperty is correctly typed and maintains backward compatibility.
116-116: LGTM! Excellent fallback implementation for SSO cookie domain.The use of nullish coalescing (
??) provides proper fallback towebDomainwhenssoCookieDomainis undefined, maintaining backward compatibility while enabling flexible domain configuration.keycloak/theme/pom.xml (1)
13-44: Maven configuration structure is well-organized.The properties and dependencies sections are properly structured with appropriate scoping. The Java 11 compiler settings and UTF-8 encoding are correctly configured. However, address the Keycloak version security issue before merging.
keycloak/theme/src/main/resources/theme/cosmo/login/login.ftl (3)
7-7: LGTM! Proper client-specific social provider filtering.The condition correctly excludes social providers when the client ID is "studio", providing appropriate UI customization.
10-10: LGTM! Consistent CSS class application.The addition of
kcFormSocialAccountLinkClassmaintains consistency with the theme property system.
20-25: LGTM! Well-integrated SSO login option.The conditional SSO login block is properly implemented with:
- Appropriate conditional check for
ssoLoginUrl- Consistent styling and icon usage
- Proper localization with
signInWithSSOmessage key- Maintains visual consistency with existing social providers
keycloak/theme/src/main/resources/theme/cosmo/login/theme.properties (1)
41-41: Consider preserving minimal styling for social account links.Setting
kcFormSocialAccountLinkClassto an empty string removes all styling from social account links. This might cause the SSO login link to appear unstyled or inherit unwanted styles from parent elements.Consider keeping essential classes like
pf-v5-u-text-decoration-noneto maintain consistent link appearance across the login form.docker/keycloak/realm.json (3)
1143-1156: Verify SMTP configuration for production use.The SMTP server configuration has been changed to use a local Mailpit server (
mailpit.hub-dev.orb.local). Ensure this is intentional and that proper SMTP configuration is used in production environments.This appears to be a development configuration. Consider using environment-specific configuration for SMTP settings to avoid accidentally deploying with a local mail server.
1341-1354: New HMAC key provider with HS512 algorithm added.A new HMAC key provider using HS512 algorithm has been added. This is good for supporting JWT signing with symmetric keys, but ensure this aligns with your security requirements and that the keys are properly managed.
2110-2110: Double-check custom authenticators & themes after upgrading Keycloak to 25.0.2Updating from 22.0.3 → 25.0.2 includes several breaking changes that can impact your custom SPIs and theme overrides. Please audit the following before merging:
• File to review:
- docker/keycloak/realm.json (line 2110):
"keycloakVersion": "25.0.2",• Custom authenticators:
- Verify any session-state logic for updated error handling and session expiry propagation.
- Ensure your SPI implementations account for claim changes (e.g.,
sub,auth_time,noncenow require explicit mappers).- Test flows that integrate passkeys or browser SSO to catch protocol adjustments.
• Custom themes:- If you extended the legacy account-v1 or Angular admin console themes, migrate to the new React-based structures or use a compatibility extension.
- Update theme.properties parent references to the current account/admin themes.
- Compare all overridden FTL/CSS/JS against the Keycloak 25 defaults for removed resources or renamed template functions.
• Configuration & protocol mappers:- Review hostname v2 settings if your flows reference frontend/backchannel URLs.
- Audit custom protocol/token mappers against the new default client scopes and claim inclusion strategy.
Run a full smoke test of your authentication flows and theming in a staging environment, referring to the Keycloak Upgrade Guide and Release Notes for v23→25 to catch any additional issues.
…ould-show-sso-options
Router image scan passed✅ No security vulnerabilities found in image: |
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (1)
docker/keycloak/realm.json (1)
1735-1758: Tidy up the flow alias naming
"alias": "browser with sso Browser - Conditional OTP"mixes two concepts and repeats the word Browser.
Consider a clearer alias such as"browser-with-sso-conditional-otp"(and update the single reference at Line 1788) to improve maintainability and avoid confusion when debugging flows.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
⛔ Files ignored due to path filters (1)
pnpm-lock.yamlis excluded by!**/pnpm-lock.yaml
📒 Files selected for processing (7)
.github/scripts/setup-keycloak.sh(1 hunks)controlplane/package.json(1 hunks)docker/keycloak/realm.json(62 hunks)keycloak/Dockerfile(2 hunks)keycloak/theme/pom.xml(1 hunks)keycloak/theme/src/main/java/com/wundergraph/authentication/SSOCookieAuthenticator.java(1 hunks)keycloak/theme/src/main/resources/theme/cosmo/login/theme.properties(2 hunks)
✅ Files skipped from review due to trivial changes (4)
- controlplane/package.json
- keycloak/Dockerfile
- .github/scripts/setup-keycloak.sh
- keycloak/theme/src/main/resources/theme/cosmo/login/theme.properties
🚧 Files skipped from review as they are similar to previous changes (2)
- keycloak/theme/pom.xml
- keycloak/theme/src/main/java/com/wundergraph/authentication/SSOCookieAuthenticator.java
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: in the cosmo router project, when extending json schema validation for security-sensitive fields lik...
Learnt from: SkArchon
PR: wundergraph/cosmo#2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.
Applied to files:
docker/keycloak/realm.json
📚 Learning: oci (open container initiative) registry urls in the cosmo router project should not include http/ht...
Learnt from: endigma
PR: wundergraph/cosmo#2079
File: router/pkg/config/config.schema.json:2942-2954
Timestamp: 2025-07-30T15:23:03.295Z
Learning: OCI (Open Container Initiative) registry URLs in the Cosmo router project should not include HTTP/HTTPS schemas. They are specified as hostnames only (e.g., "registry.example.com" or "registry.example.com/namespace"). The JSON schema validation should use plain "string" type without "http-url" format for plugin registry URLs.
Applied to files:
docker/keycloak/realm.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)
- GitHub Check: integration_test (./telemetry)
- GitHub Check: build_test
- GitHub Check: integration_test (./events)
- GitHub Check: integration_test (./. ./fuzzquery ./lifecycle ./modules)
- GitHub Check: build_push_image
- GitHub Check: build_test
- GitHub Check: build_test
- GitHub Check: Analyze (go)
There was a problem hiding this comment.
Actionable comments posted: 0
♻️ Duplicate comments (1)
docker/keycloak/realm.json (1)
642-651: Duplicatesubclaim mapper still presentKeycloak injects the mandatory
subclaim automatically; leaving this customoidc-sub-mapperin place will create twosubentries in every token and break strict JWT validators.The exact same issue was flagged earlier and hasn’t been addressed.
Please delete the entire mapper block.
🧹 Nitpick comments (1)
docker/keycloak/realm.json (1)
1788-1811: Inconsistent flow alias naming
"browser with sso Browser - Conditional OTP"mixes two concepts in one alias and differs in style from the existingBrowser - Conditional OTPflows.
Keeping flow aliases short and consistent (e.g.,browser-with-sso-otp) eases maintenance and scripting.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
⛔ Files ignored due to path filters (1)
pnpm-lock.yamlis excluded by!**/pnpm-lock.yaml
📒 Files selected for processing (5)
.github/scripts/setup-keycloak.sh(1 hunks)controlplane/package.json(1 hunks)docker/keycloak/realm.json(62 hunks)keycloak/Dockerfile(2 hunks)keycloak/theme/pom.xml(1 hunks)
✅ Files skipped from review due to trivial changes (1)
- controlplane/package.json
🚧 Files skipped from review as they are similar to previous changes (3)
- keycloak/Dockerfile
- keycloak/theme/pom.xml
- .github/scripts/setup-keycloak.sh
🧰 Additional context used
🧠 Learnings (4)
📓 Common learnings
Learnt from: wilsonrivera
PR: wundergraph/cosmo#2100
File: docker/keycloak/realm.json:1768-1774
Timestamp: 2025-08-04T17:50:30.553Z
Learning: The sso-cookie-authenticator in Keycloak authentication flows must use "REQUIRED" as the requirement setting, not "ALTERNATIVE". This is due to implementation constraints of the custom SSOCookieAuthenticator class.
📚 Learning: in the cosmo router project, when extending json schema validation for security-sensitive fields lik...
Learnt from: SkArchon
PR: wundergraph/cosmo#2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.
Applied to files:
docker/keycloak/realm.json
📚 Learning: the sso-cookie-authenticator in keycloak authentication flows must use "required" as the requirement...
Learnt from: wilsonrivera
PR: wundergraph/cosmo#2100
File: docker/keycloak/realm.json:1768-1774
Timestamp: 2025-08-04T17:50:30.553Z
Learning: The sso-cookie-authenticator in Keycloak authentication flows must use "REQUIRED" as the requirement setting, not "ALTERNATIVE". This is due to implementation constraints of the custom SSOCookieAuthenticator class.
Applied to files:
docker/keycloak/realm.json
📚 Learning: oci (open container initiative) registry urls in the cosmo router project should not include http/ht...
Learnt from: endigma
PR: wundergraph/cosmo#2079
File: router/pkg/config/config.schema.json:2942-2954
Timestamp: 2025-07-30T15:23:03.295Z
Learning: OCI (Open Container Initiative) registry URLs in the Cosmo router project should not include HTTP/HTTPS schemas. They are specified as hostnames only (e.g., "registry.example.com" or "registry.example.com/namespace"). The JSON schema validation should use plain "string" type without "http-url" format for plugin registry URLs.
Applied to files:
docker/keycloak/realm.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (16)
- GitHub Check: build_test
- GitHub Check: image_scan (nonroot)
- GitHub Check: Analyze (go)
- GitHub Check: integration_test (./events)
- GitHub Check: image_scan
- GitHub Check: build_push_image
- GitHub Check: build_test
- GitHub Check: build_push_image (nonroot)
- GitHub Check: build_push_image
- GitHub Check: build_test
- GitHub Check: Analyze (javascript-typescript)
- GitHub Check: integration_test (./. ./fuzzquery ./lifecycle ./modules)
- GitHub Check: integration_test (./telemetry)
- GitHub Check: build_test
- GitHub Check: build_push_image
- GitHub Check: build_test
🔇 Additional comments (3)
docker/keycloak/realm.json (3)
1821-1826:sso-cookie-authenticatorcorrectly set toREQUIRED– looks goodMatches the implementation constraint captured in project learnings; no action needed.
354-356: Verify that onlycosmo-cliuses the newbrowser altbindingOther public clients (e.g.,
studio,account) still rely on the defaultbrowserflow.
Double-check that this split is intentional and that UX remains uniform across entry points.
1476-1487: Multiple HMAC key providers share the same priorityBoth
hmac-generated(HS256) and the newhmac-generated-hs512(HS512) use priority100.
Keycloak picks the first matching provider, which may lead to unpredictable behaviour when HS* algorithms are requested.
Consider lowering the priority of the legacy HS256 provider—or removing it entirely—if HS512 is the intended algorithm.
There was a problem hiding this comment.
Actionable comments posted: 0
♻️ Duplicate comments (1)
docker/keycloak/realm.json (1)
642-651: Duplicatesubprotocol-mapper still present – remove to avoid doublesubclaimsKeycloak already injects the mandatory
subclaim. Keeping the custom"sub"mapper here results in duplicate claims and breaks JWT validation in some libraries.Same comment was raised in a previous review and still applies.
Delete the whole object at lines 642-651.
🧹 Nitpick comments (2)
docker/keycloak/realm.json (2)
1735-1759: Alias naming is confusing
"alias": "browser alt Browser - Conditional OTP"is hard to scan and easy to mistype.
Consider renaming to something concise like"browser alt - Conditional OTP".
1199-1207:basicscope added to default scopes but excluded fromtoken.scope
"include.in.token.scope": "false"means thebasicscope name itself will not be listed in thescopeparameter, yet it is indefaultDefaultClientScopes.
That is valid but a little counter-intuitive—double-check this is intentional.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
docker/keycloak/realm.json(62 hunks)
🧰 Additional context used
🧠 Learnings (4)
📓 Common learnings
Learnt from: wilsonrivera
PR: wundergraph/cosmo#2100
File: docker/keycloak/realm.json:1768-1774
Timestamp: 2025-08-04T17:50:30.553Z
Learning: The sso-cookie-authenticator in Keycloak authentication flows must use "REQUIRED" as the requirement setting, not "ALTERNATIVE". This is due to implementation constraints of the custom SSOCookieAuthenticator class.
📚 Learning: in the cosmo router project, when extending json schema validation for security-sensitive fields lik...
Learnt from: SkArchon
PR: wundergraph/cosmo#2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.
Applied to files:
docker/keycloak/realm.json
📚 Learning: the sso-cookie-authenticator in keycloak authentication flows must use "required" as the requirement...
Learnt from: wilsonrivera
PR: wundergraph/cosmo#2100
File: docker/keycloak/realm.json:1768-1774
Timestamp: 2025-08-04T17:50:30.553Z
Learning: The sso-cookie-authenticator in Keycloak authentication flows must use "REQUIRED" as the requirement setting, not "ALTERNATIVE". This is due to implementation constraints of the custom SSOCookieAuthenticator class.
Applied to files:
docker/keycloak/realm.json
📚 Learning: oci (open container initiative) registry urls in the cosmo router project should not include http/ht...
Learnt from: endigma
PR: wundergraph/cosmo#2079
File: router/pkg/config/config.schema.json:2942-2954
Timestamp: 2025-07-30T15:23:03.295Z
Learning: OCI (Open Container Initiative) registry URLs in the Cosmo router project should not include HTTP/HTTPS schemas. They are specified as hostnames only (e.g., "registry.example.com" or "registry.example.com/namespace"). The JSON schema validation should use plain "string" type without "http-url" format for plugin registry URLs.
Applied to files:
docker/keycloak/realm.json
🔇 Additional comments (3)
docker/keycloak/realm.json (3)
1693-1733: New top-level flowbrowser altlooks good, but confirm binding coverageOnly
cosmo-cliis bound to this flow viaauthenticationFlowBindingOverrides.
Please verify that all device-code or browser clients expected to leverage the SSO-cookie authenticator are now bound to"browser alt"; otherwise they will silently fall back to the old flow.
1768-1775:sso-cookie-authenticatorcorrectly set toREQUIREDRequirement is
REQUIRED, matching the implementation constraints recorded in project learnings. No action needed.
1423-1434: Unused HS512 key provider?A new
hmac-generatedprovider with algorithmHS512is added, butdefaultSignatureAlgorithmremainsRS256and no client appears to request HS512.Please confirm this key is actually required; if not, drop it to keep the key set minimal.
…ould-show-sso-options
…ould-show-sso-options # Conflicts: # pnpm-lock.yaml
…auth-page-should-show-sso-options' into wilson/eng-5025-keycloak-device-auth-page-should-show-sso-options
…ould-show-sso-options
…ould-show-sso-options
…ould-show-sso-options
…ould-show-sso-options
…ould-show-sso-options
…ould-show-sso-options
…ould-show-sso-options
…ould-show-sso-options
…ould-show-sso-options
…ould-show-sso-options
…ould-show-sso-options
wilsonrivera
deleted the
wilson/eng-5025-keycloak-device-auth-page-should-show-sso-options
branch
3 participants
Summary by CodeRabbit
New Features
Enhancements
Chores
Checklist
Improve the device authentication page to include SSO options, this includes a custom Keycloak extension to read the Cosmo SSO cookie to provide the option to use organization SSO options