Keycloak realm with groups

[jasquat]

Supports #1983

Some updates to help demonstrate using keycloak for groups.

Also adds a config so the uri that backend uses for the openid server can be different from what the browser uses. This is to help support running in a docker environment better.

Summary by CodeRabbit

• New Features

  • Updated the CI/CD workflow to trigger on the keycloak-realm-with-groups branch.
  • Introduced a new group in Keycloak for enhanced group management.
  • Added support for an additional OTP application in Keycloak settings.
  • Expanded service account management capabilities with new user entries.

• Improvements

  • Enhanced clarity in configuration settings for the OpenID server and authentication options.
  • Improved handling of internal URIs in authentication processes.

• Version Updates

  • Keycloak version upgraded from 20.0.1 to 22.0.4, incorporating new features and security enhancements.

[coderabbitai]

Walkthrough

Walkthrough

The recent changes involve updates to a GitHub Actions workflow, enhancements in Keycloak configurations, and modifications to backend service settings. Key updates include changing the branch trigger for the CI/CD pipeline, introducing new user and group management capabilities in Keycloak, and improving the structure of authentication service configurations. These adjustments enhance clarity, organization, and functionality, contributing to smoother workflows and stronger security measures throughout the project.

Changes

Files	Change Summary
.github/workflows/build_docker_images.yml	Changed branch trigger from spiffui/newui to keycloak-realm-with-groups, affecting CI/CD pipeline control flow.
spiffworkflow-backend/keycloak/realm_exports/spiffworkflow-local-realm.json	Added a new group and user entries, modified OTP application support, updated security configurations, and removed outdated flows. Updated Keycloak version from 20.0.1 to 22.0.4.
spiffworkflow-backend/src/spiffworkflow_backend/config/__init__.py, spiffworkflow-backend/src/spiffworkflow_backend/config/default.py	Restructured authentication configurations and introduced internal URL settings for enhanced flexibility in accessing services.
spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py	Added internal_uri in AuthenticationOptionForApi and updated server URL methods to support context-based retrieval in the authentication flow.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Client
    participant AuthService
    participant Keycloak

    User->>Client: Request authentication
    Client->>AuthService: Send auth request
    AuthService->>Keycloak: Retrieve internal URI
    Keycloak-->>AuthService: Return internal URI
    AuthService-->>Client: Provide authentication response

Loading

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai generate interesting stats about this repository and render them as a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (invoked as PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

Commits

Files that changed from the base of the PR and between b8c7aa9 and e77a1f2.

Files selected for processing (6)

• .github/workflows/build_docker_images.yml (1 hunks)
• spiffworkflow-backend/keycloak/bin/export_keycloak_realms (2 hunks)
• spiffworkflow-backend/keycloak/realm_exports/spiffworkflow-local-realm.json (15 hunks)
• spiffworkflow-backend/src/spiffworkflow_backend/config/init.py (2 hunks)
• spiffworkflow-backend/src/spiffworkflow_backend/config/default.py (2 hunks)
• spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py (6 hunks)

Files skipped from review due to trivial changes (1)

• spiffworkflow-backend/src/spiffworkflow_backend/config/init.py

Additional comments not posted (16)

spiffworkflow-backend/keycloak/bin/export_keycloak_realms (3)

4-4: Improved readability in error handling.

The change to place the redirection operator after the string improves readability and follows best practices for bash scripting.

---

10-13: Improved readability in script directory assignment.

The formatting change enhances readability without affecting functionality.

---

17-17: Default realm name changed.

The default realm name has been changed from "spiffworkflow-realm" to "spiffworkflow-local-realm". Ensure that this change aligns with the intended functionality.

.github/workflows/build_docker_images.yml (1)

33-33: Branch trigger updated.

The branch spiffui/newui has been replaced with keycloak-realm-with-groups, impacting the control flow of the CI/CD pipeline. Ensure the new branch is correctly configured.

spiffworkflow-backend/src/spiffworkflow_backend/config/default.py (2)

137-137: New configuration parameter added.

The call to config_from_env for SPIFFWORKFLOW_BACKEND_OPEN_ID_SERVER_INTERNAL_URL enhances the flexibility of the configuration by allowing the internal server URL to be specified and accessed.

---

152-152: New key internal_uri added to configuration.

The addition of the internal_uri key improves the overall functionality related to OpenID server configurations.

spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py (5)

126-133: LGTM!

The changes to the method server_url enhance its flexibility by allowing it to conditionally select the URI based on the internal flag.

---

143-145: LGTM!

The changes to the method open_id_endpoint_for_name ensure that the correct endpoint is selected based on the internal flag.

---

175-175: LGTM!

The changes to the method jwks_public_key_for_key_id ensure that it consistently uses the internal endpoint when necessary.

---

312-314: LGTM!

The changes to the method get_auth_token_object ensure that it consistently uses the internal endpoint when necessary.

---

443-445: LGTM!

The changes to the method get_auth_token_from_refresh_token ensure that it consistently uses the internal endpoint when necessary.

spiffworkflow-backend/keycloak/realm_exports/spiffworkflow-local-realm.json (5)

444-454: Addition of new group object looks good.

The new group object follows the expected structure for Keycloak groups.

---

471-475: Modification of OTP supported applications looks good.

The addition of totpAppMicrosoftAuthenticatorName enhances the OTP functionality by supporting an additional application.

---

669-703: Addition of new user entries looks good.

The new user entries enhance the realm's capabilities for service account management. Ensure that the new users are correctly configured and integrated.

---

510-510: Update to user credentials looks good but verify correctness.

The secretData field for the user has been updated. Ensure that the new secret data is correctly encrypted and stored.

---

2948-2948: Update to Keycloak version looks good but verify compatibility.

The Keycloak version is updated from 20.0.1 to 22.0.4. Ensure that the update does not introduce any compatibility issues.

[coderabbitai]

Actionable comments posted: 0

Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

Commits

Files that changed from the base of the PR and between e77a1f2 and 066bff3.

Files selected for processing (3)

• spiffworkflow-backend/keycloak/realm_exports/spiffworkflow-local-realm.json (14 hunks)
• spiffworkflow-backend/src/spiffworkflow_backend/config/init.py (1 hunks)
• spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py (6 hunks)

Files skipped from review as they are similar to previous changes (1)

• spiffworkflow-backend/src/spiffworkflow_backend/config/init.py

Additional comments not posted (11)

spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py (5)

143-145: LGTM!

The changes to the open_id_endpoint_for_name method are correct and improve the flexibility of the authentication service.

---

175-175: LGTM!

The changes to the jwks_public_key_for_key_id method are correct and ensure the use of the internal endpoint when necessary.

---

312-314: LGTM!

The changes to the get_auth_token_object method are correct and ensure the use of the internal endpoint when necessary.

---

443-445: LGTM!

The changes to the get_auth_token_from_refresh_token method are correct and ensure the use of the internal endpoint when necessary.

---

126-133: Update the type hint for the config variable.

The type hint for the config variable should be updated to match the expected type of str.

-  config: str = auth_config[uri_key]  # type: ignore
+  config: str = auth_config[uri_key]

Likely invalid or redundant comment.

spiffworkflow-backend/keycloak/realm_exports/spiffworkflow-local-realm.json (6)

444-454: Addition of new group object looks good.

The new group object is correctly structured and follows the expected schema for Keycloak groups.

---

471-475: Modification to otpSupportedApplications looks good.

Adding support for Microsoft Authenticator enhances OTP functionality.

---

510-510: Verify update to secretData.

Ensure that the update to the secretData field is intentional and follows security best practices.

---

669-703: Addition of new user entries looks good.

The new user entries enhance the realm's capabilities for service account management, allowing for more granular control over roles and access permissions.

---

2948-2948: Update to keycloakVersion looks good.

Updating the Keycloak version incorporates new features and security improvements.

---

2138-2138: Addition of referrerPolicy looks good.

Adding a referrerPolicy enhances security by controlling the amount of referrer information sent with requests.

[coderabbitai]

Actionable comments posted: 0

Outside diff range, codebase verification and nitpick comments (1)

spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py (1)

150-153: Ensure correct usage of the internal parameter in open_id_endpoint_for_name calls.

The open_id_endpoint_for_name method now propagates the internal parameter to the server_url method. However, the current function calls do not pass the internal parameter. Please review and update the following calls to correctly set the internal parameter as needed:

• spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py: jwks_uri = cls.open_id_endpoint_for_name("jwks_uri", authentication_identifier)
• spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py: self.__class__.open_id_endpoint_for_name("end_session_endpoint", authentication_identifier=authentication_identifier)
• spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py: self.open_id_endpoint_for_name("authorization_endpoint", authentication_identifier=authentication_identifier)
• spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py: request_url = self.open_id_endpoint_for_name("token_endpoint", authentication_identifier=authentication_identifier)
• spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py: request_url = cls.open_id_endpoint_for_name("token_endpoint", authentication_identifier=authentication_identifier)

Analysis chain

Verify function usage and correctness of internal parameter propagation.

The open_id_endpoint_for_name method now propagates the internal parameter to the server_url method. Ensure that all calls to this method correctly set the internal parameter as needed.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify all function calls to `open_id_endpoint_for_name` match the new signature.

# Test: Search for the function usage. Expect: Only occurrences of the new signature.
rg --type python -A 5 $'open_id_endpoint_for_name'

Length of output: 80

---

Script:

#!/bin/bash
# Description: Verify all function calls to `open_id_endpoint_for_name` match the new signature.

# Test: Search for the function usage. Expect: Only occurrences of the new signature.
rg --type py -A 5 $'open_id_endpoint_for_name'

Length of output: 5993

Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 066bff3 and 5f772b4.

Files selected for processing (1)

• spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py (5 hunks)

Additional comments not posted (4)

spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py (4)

75-75: Verify the consistency and correctness of the new field addition.

The internal_uri field has been added to the AuthenticationOptionForApi class. Ensure that this new field is consistently used and correctly handled throughout the codebase.

Verification successful

---

The internal_uri field is consistently and correctly handled throughout the codebase.

The internal_uri field is defined, checked, and used appropriately in the codebase. It is also included in the configuration files, indicating its proper integration.

• authentication_service.py: Defined and used in conditional statements.
• default.py: Configured with a default value.
• __init__.py: Configured with application settings.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the usage of the new `internal_uri` field in the codebase.

# Test: Search for the usage of the `internal_uri` field. Expect: Consistent and correct handling.
rg --type python -A 5 $'internal_uri'

Length of output: 67

---

Script:

#!/bin/bash
# Description: Verify the usage of the new `internal_uri` field in the codebase.

# Test: Search for the usage of the `internal_uri` field. Expect: Consistent and correct handling.
rg --type py -A 5 $'internal_uri'

Length of output: 2962

---

126-133: Verify function usage and correctness of internal parameter handling.

The server_url method now includes an internal parameter to return either the uri or internal_uri from the configuration. Ensure that all calls to this method correctly set the internal parameter as needed.

Verification successful

---

Verification successful.

The server_url method calls correctly handle the internal parameter as per the updated method signature.

• spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py: appropriate_server_url = cls.server_url(authentication_identifier, internal=True)
• spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py: if iss not in [cls.server_url(authentication_identifier), UserModel.spiff_generated_jwt_issuer()]
• spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py: f"SERVER_URL: {cls.server_url(authentication_identifier)}"

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify all function calls to `server_url` match the new signature.

# Test: Search for the function usage. Expect: Only occurrences of the new signature.
rg --type python -A 5 $'server_url'

Length of output: 65

---

Script:

#!/bin/bash
# Description: Verify all function calls to `server_url` match the new signature.

# Test: Search for the function usage. Expect: Only occurrences of the new signature.
rg --type py -A 5 $'server_url'

Length of output: 3880

---

444-446: Verify function usage and correctness of internal parameter handling.

The get_auth_token_from_refresh_token method now calls open_id_endpoint_for_name with the internal parameter set to True. Ensure that this change is consistent with the intended usage of the internal endpoint.

---

313-315: Verify function usage and correctness of internal parameter handling.

The get_auth_token_object method now calls open_id_endpoint_for_name with the internal parameter set to True. Ensure that this change is consistent with the intended usage of the internal endpoint.

[coderabbitai]

Actionable comments posted: 0

Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 5f772b4 and bb1cc52.

Files selected for processing (1)

• spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py (4 hunks)

Files skipped from review as they are similar to previous changes (1)

• spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py

[coderabbitai]

Actionable comments posted: 0

Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

Commits

Files that changed from the base of the PR and between bb1cc52 and 7fe1f77.

Files selected for processing (2)

• spiffworkflow-backend/keycloak/realm_exports/spiffworkflow-local-realm.json (16 hunks)
• spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py (7 hunks)

Files skipped from review as they are similar to previous changes (1)

• spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py

Additional comments not posted (6)

spiffworkflow-backend/keycloak/realm_exports/spiffworkflow-local-realm.json (6)

444-454: New Group Object Added

A new group object with ID a14e6081-ffd4-4925-9364-4916bcf74931 has been added. Ensure that this group is correctly integrated and utilized within the realm.

---

471-475: Support for Microsoft Authenticator Added

The otpSupportedApplications array now includes totpAppMicrosoftAuthenticatorName, indicating support for Microsoft Authenticator for OTP functionalities.

---

510-510: User Secret Data Updated

The secretData field for the user with ID 644ff652-31d1-4349-9340-ce3b5fb76b5c has been updated. Ensure that this update is intentional and the new secret is securely managed.

---

668-703: New User Entries Added

Two new user entries have been added:

1. User with ID d2a86264-e3ca-4a82-99b8-0a6cd714ded4 (service-account-spiffworkflow-backend)
2. User with ID bae51d14-9d82-468f-9e9d-1cd2cb507f15 (service-account-withauth)

Ensure that these service accounts are correctly configured and utilized within the realm.

---

2942-2942: Keycloak Version Updated

The Keycloak version has been updated from 20.0.1 to 22.0.4. Ensure that all new features and security improvements from this version are correctly integrated and utilized.

---

2132-2132: Referrer Policy Added

The referrerPolicy has been added to the browserSecurityHeaders, enhancing security and data handling practices.

[coderabbitai]

Actionable comments posted: 0

Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 7fe1f77 and 8edff6c.

Files selected for processing (1)

• spiffworkflow-backend/keycloak/realm_exports/spiffworkflow-local-realm.json (17 hunks)

Files skipped from review as they are similar to previous changes (1)

• spiffworkflow-backend/keycloak/realm_exports/spiffworkflow-local-realm.json