bugfix(KLEF-124): Redirect mode #10

Merged
isaacwallace123 merged 2 commits into main from fix/redirect-mode
Apr 3, 2026
@JeremyNRoos
Contributor

Pull Request

Summary

  • Fixes OIDC redirect mode (Authorization Code flow) being silently blocked by the Keycloak client configuration
  • Ensures the kleff-panel client always has standardFlowEnabled, wildcard redirect URIs, and web origins set — both on first install and on updates to existing clients

Related Issues

Closes #


Changes

What's Included

  • internal/adapters/keycloak/client.go: EnsureRealm now creates/updates the kleff-panel client with standardFlowEnabled: true, redirectUris: ["*"], and webOrigins: ["*"]; added PUT update path for when the client already exists (previously only CREATE was handled, leaving stale config on reinstall)

What's Not Included

  • Restricting redirect URIs to specific origins (intentionally left as * for self-hosted dev; production hardening is out of scope)
  • Headless mode is unaffected — directAccessGrantsEnabled remains true

Testing

How Was This Tested?

  • Tested locally: installed plugin with AUTH_MODE=redirect, verified Keycloak login page loads and redirect back to localhost:3000/auth/callback succeeds
  • Verified idempotency: reinstalling the plugin re-runs EnsureRealm and correctly updates the existing client

Test Coverage

  • Unit tests added or updated
  • Integration tests added or updated
  • Manually tested end-to-end

Breaking Changes

Does this PR introduce breaking changes?

  • Yes
  • No

Headless mode (directAccessGrantsEnabled) is preserved. The only change is enabling the standard flow that was previously blocked.


Security Considerations

  • This PR affects authentication or authorization logic
  • This PR touches secrets, tokens, or environment variables
  • This PR affects infrastructure, deployment pipelines, or network configuration

redirectUris: ["*"] is a wildcard. This is acceptable for a self-hosted development tool but should be tightened in a production-hardened deployment. No change to token validation logic.


Documentation

Does this PR require documentation updates?

  • Yes
  • No

UI/UX (If Applicable)

N/A — backend only.


Pre-Merge Checklist

  • PR title follows semantic format (feat:, fix:, chore:, docs:, refactor:, test:)
  • All CI checks passing
  • Code follows project style guidelines
  • No debug logs or commented-out code left in
  • Dependencies reviewed (no unnecessary additions)
  • No sensitive information included

Reviewer Notes

@JeremyNRoos JeremyNRoos self-assigned this Apr 3, 2026
@isaacwallace123 isaacwallace123 merged commit 7d96f0c into main Apr 3, 2026
1 check passed
@isaacwallace123 isaacwallace123 deleted the fix/redirect-mode branch April 3, 2026 05:53
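
A check for the wildcard settings named under Security Considerations, as an added example that is not code from this PR or the project. `AuditClient` and both sample JSON documents are assumptions constructed here; the field names are the ones quoted in the PR description.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Client holds the Keycloak client representation fields named in the PR.
type Client struct {
	ClientID            string   `json:"clientId"`
	StandardFlowEnabled bool     `json:"standardFlowEnabled"`
	RedirectURIs        []string `json:"redirectUris"`
	WebOrigins          []string `json:"webOrigins"`
}

// AuditClient (hypothetical helper) lists the settings to tighten before production use.
func AuditClient(raw []byte) ([]string, error) {
	var c Client
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("decode client: %w", err)
	}
	var out []string
	for _, u := range c.RedirectURIs {
		switch {
		case u == "*":
			out = append(out, "redirectUris: bare wildcard matches any callback URL")
		case strings.Contains(u, "*"):
			out = append(out, "redirectUris: pattern instead of exact URL: "+u)
		}
	}
	for _, o := range c.WebOrigins {
		if o == "*" {
			out = append(out, "webOrigins: wildcard allows CORS from any origin")
		}
	}
	return out, nil
}

// Constructed samples: the settings this PR applies, then a variant pinned to
// the callback used in the PR's local test.
const devClient = `{"clientId":"kleff-panel","standardFlowEnabled":true,"redirectUris":["*"],"webOrigins":["*"]}`
const pinnedClient = `{"clientId":"kleff-panel","standardFlowEnabled":true,"redirectUris":["http://localhost:3000/auth/callback"],"webOrigins":["http://localhost:3000"]}`

func main() {
	dev, _ := AuditClient([]byte(devClient))
	pinned, _ := AuditClient([]byte(pinnedClient))
	fmt.Println(len(dev), len(pinned), dev)
}
```

Run against the client JSON exported from the realm, the check gives a deployment pipeline a gate that fails while the development wildcards are still in place.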