btpxpress-backend/src/main/resources/application-prod.properties
DahoudG 7df5f346f1 Refactor: Backend Frontend-Centric Auth - Remove OIDC, JWT validation
Architecture changed to Frontend-Centric Authentication:

1. **Removal of OIDC dependencies**
   - quarkus-oidc → quarkus-smallrye-jwt
   - quarkus-keycloak-authorization → quarkus-smallrye-jwt-build
   - The backend no longer handles OAuth authentication

2. **Simple JWT configuration**
   - Validation of the JWT tokens sent by the frontend
   - mp.jwt.verify.publickey.location (Keycloak JWKS)
   - mp.jwt.verify.issuer (Keycloak realm)
   - Authentication via the Authorization: Bearer header

3. **Removal of OIDC configuration**
   - application.properties: removed %dev.quarkus.oidc.*
   - application.properties: removed %prod.quarkus.oidc.*
   - application-prod.properties: replaced with mp.jwt.*
   - Logging: io.quarkus.oidc → io.quarkus.smallrye.jwt

4. **Simplified security**
   - quarkus.security.auth.proactive=false
   - @Authenticated on the endpoints
   - CORS configured for the frontend
   - Public endpoints: /q/*, /openapi, /swagger-ui/*

Authentication flow:
1️⃣ Frontend → Keycloak (OAuth login)
2️⃣ Frontend ← Keycloak (access_token)
3️⃣ Frontend → Backend (Authorization: Bearer token)
4️⃣ Backend validates the JWT token (signature + issuer)
5️⃣ Backend → Frontend (API data)

Benefits:
- No backend secret to manage
- No btpxpress-backend client in Keycloak
- Clear frontend/backend separation
- The backend becomes a stateless REST API
- Tokens managed by the frontend (localStorage/sessionStorage)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-31 17:05:11 +00:00


# Production configuration for BTP Xpress - Frontend-Centric Auth
# Required environment variables:
# - DB_URL : PostgreSQL database URL
# - DB_USERNAME : database user name
# - DB_PASSWORD : database password
# The frontend handles OAuth authentication with Keycloak
# The backend only validates the JWT tokens sent by the frontend
# Database
quarkus.datasource.jdbc.url=${DB_URL:jdbc:postgresql://postgres:5432/btpxpress}
quarkus.datasource.username=${DB_USERNAME:btpxpress_user}
quarkus.datasource.password=${DB_PASSWORD}
quarkus.hibernate-orm.database.generation=validate
quarkus.hibernate-orm.log.sql=false
quarkus.hibernate-orm.log.bind-parameters=false
# HTTP server
quarkus.http.port=${SERVER_PORT:8080}
quarkus.http.host=0.0.0.0
# Note: Ingress nginx uses rewrite-target to strip /btpxpress prefix before forwarding
# Backend serves endpoints directly without context path (e.g., /api/v1/users, /q/health)
# External URL: https://api.lions.dev/btpxpress/... → Backend receives: /...
# CORS configuration for production
quarkus.http.cors=true
quarkus.http.cors.origins=https://btpxpress.lions.dev
quarkus.http.cors.methods=GET,POST,PUT,DELETE,OPTIONS
quarkus.http.cors.headers=Content-Type,Authorization,X-Requested-With
quarkus.http.cors.exposed-headers=Content-Disposition
quarkus.http.cors.access-control-max-age=24H
quarkus.http.cors.access-control-allow-credentials=true
# JWT validation - tokens sent by the frontend
mp.jwt.verify.publickey.location=https://security.lions.dev/realms/btpxpress/protocol/openid-connect/certs
mp.jwt.verify.issuer=https://security.lions.dev/realms/btpxpress
quarkus.smallrye-jwt.enabled=true
quarkus.smallrye-jwt.auth-mechanism=MP-JWT
quarkus.smallrye-jwt.require-named-principal=false
# Security
quarkus.security.auth.enabled=true
quarkus.security.auth.proactive=false
# Permissions for public access to the documentation and health endpoints
quarkus.http.auth.permission.public.paths=/q/*,/openapi,/swagger-ui/*
quarkus.http.auth.permission.public.policy=permit
# JWT authentication required for all other endpoints
quarkus.http.auth.permission.authenticated.paths=/*
quarkus.http.auth.permission.authenticated.policy=authenticated
# Logging
quarkus.log.level=INFO
quarkus.log.category."dev.lions.btpxpress".level=INFO
quarkus.log.category."org.hibernate".level=WARN
quarkus.log.category."io.quarkus".level=INFO
quarkus.log.category."io.quarkus.smallrye.jwt".level=INFO
# Metrics and monitoring
quarkus.micrometer.export.prometheus.enabled=true
quarkus.micrometer.export.prometheus.path=/metrics
quarkus.smallrye-health.ui.enable=true
# Cache
quarkus.cache.caffeine.default.initial-capacity=100
quarkus.cache.caffeine.default.maximum-size=1000
quarkus.cache.caffeine.default.expire-after-write=PT30M
# Connection pool tuned for production
quarkus.datasource.jdbc.initial-size=10
quarkus.datasource.jdbc.min-size=10
quarkus.datasource.jdbc.max-size=50
quarkus.datasource.jdbc.acquisition-timeout=PT30S
quarkus.datasource.jdbc.leak-detection-interval=PT10M
# OpenAPI/Swagger
quarkus.swagger-ui.always-include=true
quarkus.swagger-ui.path=/swagger-ui
quarkus.swagger-ui.urls.default=/btpxpress/openapi
quarkus.smallrye-openapi.path=/openapi
quarkus.smallrye-openapi.info-title=BTP Xpress API
quarkus.smallrye-openapi.info-version=1.0.0
quarkus.smallrye-openapi.info-description=Backend REST API for BTP Xpress application
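Step 4 of the flow in the commit message is what the mp.jwt.verify.* lines above delegate to SmallRye JWT. The following is an added Python example, not project code and not the SmallRye implementation: it stands up a constructed RS256 key pair and JWKS document in place of the Keycloak certs endpoint, issues a token the way the frontend would receive one, and then runs the backend-side checks (alg pinned to RS256, key selected by kid, signature, issuer, exp). The key generation, the kid and all claim values are constructed for the demo; only the issuer URL comes from the file.

```python
import base64, hashlib, json, random, time

ISSUER = "https://security.lions.dev/realms/btpxpress"  # value of mp.jwt.verify.issuer above
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 s9.2

def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _int(b): return int.from_bytes(b, "big")

def _prime(bits):  # Fermat-tested random prime; only for building the constructed demo key
    while True:
        n = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if n % 65537 != 1 and all(pow(random.randrange(2, n - 1), n - 1, n) == 1 for _ in range(16)):
            return n

def make_keypair(bits=1024):  # stands in for the Keycloak realm signing key (constructed)
    p, q, e = _prime(bits // 2), _prime(bits // 2), 65537  # p, q % e != 1 keeps e invertible
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def _emsa(msg, k):  # EMSA-PKCS1-v1_5 encoding of SHA-256(msg); k = modulus length in bytes
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def rs256_sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(_int(_emsa(msg, k)), d, n).to_bytes(k, "big")
def rs256_verify(msg, sig, n, e):
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(_int(sig), e, n).to_bytes(k, "big") == _emsa(msg, k)

def jwks_from(n, e, kid):  # shape of the document served at .../openid-connect/certs
    num = lambda x: b64u(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid, "n": num(n), "e": num(e)}]}

def issue_token(claims, kid, n, d):  # the access_token the frontend gets from Keycloak (step 2)
    h, p = b64u(json.dumps({"alg": "RS256", "kid": kid}).encode()), b64u(json.dumps(claims).encode())
    return f"{h}.{p}.{b64u(rs256_sign(f'{h}.{p}'.encode(), n, d))}"

def validate(token, jwks, issuer, now=None):
    """Backend side of step 4: RS256 only, key by kid, signature, issuer, exp. None = reject (401)."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header, claims, sig = json.loads(b64u_dec(h_b64)), json.loads(b64u_dec(p_b64)), b64u_dec(s_b64)
    except ValueError:  # malformed token, bad base64 or bad JSON (all are ValueError subclasses)
        return None
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    # alg is pinned by the verifier, never taken from the token ('none' / HMAC downgrades fail here)
    if header.get("alg") != "RS256" or key is None or not rs256_verify(
            f"{h_b64}.{p_b64}".encode(), sig, _int(b64u_dec(key["n"])), _int(b64u_dec(key["e"]))):
        return None
    if claims.get("iss") != issuer or claims.get("exp", 0) <= (now or time.time()):
        return None
    return claims
```

SmallRye JWT additionally refreshes the JWKS from the configured location and applies audience, nbf and clock-skew rules; this demo stops at the checks the commit message names.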