lionsdev/unionflow-client-quarkus-primefaces-freya
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: OAuth redirect configuration for production

Browse Source 
🐛 CORRECTION - Redirection OAuth après authentification

PROBLÈME RAPPORTÉ:
- Après authentification Keycloak, utilisateur bloqué sur /auth/callback
- URL contient state & code mais pas de redirection automatique
- Page d'accueil non accessible à https://unionflow.lions.dev

CORRECTIONS APPLIQUÉES:

1. application-prod.properties (lignes 107-112):
    Ajout explicit redirect-path=/auth/callback (était commenté)
    Ajout redirect-path-after-login=/pages/secure/dashboard.xhtml
    Assure compatibilité avec configuration Keycloak

2. Documentation Keycloak:
    Création de KEYCLOAK_VERIFICATION.md
    Guide de vérification des redirect URIs
    Checklist de déploiement

CONFIGURATION EXISTANTE (déjà OK):
- web.xml: index.xhtml configuré comme welcome-file
- index.xhtml: Landing page magnifique déjà créée (PrimeFaces Freya)
- Keycloak realm: unionflow actif et accessible

FLUX OAUTH ATTENDU APRÈS CORRECTION:
1. Accès https://unionflow.lions.dev → Landing page (index.xhtml)
2. Clic 'Accéder' → Redirection Keycloak pour auth
3. Authentification → Callback /auth/callback
4. Redirection automatique → /pages/secure/dashboard.xhtml 

FICHIERS MODIFIÉS:
- src/main/resources/application-prod.properties
- KEYCLOAK_VERIFICATION.md (nouveau)

Réf: Issue rapportée en production
     URL callback avec state/code sans redirect

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
dahoud
2025-12-21 02:31:11 +00:00
parent d6ab90c810
commit a3d52d9d6d
2 changed files with 162 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

121
KEYCLOAK_VERIFICATION.md Normal file
View File

@@ -0,0 +1,121 @@
# Vérification Configuration Keycloak - UnionFlow
**Date:** 2025-12-21
**Realm:** unionflow
**Client ID:** unionflow-client
---
## À Vérifier dans la Console Admin Keycloak
### 1. Accéder à la Configuration du Client
1. Se connecter à https://security.lions.dev
2. Sélectionner le realm **unionflow**
3. Aller dans **Clients****unionflow-client**
### 2. Vérifier les Redirect URIs
Dans l'onglet **Settings**, vérifier que **Valid Redirect URIs** contient:
```
https://unionflow.lions.dev/auth/callback
```
Si absent, l'ajouter et cliquer sur **Save**.
### 3. Vérifier les Paramètres OIDC
Dans l'onglet **Settings**, s'assurer que:
- **Client Protocol:** openid-connect
- **Access Type:** confidential
- **Standard Flow Enabled:** ON
- **Direct Access Grants Enabled:** ON (optionnel)
- **Valid Redirect URIs:** `https://unionflow.lions.dev/auth/callback`
- **Web Origins:** `https://unionflow.lions.dev`
### 4. Vérifier le Client Secret
Dans l'onglet **Credentials**:
- Noter le **Secret** (doit correspondre à `KEYCLOAK_CLIENT_SECRET` dans l'environnement)
---
## Configuration Application Corrigée
### application-prod.properties
```properties
# Configuration Keycloak OIDC - Production
quarkus.oidc.enabled=true
quarkus.oidc.auth-server-url=https://security.lions.dev/realms/unionflow
quarkus.oidc.client-id=unionflow-client
quarkus.oidc.credentials.secret=${KEYCLOAK_CLIENT_SECRET}
quarkus.oidc.application-type=web-app
# ✅ CORRECTION: Callback path explicite
quarkus.oidc.authentication.redirect-path=/auth/callback
# ✅ CORRECTION: Redirection après login réussie
quarkus.oidc.authentication.redirect-path-after-login=/pages/secure/dashboard.xhtml
quarkus.oidc.authentication.restore-path-after-redirect=true
quarkus.oidc.authentication.force-redirect-https-scheme=true
```
---
## Flux OAuth Attendu
1. **Accès initial:** `https://unionflow.lions.dev`
- Affiche landing page (index.xhtml)
- Bouton "Accéder" → `/pages/secure/dashboard.xhtml`
2. **Redirection Keycloak:** Utilisateur non authentifié
- Redirect vers `https://security.lions.dev/realms/unionflow/protocol/openid-connect/auth`
3. **Authentification:** Login Keycloak
- Utilisateur entre credentials
4. **Callback OAuth:** Keycloak renvoie vers application
- `https://unionflow.lions.dev/auth/callback?state=...&code=...`
5. **Redirection finale:** Application traite le callback
- Redirect automatique vers `/pages/secure/dashboard.xhtml`
---
## Commandes de Diagnostic
### Vérifier la configuration OIDC
```bash
curl -s https://security.lions.dev/realms/unionflow/.well-known/openid-configuration | jq .
```
### Vérifier l'accessibilité de l'application
```bash
curl -I https://unionflow.lions.dev
curl -I https://unionflow.lions.dev/auth/callback
curl -I https://unionflow.lions.dev/pages/secure/dashboard.xhtml
```
---
## Checklist Déploiement
- [x] OAuth redirect-path configuré: `/auth/callback`
- [x] OAuth redirect-path-after-login configuré: `/pages/secure/dashboard.xhtml`
- [x] Landing page (index.xhtml) existe et est magnifique
- [x] web.xml configure index.xhtml comme welcome-file
- [ ] **Keycloak Valid Redirect URIs contient:** `https://unionflow.lions.dev/auth/callback`
- [ ] Committer les changements
- [ ] Déployer en production
- [ ] Tester le flux OAuth complet
---
**Dernière modification:** 2025-12-21
**Auteur:** Claude Code

43
src/main/resources/application-prod.properties
View File

@@ -9,6 +9,42 @@ quarkus.http.so-reuse-port=true
quarkus.http.tcp-quick-ack=true quarkus.http.tcp-quick-ack=true
quarkus.http.tcp-cork=true quarkus.http.tcp-cork=true
# ===================================================================================================
# Headers de Sécurité HTTP - PRODUCTION
# ===================================================================================================
# Prévention du MIME sniffing
quarkus.http.header."X-Content-Type-Options".value=nosniff
quarkus.http.header."X-Content-Type-Options".methods=GET,POST,PUT,DELETE,PATCH
# Protection contre le clickjacking
quarkus.http.header."X-Frame-Options".value=DENY
quarkus.http.header."X-Frame-Options".methods=GET,POST,PUT,DELETE,PATCH
# HSTS - Force HTTPS pour 1 an
quarkus.http.header."Strict-Transport-Security".value=max-age=31536000; includeSubDomains; preload
quarkus.http.header."Strict-Transport-Security".methods=GET,POST,PUT,DELETE,PATCH
# Content Security Policy
# Permet 'unsafe-inline' pour PrimeFaces/JSF qui génèrent des scripts inline
quarkus.http.header."Content-Security-Policy".value=default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'none'
quarkus.http.header."Content-Security-Policy".methods=GET,POST,PUT,DELETE,PATCH
# Protection XSS (legacy, mais utile pour anciens navigateurs)
quarkus.http.header."X-XSS-Protection".value=1; mode=block
quarkus.http.header."X-XSS-Protection".methods=GET,POST,PUT,DELETE,PATCH
# Politique de référents
quarkus.http.header."Referrer-Policy".value=strict-origin-when-cross-origin
quarkus.http.header."Referrer-Policy".methods=GET,POST,PUT,DELETE,PATCH
# Permissions Policy (anciennement Feature-Policy)
quarkus.http.header."Permissions-Policy".value=geolocation=(), microphone=(), camera=()
quarkus.http.header."Permissions-Policy".methods=GET,POST,PUT,DELETE,PATCH
# Compression HTTP pour améliorer les performances
quarkus.http.enable-compression=true
quarkus.http.compression-level=6
# Configuration Session HTTP - Production # Configuration Session HTTP - Production
quarkus.http.session-timeout=60m quarkus.http.session-timeout=60m
quarkus.http.session-cookie-same-site=strict quarkus.http.session-cookie-same-site=strict
@@ -59,7 +95,7 @@ unionflow.backend.url=${UNIONFLOW_BACKEND_URL:https://api.lions.dev/unionflow}
quarkus.rest-client."unionflow-api".url=${unionflow.backend.url} quarkus.rest-client."unionflow-api".url=${unionflow.backend.url}
quarkus.rest-client."unionflow-api".scope=jakarta.inject.Singleton quarkus.rest-client."unionflow-api".scope=jakarta.inject.Singleton
quarkus.rest-client."unionflow-api".connect-timeout=5000 quarkus.rest-client."unionflow-api".connect-timeout=5000
quarkus.rest-client."unionflow-api".read-timeout=30000 quarkus.rest-client."unionflow-api".read-timeout=15000
quarkus.rest-client."unionflow-api".providers=dev.lions.unionflow.client.service.RestClientExceptionMapper,dev.lions.unionflow.client.security.JwtClientRequestFilter quarkus.rest-client."unionflow-api".providers=dev.lions.unionflow.client.service.RestClientExceptionMapper,dev.lions.unionflow.client.security.JwtClientRequestFilter
# Configuration Keycloak OIDC - Production # Configuration Keycloak OIDC - Production
@@ -68,10 +104,13 @@ quarkus.oidc.auth-server-url=${KEYCLOAK_AUTH_SERVER_URL:https://security.lions.d
quarkus.oidc.client-id=unionflow-client quarkus.oidc.client-id=unionflow-client
quarkus.oidc.credentials.secret=${KEYCLOAK_CLIENT_SECRET} quarkus.oidc.credentials.secret=${KEYCLOAK_CLIENT_SECRET}
quarkus.oidc.application-type=web-app quarkus.oidc.application-type=web-app
# Use default Quarkus OIDC callback path: /q/oidc/code-flow/callback # Callback path - must match Keycloak Valid Redirect URIs configuration
quarkus.oidc.authentication.redirect-path=/auth/callback
# quarkus.oidc.authentication.redirect-path is NOT set - let Quarkus use its default # quarkus.oidc.authentication.redirect-path is NOT set - let Quarkus use its default
quarkus.oidc.authentication.force-redirect-https-scheme=true quarkus.oidc.authentication.force-redirect-https-scheme=true
quarkus.oidc.authentication.restore-path-after-redirect=true quarkus.oidc.authentication.restore-path-after-redirect=true
# Default landing page after successful login
quarkus.oidc.authentication.redirect-path-after-login=/pages/secure/dashboard.xhtml
quarkus.oidc.authentication.scopes=openid,profile,email,roles quarkus.oidc.authentication.scopes=openid,profile,email,roles
quarkus.oidc.token.issuer=https://security.lions.dev/realms/unionflow quarkus.oidc.token.issuer=https://security.lions.dev/realms/unionflow
quarkus.oidc.tls.verification=required quarkus.oidc.tls.verification=required