lionsdev/unionflow-mobile-apps
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
098894bdc114f4f46d886149a31b4fffa22ba83c
unionflow-mobile-apps/keycloak-resource-server-config.md
DahoudG f89f6167cc feat(mobile): Implement Keycloak WebView authentication with HTTP callback 
- Replace flutter_appauth with custom WebView implementation to resolve deep link issues
- Add KeycloakWebViewAuthService with integrated WebView for seamless authentication
- Configure Android manifest for HTTP cleartext traffic support
- Add network security config for development environment (192.168.1.11)
- Update Keycloak client to use HTTP callback endpoint (http://192.168.1.11:8080/auth/callback)
- Remove obsolete keycloak_auth_service.dart and temporary scripts
- Clean up dependencies and regenerate injection configuration
- Tested successfully on multiple Android devices (Xiaomi 2201116TG, SM A725F)

BREAKING CHANGE: Authentication flow now uses WebView instead of external browser
- Users will see Keycloak login page within the app instead of browser redirect
- Resolves ERR_CLEARTEXT_NOT_PERMITTED and deep link state management issues
- Maintains full OIDC compliance with PKCE flow and secure token storage

Technical improvements:
- WebView with custom navigation delegate for callback handling
- Automatic token extraction and user info parsing from JWT
- Proper error handling and user feedback
- Consistent authentication state management across app lifecycle
2025-09-15 01:44:16 +00:00

108 lines
3.2 KiB
Markdown
Raw Blame History

# Configuration Keycloak Resource Server pour UnionFlow
## Problème Identifié
Le client "unionflow-server" n'est pas configuré comme Resource Server dans Keycloak, causant des erreurs 403 avec le Policy Enforcer.
## Solution : Configuration du Resource Server
### 1. Accéder à Keycloak Admin Console
- URL: http://localhost:8180/admin
- Realm: unionflow
- Client: unionflow-server
### 2. Activer Authorization Services
1. Aller dans **Clients****unionflow-server**
2. Dans l'onglet **Settings**:
- **Authorization Enabled**: ON
- **Service Accounts Enabled**: ON
- **Standard Flow Enabled**: ON
3. Cliquer **Save**
### 3. Configurer les Resources
Dans l'onglet **Authorization****Resources**, créer:
#### Resource: evenements-api
- **Name**: evenements-api
- **Display Name**: API Événements
- **URI**: /api/evenements/*
- **Scopes**: read, write, delete
#### Resource: membres-api
- **Name**: membres-api
- **Display Name**: API Membres
- **URI**: /api/membres/*
- **Scopes**: read, write, delete
#### Resource: cotisations-api
- **Name**: cotisations-api
- **Display Name**: API Cotisations
- **URI**: /api/cotisations/*
- **Scopes**: read, write, delete
### 4. Configurer les Scopes
Dans **Authorization****Authorization Scopes**:
- **read**: Lecture des données
- **write**: Écriture des données
- **delete**: Suppression des données
### 5. Configurer les Policies
Dans **Authorization****Policies**:
#### Policy: Admin Policy
- **Type**: Role Based
- **Name**: admin-policy
- **Roles**: ADMIN, PRESIDENT
#### Policy: Member Policy
- **Type**: Role Based
- **Name**: member-policy
- **Roles**: MEMBRE, SECRETAIRE, TRESORIER
### 6. Configurer les Permissions
Dans **Authorization****Permissions**:
#### Permission: Événements Full Access
- **Name**: evenements-full-access
- **Resource**: evenements-api
- **Scopes**: read, write, delete
- **Policies**: admin-policy
#### Permission: Événements Read Access
- **Name**: evenements-read-access
- **Resource**: evenements-api
- **Scopes**: read
- **Policies**: member-policy
### 7. Vérifier la Configuration
1. Dans **Authorization****Evaluate**, tester avec différents utilisateurs
2. Vérifier que les tokens contiennent les bonnes permissions
## Configuration Application Properties
```properties
# Policy Enforcer en mode PERMISSIVE pour développement
%dev.quarkus.keycloak.policy-enforcer.enable=true
%dev.quarkus.keycloak.policy-enforcer.lazy-load-paths=true
%dev.quarkus.keycloak.policy-enforcer.enforcement-mode=PERMISSIVE
# Une fois configuré, passer en ENFORCING
%prod.quarkus.keycloak.policy-enforcer.enforcement-mode=ENFORCING
```
## Test de Validation
```bash
# 1. Obtenir un token
curl -X POST "http://localhost:8180/realms/unionflow/protocol/openid-connect/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=password&username=admin@unionflow.dev&password=admin123&client_id=unionflow-server&client_secret=unionflow-secret-2025"
# 2. Tester l'API avec le token
curl -H "Authorization: Bearer <TOKEN>" "http://localhost:8080/api/evenements/publics"
```
## Résultat Attendu
- ✅ Plus d'erreurs "invalid_clientId"
- ✅ API accessible avec authentification
- ✅ Permissions basées sur les rôles fonctionnelles
Reference in New Issue View Git Blame Copy Permalink