f89f6167cc
- Replace flutter_appauth with custom WebView implementation to resolve deep link issues - Add KeycloakWebViewAuthService with integrated WebView for seamless authentication - Configure Android manifest for HTTP cleartext traffic support - Add network security config for development environment (192.168.1.11) - Update Keycloak client to use HTTP callback endpoint (http://192.168.1.11:8080/auth/callback) - Remove obsolete keycloak_auth_service.dart and temporary scripts - Clean up dependencies and regenerate injection configuration - Tested successfully on multiple Android devices (Xiaomi 2201116TG, SM A725F) BREAKING CHANGE: Authentication flow now uses WebView instead of external browser - Users will see Keycloak login page within the app instead of browser redirect - Resolves ERR_CLEARTEXT_NOT_PERMITTED and deep link state management issues - Maintains full OIDC compliance with PKCE flow and secure token storage Technical improvements: - WebView with custom navigation delegate for callback handling - Automatic token extraction and user info parsing from JWT - Proper error handling and user feedback - Consistent authentication state management across app lifecycle
3.2 KiB
3.2 KiB
Configuration Keycloak Resource Server pour UnionFlow
Problème Identifié
Le client "unionflow-server" n'est pas configuré comme Resource Server dans Keycloak, causant des erreurs 403 avec le Policy Enforcer.
Solution : Configuration du Resource Server
1. Accéder à Keycloak Admin Console
- URL: http://localhost:8180/admin
- Realm: unionflow
- Client: unionflow-server
2. Activer Authorization Services
- Aller dans Clients → unionflow-server
- Dans l'onglet Settings:
- Authorization Enabled: ON
- Service Accounts Enabled: ON
- Standard Flow Enabled: ON
- Cliquer Save
3. Configurer les Resources
Dans l'onglet Authorization → Resources, créer:
Resource: evenements-api
- Name: evenements-api
- Display Name: API Événements
- URI: /api/evenements/*
- Scopes: read, write, delete
Resource: membres-api
- Name: membres-api
- Display Name: API Membres
- URI: /api/membres/*
- Scopes: read, write, delete
Resource: cotisations-api
- Name: cotisations-api
- Display Name: API Cotisations
- URI: /api/cotisations/*
- Scopes: read, write, delete
4. Configurer les Scopes
Dans Authorization → Authorization Scopes:
- read: Lecture des données
- write: Écriture des données
- delete: Suppression des données
5. Configurer les Policies
Dans Authorization → Policies:
Policy: Admin Policy
- Type: Role Based
- Name: admin-policy
- Roles: ADMIN, PRESIDENT
Policy: Member Policy
- Type: Role Based
- Name: member-policy
- Roles: MEMBRE, SECRETAIRE, TRESORIER
6. Configurer les Permissions
Dans Authorization → Permissions:
Permission: Événements Full Access
- Name: evenements-full-access
- Resource: evenements-api
- Scopes: read, write, delete
- Policies: admin-policy
Permission: Événements Read Access
- Name: evenements-read-access
- Resource: evenements-api
- Scopes: read
- Policies: member-policy
7. Vérifier la Configuration
- Dans Authorization → Evaluate, tester avec différents utilisateurs
- Vérifier que les tokens contiennent les bonnes permissions
Configuration Application Properties
# Policy Enforcer en mode PERMISSIVE pour développement
%dev.quarkus.keycloak.policy-enforcer.enable=true
%dev.quarkus.keycloak.policy-enforcer.lazy-load-paths=true
%dev.quarkus.keycloak.policy-enforcer.enforcement-mode=PERMISSIVE
# Une fois configuré, passer en ENFORCING
%prod.quarkus.keycloak.policy-enforcer.enforcement-mode=ENFORCING
Test de Validation
# 1. Obtenir un token
curl -X POST "http://localhost:8180/realms/unionflow/protocol/openid-connect/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=password&username=admin@unionflow.dev&password=admin123&client_id=unionflow-server&client_secret=unionflow-secret-2025"
# 2. Tester l'API avec le token
curl -H "Authorization: Bearer <TOKEN>" "http://localhost:8080/api/evenements/publics"
Résultat Attendu
- ✅ Plus d'erreurs "invalid_clientId"
- ✅ API accessible avec authentification
- ✅ Permissions basées sur les rôles fonctionnelles