lionsdev/unionflow-server-impl-quarkus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f89f6167cccae1da0c789a4603505aaf1c3a1d4f
unionflow-server-impl-quarkus/keycloak-resource-server-config.md
DahoudG f89f6167cc feat(mobile): Implement Keycloak WebView authentication with HTTP callback 
- Replace flutter_appauth with custom WebView implementation to resolve deep link issues
- Add KeycloakWebViewAuthService with integrated WebView for seamless authentication
- Configure Android manifest for HTTP cleartext traffic support
- Add network security config for development environment (192.168.1.11)
- Update Keycloak client to use HTTP callback endpoint (http://192.168.1.11:8080/auth/callback)
- Remove obsolete keycloak_auth_service.dart and temporary scripts
- Clean up dependencies and regenerate injection configuration
- Tested successfully on multiple Android devices (Xiaomi 2201116TG, SM A725F)

BREAKING CHANGE: Authentication flow now uses WebView instead of external browser
- Users will see Keycloak login page within the app instead of browser redirect
- Resolves ERR_CLEARTEXT_NOT_PERMITTED and deep link state management issues
- Maintains full OIDC compliance with PKCE flow and secure token storage

Technical improvements:
- WebView with custom navigation delegate for callback handling
- Automatic token extraction and user info parsing from JWT
- Proper error handling and user feedback
- Consistent authentication state management across app lifecycle
2025-09-15 01:44:16 +00:00

3.2 KiB
Raw Blame History

Configuration Keycloak Resource Server pour UnionFlow

Problème Identifié

Le client "unionflow-server" n'est pas configuré comme Resource Server dans Keycloak, causant des erreurs 403 avec le Policy Enforcer.

Solution : Configuration du Resource Server

1. Accéder à Keycloak Admin Console

2. Activer Authorization Services

  1. Aller dans Clientsunionflow-server
  2. Dans l'onglet Settings:
    • Authorization Enabled: ON
    • Service Accounts Enabled: ON
    • Standard Flow Enabled: ON
  3. Cliquer Save

3. Configurer les Resources

Dans l'onglet AuthorizationResources, créer:

Resource: evenements-api

  • Name: evenements-api
  • Display Name: API Événements
  • URI: /api/evenements/*
  • Scopes: read, write, delete

Resource: membres-api

  • Name: membres-api
  • Display Name: API Membres
  • URI: /api/membres/*
  • Scopes: read, write, delete

Resource: cotisations-api

  • Name: cotisations-api
  • Display Name: API Cotisations
  • URI: /api/cotisations/*
  • Scopes: read, write, delete

4. Configurer les Scopes

Dans AuthorizationAuthorization Scopes:

  • read: Lecture des données
  • write: Écriture des données
  • delete: Suppression des données

5. Configurer les Policies

Dans AuthorizationPolicies:

Policy: Admin Policy

  • Type: Role Based
  • Name: admin-policy
  • Roles: ADMIN, PRESIDENT

Policy: Member Policy

  • Type: Role Based
  • Name: member-policy
  • Roles: MEMBRE, SECRETAIRE, TRESORIER

6. Configurer les Permissions

Dans AuthorizationPermissions:

Permission: Événements Full Access

  • Name: evenements-full-access
  • Resource: evenements-api
  • Scopes: read, write, delete
  • Policies: admin-policy

Permission: Événements Read Access

  • Name: evenements-read-access
  • Resource: evenements-api
  • Scopes: read
  • Policies: member-policy

7. Vérifier la Configuration

  1. Dans AuthorizationEvaluate, tester avec différents utilisateurs
  2. Vérifier que les tokens contiennent les bonnes permissions

Configuration Application Properties

# Policy Enforcer en mode PERMISSIVE pour développement
%dev.quarkus.keycloak.policy-enforcer.enable=true
%dev.quarkus.keycloak.policy-enforcer.lazy-load-paths=true
%dev.quarkus.keycloak.policy-enforcer.enforcement-mode=PERMISSIVE

# Une fois configuré, passer en ENFORCING
%prod.quarkus.keycloak.policy-enforcer.enforcement-mode=ENFORCING

Test de Validation

# 1. Obtenir un token
curl -X POST "http://localhost:8180/realms/unionflow/protocol/openid-connect/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=password&username=admin@unionflow.dev&password=admin123&client_id=unionflow-server&client_secret=unionflow-secret-2025"

# 2. Tester l'API avec le token
curl -H "Authorization: Bearer <TOKEN>" "http://localhost:8080/api/evenements/publics"

Résultat Attendu

  • Plus d'erreurs "invalid_clientId"
  • API accessible avec authentification
  • Permissions basées sur les rôles fonctionnelles