freezer/mareshq-backoffice-v1-monolith
Archived
1
0
Fork 0
Code Activity

refactor(nextauth): change provider from Google to Keycloak

Browse source 
- using self-hosted keycloak as SSO `https://sso.mareshq.com`
This commit is contained in:
Vojtěch Mareš 2023-09-02 17:37:45 +02:00
parent 083fe4565d
commit 2a7b833b2e
Signed by: vojtech.mares
GPG key ID: C6827B976F17240D
7 changed files with 40 additions and 25 deletions
Download patch file Download diff file Expand all files Collapse all files

7
.env.example
View file

@ -20,6 +20,7 @@ DATABASE_URL="postgresql://username:password@localhost:5432/database"
# NEXTAUTH_SECRET=""
NEXTAUTH_URL="http://localhost:3000"
# Next Auth Google Provider
GOOGLE_CLIENT_ID=""
GOOGLE_CLIENT_SECRET=""
# Next Auth Keycloak Provider
KEYCLOAK_CLIENT_ID=""
KEYCLOAK_CLIENT_SECRET=""
KEYCLOAK_ISSUER=""

20
.gitlab-ci.yml
View file

@ -46,8 +46,9 @@ deploy to staging (dry-run):
--set dockerconfigjsonBase64=dummy \
--set backoffice.secrets.databaseURL=dummy \
--set backoffice.secrets.nextauthSecret=dummy \
--set backoffice.secrets.googleClientID=dummy \
--set backoffice.secrets.googleClientSecret=dummy \
--set backoffice.secrets.keycloakClientID=dummy \
--set backoffice.secrets.keycloakClientSecret=dummy \
--set backoffice.secrets.keycloakIssuer=dummy \
backoffice \
./charts/backoffice
rules:
@ -72,8 +73,9 @@ deploy to production (dry-run):
--set dockerconfigjsonBase64=dummy \
--set backoffice.secrets.databaseURL=dummy \
--set backoffice.secrets.nextauthSecret=dummy \
--set backoffice.secrets.googleClientID=dummy \
--set backoffice.secrets.googleClientSecret=dummy \
--set backoffice.secrets.keycloakClientID=dummy \
--set backoffice.secrets.keycloakClientSecret=dummy \
--set backoffice.secrets.keycloakIssuer=dummy \
backoffice \
./charts/backoffice
rules:
@ -97,8 +99,9 @@ deploy to staging:
--set dockerconfigjsonBase64=$DOCKERCONFIG_BASE64 \
--set backoffice.secrets.databaseURL=$DATABASE_URL \
--set backoffice.secrets.nextauthSecret=$NEXTAUTH_SECRET \
--set backoffice.secrets.googleClientID=$GOOGLE_CLIENT_ID \
--set backoffice.secrets.googleClientSecret=$GOOGLE_CLIENT_SECRET \
--set backoffice.secrets.keycloakClientID=$KEYCLOAK_CLIENT_ID \
--set backoffice.secrets.keycloakClientSecret=$KEYCLOAK_CLIENT_SECRET \
--set backoffice.secrets.keycloakIssuer=$KEYCLOAK_ISSUER \
backoffice \
./charts/backoffice
environment:
@ -125,8 +128,9 @@ deploy to production:
--set dockerconfigjsonBase64=$DOCKERCONFIG_BASE64 \
--set backoffice.secrets.databaseURL=$DATABASE_URL \
--set backoffice.secrets.nextauthSecret=$NEXTAUTH_SECRET \
--set backoffice.secrets.googleClientID=$GOOGLE_CLIENT_ID \
--set backoffice.secrets.googleClientSecret=$GOOGLE_CLIENT_SECRET \
--set backoffice.secrets.keycloakClientID=$KEYCLOAK_CLIENT_ID \
--set backoffice.secrets.keycloakClientSecret=$KEYCLOAK_CLIENT_SECRET \
--set backoffice.secrets.keycloakIssuer=$KEYCLOAK_ISSUER \
backoffice \
./charts/backoffice
environment:

5
charts/backoffice/templates/secret-nextauth.yaml
View file

@ -8,5 +8,6 @@ metadata:
"helm.sh/hook-weight": "-15"
stringData:
NEXTAUTH_SECRET: {{ .Values.backoffice.secrets.nextauthSecret | quote }}
GOOGLE_CLIENT_ID: {{ .Values.backoffice.secrets.googleClientID | quote }}
GOOGLE_CLIENT_SECRET: {{ .Values.backoffice.secrets.googleClientSecret | quote }}
KEYCLOAK_CLIENT_ID: {{ .Values.backoffice.secrets.keycloakClientID | quote }}
KEYCLOAK_CLIENT_SECRET: {{ .Values.backoffice.secrets.keycloakClientSecret | quote }}
KEYCLOAK_ISSUER: {{ .Values.backoffice.secrets.keycloakIssuer | quote }}

5
charts/backoffice/values.dummy.yaml
View file

@ -2,8 +2,9 @@ backoffice:
secretes:
databaseURL: "postgres://postgres:postgres@localhost:5432/backoffice"
nextauthSecret: "secret"
googleClientID: "secret"
googleClientSecret: "secret"
keycloakClientID: "secret"
keycloakClientSecret: "secret"
keycloakIssuer: "secret"
image:
tag: dummy

5
charts/backoffice/values.yaml
View file

@ -52,7 +52,8 @@ backoffice:
secrets:
databaseURL: null
nextauthSecret: null
googleClientID: null
googleClientSecret: null
keycloakClientID: null
keycloakClientSecret: null
keycloakIssuer: null
dockerconfigjsonBase64: null

10
src/env.mjs
View file

@ -21,8 +21,9 @@ export const env = createEnv({
process.env.VERCEL ? z.string().min(1) : z.string().url(),
),
// Add `.min(1) on ID and SECRET if you want to make sure they're not empty
GOOGLE_CLIENT_ID: z.string(),
GOOGLE_CLIENT_SECRET: z.string(),
KEYCLOAK_CLIENT_ID: z.string(),
KEYCLOAK_CLIENT_SECRET: z.string(),
KEYCLOAK_ISSUER: z.string(),
},
/**
@ -43,8 +44,9 @@ export const env = createEnv({
NODE_ENV: process.env.NODE_ENV,
NEXTAUTH_SECRET: process.env.NEXTAUTH_SECRET,
NEXTAUTH_URL: process.env.NEXTAUTH_URL,
GOOGLE_CLIENT_ID: process.env.GOOGLE_CLIENT_ID,
GOOGLE_CLIENT_SECRET: process.env.GOOGLE_CLIENT_SECRET,
KEYCLOAK_CLIENT_ID: process.env.KEYCLOAK_CLIENT_ID,
KEYCLOAK_CLIENT_SECRET: process.env.KEYCLOAK_CLIENT_SECRET,
KEYCLOAK_ISSUER: process.env.KEYCLOAK_ISSUER,
},
/**
* Run `build` or `dev` with `SKIP_ENV_VALIDATION` to skip env validation.

13
src/server/auth.ts
View file

@ -5,7 +5,7 @@ import {
type NextAuthOptions,
type DefaultSession,
} from "next-auth";
import GoogleProvider from "next-auth/providers/google";
import KeycloakProvider from "next-auth/providers/keycloak";
import { env } from "~/env.mjs";
import { prisma } from "~/server/db";
@ -49,9 +49,14 @@ export const authOptions: NextAuthOptions = {
},
adapter: PrismaAdapter(prisma),
providers: [
GoogleProvider({
clientId: env.GOOGLE_CLIENT_ID,
clientSecret: env.GOOGLE_CLIENT_SECRET,
KeycloakProvider({
clientId: env.KEYCLOAK_CLIENT_ID,
clientSecret: env.KEYCLOAK_CLIENT_SECRET,
issuer: env.KEYCLOAK_ISSUER,
// authorizationUrl: env.KEYCLOAK_ISSUER + "/protocol/openid-connect/auth",
// accessTokenUrl: env.KEYCLOAK_ISSUER + "/protocol/openid-connect/token",
// profileUrl: env.KEYCLOAK_ISSUER + "/protocol/openid-connect/userinfo",
// wellKnown: env.KEYCLOAK_ISSUER + "/.well-known/openid-configuration",
}),
/**
* ...add more providers here.