From 2a7b833b2ec4908d8a70d1ac94949f578623d641 Mon Sep 17 00:00:00 2001
From: Vojtech Mares
Date: Sat, 2 Sep 2023 17:37:45 +0200
Subject: [PATCH] refactor(nextauth): change provider from Google to Keycloak

- using self-hosted keycloak as SSO `https://sso.mareshq.com`
---
 .env.example | 7 ++++---
 .gitlab-ci.yml | 20 +++++++++++--------
 .../backoffice/templates/secret-nextauth.yaml | 5 +++--
 charts/backoffice/values.dummy.yaml | 5 +++--
 charts/backoffice/values.yaml | 5 +++--
 src/env.mjs | 10 ++++++----
 src/server/auth.ts | 13 ++++++++----
 7 files changed, 40 insertions(+), 25 deletions(-)

diff --git a/.env.example b/.env.example
index cba7d35..e2be20b 100644
--- a/.env.example
+++ b/.env.example
@@ -20,6 +20,7 @@ DATABASE_URL="postgresql://username:password@localhost:5432/database"
 # NEXTAUTH_SECRET=""
 NEXTAUTH_URL="http://localhost:3000"
-# Next Auth Google Provider
-GOOGLE_CLIENT_ID=""
-GOOGLE_CLIENT_SECRET=""
+# Next Auth Keycloak Provider
+KEYCLOAK_CLIENT_ID=""
+KEYCLOAK_CLIENT_SECRET=""
+KEYCLOAK_ISSUER=""
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 0181ceb..399573d 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -46,8 +46,9 @@ deploy to staging (dry-run):
 --set dockerconfigjsonBase64=dummy \
 --set backoffice.secrets.databaseURL=dummy \
 --set backoffice.secrets.nextauthSecret=dummy \
- --set backoffice.secrets.googleClientID=dummy \
- --set backoffice.secrets.googleClientSecret=dummy \
+ --set backoffice.secrets.keycloakClientID=dummy \
+ --set backoffice.secrets.keycloakClientSecret=dummy \
+ --set backoffice.secrets.keycloakIssuer=dummy \
 backoffice \
 ./charts/backoffice
 rules:
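Review bot: `KEYCLOAK_ISSUER=""` in the .env.example hunk gives no hint of the expected value, and the issuer is the one new setting whose shape is not self-evident, since the provider builds its discovery and endpoint URLs by appending paths to it (the commented-out URLs in src/server/auth.ts in this same patch show that concatenation). Add a comment above it such as `# Realm issuer URL, e.g. https://<keycloak-host>/realms/<realm> (no trailing slash; older Keycloak releases include an /auth prefix)`. With a trailing slash the concatenated paths would contain a doubled `//`, which is the kind of misconfiguration that only surfaces at first sign-in.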
@@ -72,8 +73,9 @@ deploy to production (dry-run):
 --set dockerconfigjsonBase64=dummy \
 --set backoffice.secrets.databaseURL=dummy \
 --set backoffice.secrets.nextauthSecret=dummy \
- --set backoffice.secrets.googleClientID=dummy \
- --set backoffice.secrets.googleClientSecret=dummy \
+ --set backoffice.secrets.keycloakClientID=dummy \
+ --set backoffice.secrets.keycloakClientSecret=dummy \
+ --set backoffice.secrets.keycloakIssuer=dummy \
 backoffice \
 ./charts/backoffice
 rules:
@@ -97,8 +99,9 @@ deploy to staging:
 --set dockerconfigjsonBase64=$DOCKERCONFIG_BASE64 \
 --set backoffice.secrets.databaseURL=$DATABASE_URL \
 --set backoffice.secrets.nextauthSecret=$NEXTAUTH_SECRET \
- --set backoffice.secrets.googleClientID=$GOOGLE_CLIENT_ID \
- --set backoffice.secrets.googleClientSecret=$GOOGLE_CLIENT_SECRET \
+ --set backoffice.secrets.keycloakClientID=$KEYCLOAK_CLIENT_ID \
+ --set backoffice.secrets.keycloakClientSecret=$KEYCLOAK_CLIENT_SECRET \
+ --set backoffice.secrets.keycloakIssuer=$KEYCLOAK_ISSUER \
 backoffice \
 ./charts/backoffice
 environment:
@@ -125,8 +128,9 @@ deploy to production:
 --set dockerconfigjsonBase64=$DOCKERCONFIG_BASE64 \
 --set backoffice.secrets.databaseURL=$DATABASE_URL \
 --set backoffice.secrets.nextauthSecret=$NEXTAUTH_SECRET \
- --set backoffice.secrets.googleClientID=$GOOGLE_CLIENT_ID \
- --set backoffice.secrets.googleClientSecret=$GOOGLE_CLIENT_SECRET \
+ --set backoffice.secrets.keycloakClientID=$KEYCLOAK_CLIENT_ID \
+ --set backoffice.secrets.keycloakClientSecret=$KEYCLOAK_CLIENT_SECRET \
+ --set backoffice.secrets.keycloakIssuer=$KEYCLOAK_ISSUER \
 backoffice \
 ./charts/backoffice
 environment:
diff --git a/charts/backoffice/templates/secret-nextauth.yaml b/charts/backoffice/templates/secret-nextauth.yaml
index 03e1f3a..956a7b6 100644
--- a/charts/backoffice/templates/secret-nextauth.yaml
+++ b/charts/backoffice/templates/secret-nextauth.yaml
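Review bot: In the `deploy to staging` hunk (and identically in `deploy to production`), the new `--set backoffice.secrets.keycloakClientSecret=$KEYCLOAK_CLIENT_SECRET \` line passes the client secret to helm as a command-line argument, where it is visible in the runner's process list for the duration of the call and in any command tracing or `--debug` output; this mirrors the existing `nextauthSecret` line, so it is not new, but the line added here extends the pattern. If `KEYCLOAK_CLIENT_SECRET` is switched to a file-type CI variable, `--set-file backoffice.secrets.keycloakClientSecret=$KEYCLOAK_CLIENT_SECRET \` keeps the value off the argument vector, and a values file generated from CI variables would do the same for the whole `secrets` group; either way the variable should stay masked in the project settings. `KEYCLOAK_ISSUER` is a public URL rather than a secret, so placing it under `backoffice.secrets` is only a naming nit, but it does mean the issuer ends up in the Kubernetes Secret rather than a ConfigMap.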
@@ -8,5 +8,6 @@ metadata:
 "helm.sh/hook-weight": "-15"
 stringData:
 NEXTAUTH_SECRET: {{ .Values.backoffice.secrets.nextauthSecret | quote }}
- GOOGLE_CLIENT_ID: {{ .Values.backoffice.secrets.googleClientID | quote }}
- GOOGLE_CLIENT_SECRET: {{ .Values.backoffice.secrets.googleClientSecret | quote }}
+ KEYCLOAK_CLIENT_ID: {{ .Values.backoffice.secrets.keycloakClientID | quote }}
+ KEYCLOAK_CLIENT_SECRET: {{ .Values.backoffice.secrets.keycloakClientSecret | quote }}
+ KEYCLOAK_ISSUER: {{ .Values.backoffice.secrets.keycloakIssuer | quote }}
diff --git a/charts/backoffice/values.dummy.yaml b/charts/backoffice/values.dummy.yaml
index 17d932b..0ae33e0 100644
--- a/charts/backoffice/values.dummy.yaml
+++ b/charts/backoffice/values.dummy.yaml
@@ -2,8 +2,9 @@ backoffice:
 secretes:
 databaseURL: "postgres://postgres:postgres@localhost:5432/backoffice"
 nextauthSecret: "secret"
- googleClientID: "secret"
- googleClientSecret: "secret"
+ keycloakClientID: "secret"
+ keycloakClientSecret: "secret"
+ keycloakIssuer: "secret"
 image:
 tag: dummy
diff --git a/charts/backoffice/values.yaml b/charts/backoffice/values.yaml
index d214a2a..f1041c6 100644
--- a/charts/backoffice/values.yaml
+++ b/charts/backoffice/values.yaml
@@ -52,7 +52,8 @@ backoffice:
 secrets:
 databaseURL: null
 nextauthSecret: null
- googleClientID: null
- googleClientSecret: null
+ keycloakClientID: null
+ keycloakClientSecret: null
+ keycloakIssuer: null
 dockerconfigjsonBase64: null
diff --git a/src/env.mjs b/src/env.mjs
index 9644ed3..f16cdac 100644
--- a/src/env.mjs
+++ b/src/env.mjs
@@ -21,8 +21,9 @@ export const env = createEnv({
 process.env.VERCEL ? z.string().min(1) : z.string().url(),
 ),
 // Add `.min(1) on ID and SECRET if you want to make sure they're not empty
- GOOGLE_CLIENT_ID: z.string(),
- GOOGLE_CLIENT_SECRET: z.string(),
+ KEYCLOAK_CLIENT_ID: z.string(),
+ KEYCLOAK_CLIENT_SECRET: z.string(),
+ KEYCLOAK_ISSUER: z.string(),
 },
 /**
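Review bot: In the values.dummy.yaml hunk the three added keys sit under `secretes:` (a context line of the hunk), while the chart template in this same patch reads `.Values.backoffice.secrets.keycloakIssuer` and values.yaml declares `secrets:`, so rendering with the dummy file leaves every KEYCLOAK_* entry of the Secret empty and the "dummy" values never exercise the real path. The typo predates this commit, but the new lines inherit it; rename the key to `secrets:` so the dummy file and values.yaml agree with the template. A `helm template` run against values.dummy.yaml in the dry-run jobs would catch this kind of drift if the template asserted non-empty values with `required`.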
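Review bot: `KEYCLOAK_ISSUER: z.string()` in the src/env.mjs hunk accepts an empty or non-URL value, yet the issuer is the base from which the provider derives its OIDC discovery and token endpoints, so a malformed value is only detected at the first sign-in instead of at startup; the `NEXTAUTH_URL` entry on the context line just above already uses `z.string().url()`. Change it to `KEYCLOAK_ISSUER: z.string().url(),`. The `// Add .min(1) on ID and SECRET` comment above the new entries also applies here: `z.string().min(1)` on `KEYCLOAK_CLIENT_ID` and `KEYCLOAK_CLIENT_SECRET` would reject a blank client secret before it is ever sent to the IdP. The `createEnv({` object continues outside the hunk.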
@@ -43,8 +44,9 @@ export const env = createEnv({
 NODE_ENV: process.env.NODE_ENV,
 NEXTAUTH_SECRET: process.env.NEXTAUTH_SECRET,
 NEXTAUTH_URL: process.env.NEXTAUTH_URL,
- GOOGLE_CLIENT_ID: process.env.GOOGLE_CLIENT_ID,
- GOOGLE_CLIENT_SECRET: process.env.GOOGLE_CLIENT_SECRET,
+ KEYCLOAK_CLIENT_ID: process.env.KEYCLOAK_CLIENT_ID,
+ KEYCLOAK_CLIENT_SECRET: process.env.KEYCLOAK_CLIENT_SECRET,
+ KEYCLOAK_ISSUER: process.env.KEYCLOAK_ISSUER,
 },
 /**
 * Run `build` or `dev` with `SKIP_ENV_VALIDATION` to skip env validation.
diff --git a/src/server/auth.ts b/src/server/auth.ts
index c94b788..3328cf6 100644
--- a/src/server/auth.ts
+++ b/src/server/auth.ts
@@ -5,7 +5,7 @@ import {
 type NextAuthOptions,
 type DefaultSession,
 } from "next-auth";
-import GoogleProvider from "next-auth/providers/google";
+import KeycloakProvider from "next-auth/providers/keycloak";
 import { env } from "~/env.mjs";
 import { prisma } from "~/server/db";
@@ -49,9 +49,14 @@ export const authOptions: NextAuthOptions = {
 },
 adapter: PrismaAdapter(prisma),
 providers: [
- GoogleProvider({
- clientId: env.GOOGLE_CLIENT_ID,
- clientSecret: env.GOOGLE_CLIENT_SECRET,
+ KeycloakProvider({
+ clientId: env.KEYCLOAK_CLIENT_ID,
+ clientSecret: env.KEYCLOAK_CLIENT_SECRET,
+ issuer: env.KEYCLOAK_ISSUER,
+ // authorizationUrl: env.KEYCLOAK_ISSUER + "/protocol/openid-connect/auth",
+ // accessTokenUrl: env.KEYCLOAK_ISSUER + "/protocol/openid-connect/token",
+ // profileUrl: env.KEYCLOAK_ISSUER + "/protocol/openid-connect/userinfo",
+ // wellKnown: env.KEYCLOAK_ISSUER + "/.well-known/openid-configuration",
 }),
 /**
 * ...add more providers here.
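Review bot: The four commented-out `authorizationUrl`/`accessTokenUrl`/`profileUrl`/`wellKnown` lines inside the new `KeycloakProvider({ ... })` call in the src/server/auth.ts hunk are dead code that will drift from the real configuration; next-auth's Keycloak provider derives its endpoints from `issuer` through OIDC discovery, so either delete them or collapse them into one line, `// endpoints are discovered from <issuer>/.well-known/openid-configuration; override only if the realm is non-standard`. Separately, with `adapter: PrismaAdapter(prisma)` on the context line, any existing users whose `Account` rows were created by the removed Google provider will not be linked to a Keycloak sign-in under the same e-mail (next-auth does not auto-link OAuth accounts by e-mail by default), so if there are live users this needs a migration or a documented re-registration step — I cannot see the user or account tables from this hunk. The `authOptions` object continues outside the hunk.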