
refactor(nextauth): change provider from Google to Keycloak

- uses the self-hosted Keycloak instance `https://sso.mareshq.com` as SSO
This commit is contained in:
Vojtěch Mareš 2023-09-02 17:37:45 +02:00
parent 083fe4565d
commit 2a7b833b2e
Signed by: vojtech.mares
GPG key ID: C6827B976F17240D
7 changed files with 40 additions and 25 deletions


@ -20,6 +20,7 @@ DATABASE_URL="postgresql://username:password@localhost:5432/database"
# NEXTAUTH_SECRET="" # NEXTAUTH_SECRET=""
NEXTAUTH_URL="http://localhost:3000" NEXTAUTH_URL="http://localhost:3000"
# Next Auth Google Provider # Next Auth Keycloak Provider
GOOGLE_CLIENT_ID="" KEYCLOAK_CLIENT_ID=""
GOOGLE_CLIENT_SECRET="" KEYCLOAK_CLIENT_SECRET=""
KEYCLOAK_ISSUER=""
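Review bot: The new `KEYCLOAK_ISSUER=""` entry gives no hint of the expected value, and a wrong issuer is only noticed at sign-in time, when OpenID discovery against it fails. The commented `wellKnown` line in the auth change shows that the discovery URL is built directly from this value, so it has to be the full realm URL, not just the host. A comment on the line above would save the next person a round trip: `# Full realm URL of the Keycloak instance, e.g. https://<keycloak-host>/realms/<realm>` (placeholder shape, not a real value).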


@ -46,8 +46,9 @@ deploy to staging (dry-run):
--set dockerconfigjsonBase64=dummy \ --set dockerconfigjsonBase64=dummy \
--set backoffice.secrets.databaseURL=dummy \ --set backoffice.secrets.databaseURL=dummy \
--set backoffice.secrets.nextauthSecret=dummy \ --set backoffice.secrets.nextauthSecret=dummy \
--set backoffice.secrets.googleClientID=dummy \ --set backoffice.secrets.keycloakClientID=dummy \
--set backoffice.secrets.googleClientSecret=dummy \ --set backoffice.secrets.keycloakClientSecret=dummy \
--set backoffice.secrets.keycloakIssuer=dummy \
backoffice \ backoffice \
./charts/backoffice ./charts/backoffice
rules: rules:
@ -72,8 +73,9 @@ deploy to production (dry-run):
--set dockerconfigjsonBase64=dummy \ --set dockerconfigjsonBase64=dummy \
--set backoffice.secrets.databaseURL=dummy \ --set backoffice.secrets.databaseURL=dummy \
--set backoffice.secrets.nextauthSecret=dummy \ --set backoffice.secrets.nextauthSecret=dummy \
--set backoffice.secrets.googleClientID=dummy \ --set backoffice.secrets.keycloakClientID=dummy \
--set backoffice.secrets.googleClientSecret=dummy \ --set backoffice.secrets.keycloakClientSecret=dummy \
--set backoffice.secrets.keycloakIssuer=dummy \
backoffice \ backoffice \
./charts/backoffice ./charts/backoffice
rules: rules:
@ -97,8 +99,9 @@ deploy to staging:
--set dockerconfigjsonBase64=$DOCKERCONFIG_BASE64 \ --set dockerconfigjsonBase64=$DOCKERCONFIG_BASE64 \
--set backoffice.secrets.databaseURL=$DATABASE_URL \ --set backoffice.secrets.databaseURL=$DATABASE_URL \
--set backoffice.secrets.nextauthSecret=$NEXTAUTH_SECRET \ --set backoffice.secrets.nextauthSecret=$NEXTAUTH_SECRET \
--set backoffice.secrets.googleClientID=$GOOGLE_CLIENT_ID \ --set backoffice.secrets.keycloakClientID=$KEYCLOAK_CLIENT_ID \
--set backoffice.secrets.googleClientSecret=$GOOGLE_CLIENT_SECRET \ --set backoffice.secrets.keycloakClientSecret=$KEYCLOAK_CLIENT_SECRET \
--set backoffice.secrets.keycloakIssuer=$KEYCLOAK_ISSUER \
backoffice \ backoffice \
./charts/backoffice ./charts/backoffice
environment: environment:
@ -125,8 +128,9 @@ deploy to production:
--set dockerconfigjsonBase64=$DOCKERCONFIG_BASE64 \ --set dockerconfigjsonBase64=$DOCKERCONFIG_BASE64 \
--set backoffice.secrets.databaseURL=$DATABASE_URL \ --set backoffice.secrets.databaseURL=$DATABASE_URL \
--set backoffice.secrets.nextauthSecret=$NEXTAUTH_SECRET \ --set backoffice.secrets.nextauthSecret=$NEXTAUTH_SECRET \
--set backoffice.secrets.googleClientID=$GOOGLE_CLIENT_ID \ --set backoffice.secrets.keycloakClientID=$KEYCLOAK_CLIENT_ID \
--set backoffice.secrets.googleClientSecret=$GOOGLE_CLIENT_SECRET \ --set backoffice.secrets.keycloakClientSecret=$KEYCLOAK_CLIENT_SECRET \
--set backoffice.secrets.keycloakIssuer=$KEYCLOAK_ISSUER \
backoffice \ backoffice \
./charts/backoffice ./charts/backoffice
environment: environment:


@ -8,5 +8,6 @@ metadata:
"helm.sh/hook-weight": "-15" "helm.sh/hook-weight": "-15"
stringData: stringData:
NEXTAUTH_SECRET: {{ .Values.backoffice.secrets.nextauthSecret | quote }} NEXTAUTH_SECRET: {{ .Values.backoffice.secrets.nextauthSecret | quote }}
GOOGLE_CLIENT_ID: {{ .Values.backoffice.secrets.googleClientID | quote }} KEYCLOAK_CLIENT_ID: {{ .Values.backoffice.secrets.keycloakClientID | quote }}
GOOGLE_CLIENT_SECRET: {{ .Values.backoffice.secrets.googleClientSecret | quote }} KEYCLOAK_CLIENT_SECRET: {{ .Values.backoffice.secrets.keycloakClientSecret | quote }}
KEYCLOAK_ISSUER: {{ .Values.backoffice.secrets.keycloakIssuer | quote }}
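Review bot: `KEYCLOAK_ISSUER: {{ .Values.backoffice.secrets.keycloakIssuer | quote }}` renders from a value whose chart default is `null` (see the `keycloakIssuer: null` line in the values change), so a deployment that forgets the new `--set` ends up with a Secret whose issuer is missing or empty, and the app only fails later when OIDC discovery runs. Guarding it with Helm's `required` turns that into an install-time error: `KEYCLOAK_ISSUER: {{ required "backoffice.secrets.keycloakIssuer must be set" .Values.backoffice.secrets.keycloakIssuer | quote }}`. The client ID and secret lines share the null default and would benefit from the same guard.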


@ -2,8 +2,9 @@ backoffice:
secretes: secretes:
databaseURL: "postgres://postgres:postgres@localhost:5432/backoffice" databaseURL: "postgres://postgres:postgres@localhost:5432/backoffice"
nextauthSecret: "secret" nextauthSecret: "secret"
googleClientID: "secret" keycloakClientID: "secret"
googleClientSecret: "secret" keycloakClientSecret: "secret"
keycloakIssuer: "secret"
image: image:
tag: dummy tag: dummy
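Review bot: The new `keycloakIssuer: "secret"` sits under `secretes:`, a misspelling of the `secrets` key that the Secret template reads via `.Values.backoffice.secrets.*`, so this value (like its siblings) is never rendered from this file; the dry-run jobs presumably only work because they pass every value with `--set`. Renaming the parent to `secrets:` would make the file usable on its own. Separately, the issuer is a URL rather than a secret, so a URL-shaped dummy such as `keycloakIssuer: "https://keycloak.example.invalid/realms/dummy"` (constructed value) would survive a stricter URL check on the env schema, should one be added.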


@ -52,7 +52,8 @@ backoffice:
secrets: secrets:
databaseURL: null databaseURL: null
nextauthSecret: null nextauthSecret: null
googleClientID: null keycloakClientID: null
googleClientSecret: null keycloakClientSecret: null
keycloakIssuer: null
dockerconfigjsonBase64: null dockerconfigjsonBase64: null


@ -21,8 +21,9 @@ export const env = createEnv({
process.env.VERCEL ? z.string().min(1) : z.string().url(), process.env.VERCEL ? z.string().min(1) : z.string().url(),
), ),
// Add `.min(1) on ID and SECRET if you want to make sure they're not empty // Add `.min(1) on ID and SECRET if you want to make sure they're not empty
GOOGLE_CLIENT_ID: z.string(), KEYCLOAK_CLIENT_ID: z.string(),
GOOGLE_CLIENT_SECRET: z.string(), KEYCLOAK_CLIENT_SECRET: z.string(),
KEYCLOAK_ISSUER: z.string(),
}, },
/** /**
@ -43,8 +44,9 @@ export const env = createEnv({
NODE_ENV: process.env.NODE_ENV, NODE_ENV: process.env.NODE_ENV,
NEXTAUTH_SECRET: process.env.NEXTAUTH_SECRET, NEXTAUTH_SECRET: process.env.NEXTAUTH_SECRET,
NEXTAUTH_URL: process.env.NEXTAUTH_URL, NEXTAUTH_URL: process.env.NEXTAUTH_URL,
GOOGLE_CLIENT_ID: process.env.GOOGLE_CLIENT_ID, KEYCLOAK_CLIENT_ID: process.env.KEYCLOAK_CLIENT_ID,
GOOGLE_CLIENT_SECRET: process.env.GOOGLE_CLIENT_SECRET, KEYCLOAK_CLIENT_SECRET: process.env.KEYCLOAK_CLIENT_SECRET,
KEYCLOAK_ISSUER: process.env.KEYCLOAK_ISSUER,
}, },
/** /**
* Run `build` or `dev` with `SKIP_ENV_VALIDATION` to skip env validation. * Run `build` or `dev` with `SKIP_ENV_VALIDATION` to skip env validation.
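Review bot: `KEYCLOAK_ISSUER: z.string(),` in the first hunk accepts an empty string and any non-URL text, yet the value is what the Keycloak provider derives its OIDC discovery endpoint from, so a bad issuer passes validation here and only breaks at sign-in. The schema already uses `z.string().url()` in the context line just above, so the same form fits: `KEYCLOAK_ISSUER: z.string().url(),`. The `.min(1)` comment above the hunk is about the ID and secret being optionally non-empty; for the issuer the check is the difference between a startup error and a runtime one. The `createEnv({...})` call starts and ends outside the hunks.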


@ -5,7 +5,7 @@ import {
type NextAuthOptions, type NextAuthOptions,
type DefaultSession, type DefaultSession,
} from "next-auth"; } from "next-auth";
import GoogleProvider from "next-auth/providers/google"; import KeycloakProvider from "next-auth/providers/keycloak";
import { env } from "~/env.mjs"; import { env } from "~/env.mjs";
import { prisma } from "~/server/db"; import { prisma } from "~/server/db";
@ -49,9 +49,14 @@ export const authOptions: NextAuthOptions = {
}, },
adapter: PrismaAdapter(prisma), adapter: PrismaAdapter(prisma),
providers: [ providers: [
GoogleProvider({ KeycloakProvider({
clientId: env.GOOGLE_CLIENT_ID, clientId: env.KEYCLOAK_CLIENT_ID,
clientSecret: env.GOOGLE_CLIENT_SECRET, clientSecret: env.KEYCLOAK_CLIENT_SECRET,
issuer: env.KEYCLOAK_ISSUER,
// authorizationUrl: env.KEYCLOAK_ISSUER + "/protocol/openid-connect/auth",
// accessTokenUrl: env.KEYCLOAK_ISSUER + "/protocol/openid-connect/token",
// profileUrl: env.KEYCLOAK_ISSUER + "/protocol/openid-connect/userinfo",
// wellKnown: env.KEYCLOAK_ISSUER + "/.well-known/openid-configuration",
}), }),
/** /**
* ...add more providers here. * ...add more providers here.
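Review bot: The four commented-out `authorizationUrl`/`accessTokenUrl`/`profileUrl`/`wellKnown` lines inside `KeycloakProvider({...})` are dead code: the provider derives its discovery document from `issuer`, which is exactly what the commented `wellKnown` value spells out, so nothing here needs overriding. Dropping them, or replacing all four with one line such as `// endpoints are discovered from `${issuer}/.well-known/openid-configuration`; no manual URLs needed`, keeps the provider block to its three live options. The `authOptions` object begins before the hunk.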