feat(keycloak): added controller and OIDC helpers

Author: thorsten

phpmyfaq/assets/templates/admin/login.twig

@@ -78,12 +78,18 @@
                         <i class="bi bi-windows" aria-hidden="true"></i>
                         {{ msgSignInWithMicrosoft }}
                       </a>
-                      {% if isWebAuthnEnabled %}
-                        <a class="w-100 py-2 mb-2 btn btn-outline-primary rounded-3" href="../services/webauthn">
-                          <i class="bi bi-key" aria-hidden="true"></i>
-                          {{ 'msgSignInWithPasskey' | translate }}
-                        </a>
-                      {% endif %}
+                    {% endif %}
+                    {% if hasSignInWithKeycloakActive %}
+                      <a class="w-100 py-2 mb-2 btn btn-outline-dark rounded-3" href="../auth/keycloak/authorize">
+                        <i class="bi bi-shield-lock" aria-hidden="true"></i>
+                        {{ msgSignInWithKeycloak }}
+                      </a>
+                    {% endif %}
+                    {% if isWebAuthnEnabled %}
+                      <a class="w-100 py-2 mb-2 btn btn-outline-primary rounded-3" href="../services/webauthn">
+                        <i class="bi bi-key" aria-hidden="true"></i>
+                        {{ 'msgSignInWithPasskey' | translate }}
+                      </a>
                     {% endif %}
                   </div>
                 </div>

phpmyfaq/assets/templates/default/login.twig

@@ -74,6 +74,12 @@
                     {{ 'msgSignInWithMicrosoft' | translate }}
                   </a>
                   {% endif %}
+                  {% if useSignInWithKeycloak %}
+                  <a class="w-100 py-2 mb-2 btn btn-outline-warning rounded-3" href="./auth/keycloak/authorize">
+                    <i class="bi bi-shield-lock" aria-hidden="true"></i>
+                    {{ 'msgSignInWithKeycloak' | translate }}
+                  </a>
+                  {% endif %}
                   {%  if isWebAuthnEnabled %}
                   <a class="w-100 py-2 mb-2 btn btn-outline-primary rounded-3" href="./services/webauthn">
                     <i class="bi bi-key" aria-hidden="true"></i>

phpmyfaq/src/phpMyFAQ/Auth/AuthKeycloak.php

@@ -0,0 +1,138 @@
+<?php
+
+/**
+ * Manages user authentication with Keycloak via OIDC.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public License,
+ * v. 2.0. If a copy of the MPL was not distributed with this file, You can
+ * obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * @package   phpMyFAQ
+ * @author    Thorsten Rinne <thorsten@phpmyfaq.de>
+ * @copyright 2026 phpMyFAQ Team
+ * @license   https://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
+ * @link      https://www.phpmyfaq.de
+ * @since     2026-04-18
+ */
+
+declare(strict_types=1);
+
+namespace phpMyFAQ\Auth;
+
+use Closure;
+use phpMyFAQ\Auth;
+use phpMyFAQ\Auth\Oidc\OidcProviderConfig;
+use phpMyFAQ\Configuration;
+use phpMyFAQ\Core\Exception;
+use phpMyFAQ\Enums\AuthenticationSourceType;
+use phpMyFAQ\User;
+use SensitiveParameter;
+
+class AuthKeycloak extends Auth implements AuthDriverInterface
+{
+    /** @param array<string, mixed> $claims */
+    public function __construct(
+        Configuration $configuration,
+        private readonly OidcProviderConfig $providerConfig,
+        private readonly array $claims,
+        private readonly string $resolvedLogin,
+        private readonly ?Closure $userFactory = null,
+    ) {
+        parent::__construct($configuration);
+    }
+
+    /**
+     * @throws Exception
+     */
+    public function create(string $login, #[SensitiveParameter] string $password, string $domain = ''): bool
+    {
+        $result = false;
+        $user = $this->createUser();
+
+        try {
+            $result = $user->createUser($login, '', $domain);
+        } catch (\Exception $exception) {
+            $this->configuration->getLogger()->info($exception->getMessage());
+        }
+
+        $user->setStatus('active');
+        $user->setAuthSource(AuthenticationSourceType::AUTH_KEYCLOAK->value);
+        $user->setUserData([
+            'display_name' => $this->getDisplayName(),
+            'email' => $this->getEmail(),
+        ]);
+
+        return $result;
+    }
+
+    public function update(string $login, #[SensitiveParameter] string $password): bool
+    {
+        return true;
+    }
+
+    public function delete(string $login): bool
+    {
+        return true;
+    }
+
+    public function checkCredentials(
+        string $login,
+        #[SensitiveParameter]
+        string $password,
+        ?array $optionalData = null,
+    ): bool {
+        if ($login !== $this->resolvedLogin) {
+            return false;
+        }
+
+        if ($this->userExists($login)) {
+            return true;
+        }
+
+        if (!$this->providerConfig->autoProvision) {
+            return false;
+        }
+
+        return $this->create($login, '');
+    }
+
+    public function isValidLogin(string $login, ?array $optionalData = null): int
+    {
+        return $login === $this->resolvedLogin ? 1 : 0;
+    }
+
+    private function getDisplayName(): string
+    {
+        $name = trim((string) ($this->claims['name'] ?? ''));
+        if ($name !== '') {
+            return $name;
+        }
+
+        $preferredUsername = trim((string) ($this->claims['preferred_username'] ?? ''));
+        if ($preferredUsername !== '') {
+            return $preferredUsername;
+        }
+
+        return $this->resolvedLogin;
+    }
+
+    private function getEmail(): string
+    {
+        return trim((string) ($this->claims['email'] ?? ''));
+    }
+
+    private function userExists(string $login): bool
+    {
+        $user = $this->createUser();
+        return $user->getUserByLogin($login, false);
+    }
+
+    private function createUser(): User
+    {
+        if ($this->userFactory instanceof Closure) {
+            return ($this->userFactory)();
+        }
+
+        return new User($this->configuration);
+    }
+}

phpmyfaq/src/phpMyFAQ/Auth/Keycloak/KeycloakProviderConfigFactory.php

@@ -19,6 +19,7 @@
 
 namespace phpMyFAQ\Auth\Keycloak;
 
+use InvalidArgumentException;
 use phpMyFAQ\Auth\Oidc\OidcClientConfig;
 use phpMyFAQ\Auth\Oidc\OidcProviderConfig;
 use phpMyFAQ\Configuration;
@@ -40,17 +41,27 @@ public function create(): OidcProviderConfig
             $scopes = [];
         }
 
+        $enabled = $this->toBool($this->configuration->get('keycloak.enable'));
+
+        if ($enabled && ($baseUrl === '' || $realm === '')) {
+            $missing = array_filter([
+                $baseUrl === '' ? 'baseUrl' : null,
+                $realm === '' ? 'realm' : null,
+            ]);
+            throw new InvalidArgumentException(sprintf('Keycloak enabled but missing: %s', implode(' and ', $missing)));
+        }
+
         if ($redirectUri === '') {
             $redirectUri = rtrim($this->configuration->getDefaultUrl(), characters: '/') . '/auth/keycloak/callback';
         }
 
         return new OidcProviderConfig(
             provider: 'keycloak',
-            enabled: $this->toBool($this->configuration->get('keycloak.enable')),
+            enabled: $enabled,
             discoveryUrl: $this->buildDiscoveryUrl($baseUrl, $realm),
             client: new OidcClientConfig(
                 clientId: trim((string) $this->configuration->get('keycloak.clientId')),
-                clientSecret: trim((string) $this->configuration->get('keycloak.clientSecret')),
+                clientSecret: (string) $this->configuration->get('keycloak.clientSecret'),
                 redirectUri: $redirectUri,
                 scopes: array_values(array_filter($scopes, static fn(string $scope): bool => $scope !== '')),
             ),

phpmyfaq/src/phpMyFAQ/Auth/Oidc/OidcClient.php

@@ -0,0 +1,151 @@
+<?php
+
+/**
+ * OIDC HTTP client helper.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public License,
+ * v. 2.0. If a copy of the MPL was not distributed with this file, You can
+ * obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * @package   phpMyFAQ
+ * @author    Thorsten Rinne <thorsten@phpmyfaq.de>
+ * @copyright 2026 phpMyFAQ Team
+ * @license   https://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
+ * @link      https://www.phpmyfaq.de
+ * @since     2026-04-18
+ */
+
+declare(strict_types=1);
+
+namespace phpMyFAQ\Auth\Oidc;
+
+use JsonException;
+use RuntimeException;
+use SensitiveParameter;
+use Symfony\Contracts\HttpClient\Exception\ExceptionInterface;
+use Symfony\Contracts\HttpClient\HttpClientInterface;
+
+final readonly class OidcClient
+{
+    public function __construct(
+        private HttpClientInterface $httpClient,
+    ) {
+    }
+
+    public function buildAuthorizationUrl(
+        OidcProviderConfig $config,
+        OidcDiscoveryDocument $discoveryDocument,
+        string $state,
+        string $nonce,
+        string $codeChallenge,
+    ): string {
+        $query = http_build_query([
+            'response_type' => 'code',
+            'client_id' => $config->client->clientId,
+            'redirect_uri' => $config->client->redirectUri,
+            'scope' => $config->client->getScopesAsString(),
+            'state' => $state,
+            'nonce' => $nonce,
+            'code_challenge' => $codeChallenge,
+            'code_challenge_method' => 'S256',
+        ]);
+
+        return $discoveryDocument->authorizationEndpoint . '?' . $query;
+    }
+
+    /**
+     * @return array<string, mixed>
+     * @throws ExceptionInterface
+     */
+    public function exchangeAuthorizationCode(
+        OidcProviderConfig $config,
+        OidcDiscoveryDocument $discoveryDocument,
+        string $code,
+        #[SensitiveParameter]
+        string $codeVerifier,
+    ): array {
+        $response = $this->httpClient->request('POST', $discoveryDocument->tokenEndpoint, [
+            'body' => [
+                'grant_type' => 'authorization_code',
+                'code' => $code,
+                'client_id' => $config->client->clientId,
+                'client_secret' => $config->client->clientSecret,
+                'redirect_uri' => $config->client->redirectUri,
+                'code_verifier' => $codeVerifier,
+            ],
+        ]);
+
+        $payload = $this->decodeJsonResponse($response->getContent(false), $response->getStatusCode(), 'token');
+        if (
+            !array_key_exists('access_token', $payload)
+            || !is_string($payload['access_token'])
+            || $payload['access_token'] === ''
+        ) {
+            throw new RuntimeException('OIDC token response did not contain a valid access_token');
+        }
+
+        return $payload;
+    }
+
+    /**
+     * @return array<string, mixed>
+     * @throws ExceptionInterface
+     */
+    public function fetchUserInfo(
+        OidcDiscoveryDocument $discoveryDocument,
+        #[SensitiveParameter]
+        string $accessToken,
+    ): array {
+        $response = $this->httpClient->request('GET', $discoveryDocument->userInfoEndpoint, [
+            'headers' => [
+                'Authorization' => 'Bearer ' . $accessToken,
+            ],
+        ]);
+
+        return $this->decodeJsonResponse($response->getContent(false), $response->getStatusCode(), 'userinfo');
+    }
+
+    public function buildLogoutUrl(
+        OidcProviderConfig $config,
+        OidcDiscoveryDocument $discoveryDocument,
+        #[SensitiveParameter]
+        string $idTokenHint = '',
+    ): ?string {
+        if ($discoveryDocument->endSessionEndpoint === null || $discoveryDocument->endSessionEndpoint === '') {
+            return null;
+        }
+
+        $query = [
+            'client_id' => $config->client->clientId,
+        ];
+
+        if ($config->logoutRedirectUrl !== '') {
+            $query['post_logout_redirect_uri'] = $config->logoutRedirectUrl;
+        }
+
+        if ($idTokenHint !== '') {
+            $query['id_token_hint'] = $idTokenHint;
+        }
+
+        return $discoveryDocument->endSessionEndpoint . '?' . http_build_query($query);
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    private function decodeJsonResponse(string $content, int $statusCode, string $context): array
+    {
+        if ($statusCode >= 400) {
+            throw new RuntimeException(sprintf('OIDC %s request failed with status %d', $context, $statusCode));
+        }
+
+        try {
+            /** @var array<string, mixed> $payload */
+            $payload = json_decode($content, associative: true, depth: 512, flags: JSON_THROW_ON_ERROR);
+        } catch (JsonException $exception) {
+            throw new RuntimeException(sprintf('OIDC %s response is not valid JSON', $context), previous: $exception);
+        }
+
+        return $payload;
+    }
+}

phpmyfaq/src/phpMyFAQ/Auth/Oidc/OidcDiscoveryService.php

@@ -48,12 +48,18 @@ public function discover(OidcProviderConfig $config): OidcDiscoveryDocument
         }
 
         try {
-            /** @var array<string, mixed> $payload */
             $payload = json_decode($content, associative: true, depth: 512, flags: JSON_THROW_ON_ERROR);
         } catch (JsonException $exception) {
             throw new RuntimeException('OIDC discovery response is not valid JSON', previous: $exception);
         }
 
+        if (!is_array($payload)) {
+            throw new RuntimeException(sprintf(
+                'OIDC discovery response is not a JSON object/array, got %s',
+                gettype($payload),
+            ));
+        }
+
         return OidcDiscoveryDocument::fromArray($payload);
     }
 }