feat(keycloak): added persistent keycloak_sub support to the user schema

Author: thorsten

phpmyfaq/admin/assets/src/configuration/configuration.test.ts

@@ -327,6 +327,13 @@ describe('Configuration Functions', () => {
           <li class="nav-item" data-config-group="core" data-config-label="Main">
             <a class="nav-link" href="#main"></a>
           </li>
+          <li class="pmf-configuration-group" data-config-group="integrations"><span>Integrations</span></li>
+          <li class="nav-item" data-config-group="integrations" data-config-label="OAuth 2.0">
+            <a class="nav-link" href="#oauth2"></a>
+          </li>
+          <li class="nav-item" data-config-group="integrations" data-config-label="Keycloak">
+            <a class="nav-link" href="#keycloak"></a>
+          </li>
           <li class="pmf-configuration-group" data-config-group="maintenance"><span>Maintenance</span></li>
           <li class="nav-item" data-config-group="maintenance" data-config-label="Upgrade">
             <a class="nav-link active" href="#upgrade"></a>
@@ -436,6 +443,59 @@ describe('Configuration Functions', () => {
       vi.useRealTimers();
     });
 
+    it('should show Keycloak tab and items when filtering by "keycloak"', async () => {
+      vi.useFakeTimers();
+      buildFilterDOM();
+
+      (fetchConfiguration as Mock).mockResolvedValue('');
+
+      handleConfigurationTabFiltering();
+
+      await triggerFilterAndFlush('keycloak');
+
+      const keycloakTab = document.querySelector('li.nav-item[data-config-label="Keycloak"]');
+      const oauth2Tab = document.querySelector('li.nav-item[data-config-label="OAuth 2.0"]');
+      const mainTab = document.querySelector('li.nav-item[data-config-label="Main"]');
+      const upgradeTab = document.querySelector('li.nav-item[data-config-label="Upgrade"]');
+
+      expect(keycloakTab?.classList.contains('d-none')).toBe(false);
+      expect(oauth2Tab?.classList.contains('d-none')).toBe(true);
+      expect(mainTab?.classList.contains('d-none')).toBe(true);
+      expect(upgradeTab?.classList.contains('d-none')).toBe(true);
+
+      const keycloakEnable = document.querySelector('.pmf-config-item[data-config-key="keycloak.enable"]');
+      const keycloakClientId = document.querySelector('.pmf-config-item[data-config-key="keycloak.clientId"]');
+      const languageItem = document.querySelector('.pmf-config-item[data-config-key="main.language"]');
+
+      expect(keycloakEnable?.classList.contains('d-none')).toBe(false);
+      expect(keycloakClientId?.classList.contains('d-none')).toBe(false);
+      expect(languageItem?.classList.contains('d-none')).toBe(true);
+
+      vi.useRealTimers();
+    });
+
+    it('should show Keycloak tab when filtering by "client id"', async () => {
+      vi.useFakeTimers();
+      buildFilterDOM();
+
+      (fetchConfiguration as Mock).mockResolvedValue('');
+
+      handleConfigurationTabFiltering();
+
+      await triggerFilterAndFlush('client id');
+
+      const keycloakTab = document.querySelector('li.nav-item[data-config-label="Keycloak"]');
+      const mainTab = document.querySelector('li.nav-item[data-config-label="Main"]');
+
+      expect(keycloakTab?.classList.contains('d-none')).toBe(false);
+      expect(mainTab?.classList.contains('d-none')).toBe(true);
+
+      const clientIdItem = document.querySelector('.pmf-config-item[data-config-key="keycloak.clientId"]');
+      expect(clientIdItem?.classList.contains('d-none')).toBe(false);
+
+      vi.useRealTimers();
+    });
+
     it('should restore all items and tabs when filter is cleared', async () => {
       vi.useFakeTimers();
       buildFilterDOM();

phpmyfaq/assets/templates/default/login.twig

@@ -75,7 +75,7 @@
                   </a>
                   {% endif %}
                   {% if useSignInWithKeycloak %}
-                  <a class="w-100 py-2 mb-2 btn btn-outline-warning rounded-3" href="./auth/keycloak/authorize">
+                  <a class="w-100 py-2 mb-2 btn btn-warning rounded-3" href="./auth/keycloak/authorize">
                     <i class="bi bi-shield-lock" aria-hidden="true"></i>
                     {{ 'msgSignInWithKeycloak' | translate }}
                   </a>

phpmyfaq/src/phpMyFAQ/Auth/AuthKeycloak.php

@@ -54,14 +54,22 @@ public function create(string $login, #[SensitiveParameter] string $password, st
         try {
             $result = $user->createUser($login, '', $domain);
         } catch (\Exception $exception) {
-            $this->configuration->getLogger()->info($exception->getMessage());
+            $this->configuration
+                ->getLogger()
+                ->error(sprintf('Keycloak user creation failed for "%s": %s', $login, $exception->getMessage()));
+            return false;
+        }
+
+        if (!$result) {
+            return false;
         }
 
         $user->setStatus('active');
         $user->setAuthSource(AuthenticationSourceType::AUTH_KEYCLOAK->value);
         $user->setUserData([
             'display_name' => $this->getDisplayName(),
             'email' => $this->getEmail(),
+            'keycloak_sub' => $this->getSubject(),
         ]);
 
         if ($this->shouldAssignGroups()) {
@@ -127,6 +135,11 @@ private function getEmail(): string
         return trim((string) ($this->claims['email'] ?? ''));
     }
 
+    private function getSubject(): string
+    {
+        return trim((string) ($this->claims['sub'] ?? ''));
+    }
+
     private function userExists(string $login): bool
     {
         $user = $this->createUser();
@@ -156,7 +169,11 @@ private function assignUserToGroups(int $userId): void
         $groupMapping = $this->getGroupMapping();
 
         foreach ($roleNames as $roleName) {
-            $faqGroupName = $groupMapping[$roleName] ?? $roleName;
+            if (!isset($groupMapping[$roleName])) {
+                continue;
+            }
+
+            $faqGroupName = $groupMapping[$roleName];
             $groupId = $mediumPermission->findOrCreateGroupByName($faqGroupName);
 
             if ($groupId <= 0) {
@@ -166,7 +183,7 @@ private function assignUserToGroups(int $userId): void
             $mediumPermission->addToGroup($userId, $groupId);
             $this->configuration
                 ->getLogger()
-                ->info(sprintf('Added Keycloak user %s to group %s', $this->resolvedLogin, $faqGroupName));
+                ->info(sprintf('Added Keycloak user #%d to group %s', $userId, $faqGroupName));
         }
     }
 
@@ -188,20 +205,16 @@ private function extractRoleNames(): array
             }
         }
 
-        $resourceAccess = $this->claims['resource_access'] ?? [];
-        if (is_array($resourceAccess)) {
-            foreach ($resourceAccess as $resource) {
-                $resourceRoles = is_array($resource) ? $resource['roles'] ?? null : null;
-                if (!is_array($resourceRoles)) {
-                    continue;
-                }
-
-                foreach ($resourceRoles as $resourceRole) {
-                    if (!is_string($resourceRole) || $resourceRole === '') {
+        $clientId = trim((string) $this->configuration->get(item: 'keycloak.clientId'));
+        if ($clientId !== '') {
+            $clientRoles = $this->claims['resource_access'][$clientId]['roles'] ?? [];
+            if (is_array($clientRoles)) {
+                foreach ($clientRoles as $clientRole) {
+                    if (!is_string($clientRole) || $clientRole === '') {
                         continue;
                     }
 
-                    $roleNames[] = $resourceRole;
+                    $roleNames[] = $clientRole;
                 }
             }
         }

phpmyfaq/src/phpMyFAQ/Auth/Oidc/OidcClient.php

@@ -140,12 +140,19 @@ private function decodeJsonResponse(string $content, int $statusCode, string $co
         }
 
         try {
-            /** @var array<string, mixed> $payload */
             $payload = json_decode($content, associative: true, depth: 512, flags: JSON_THROW_ON_ERROR);
         } catch (JsonException $exception) {
             throw new RuntimeException(sprintf('OIDC %s response is not valid JSON', $context), previous: $exception);
         }
 
+        if (!is_array($payload)) {
+            throw new RuntimeException(sprintf(
+                'OIDC %s response is not a JSON object/array, got %s',
+                $context,
+                gettype($payload),
+            ));
+        }
+
         return $payload;
     }
 }