Add docker configuration for keycloak#2363

Open
melaniekung wants to merge 2 commits into qa/2.x from dev/keycloak-docker

Conversation

@melaniekung

Contributor

No description provided.

@melaniekung melaniekung added this to the 2.11 milestone Jun 9, 2026
@melaniekung melaniekung requested review from a team and sbreker June 9, 2026 18:03
@melaniekung melaniekung self-assigned this Jun 9, 2026
@melaniekung melaniekung added Type: enhancement An improvement to existing functionality. work-in-progress labels Jun 9, 2026
Comment thread docker/bootstrap.php
htmlpurifier_enabled: false
csp:
response_header: Content-Security-Policy
response_header: Content-Security-Policy-Report-Only
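Review bot: Swapping Content-Security-Policy for Content-Security-Policy-Report-Only in docker/bootstrap.php stops the browser enforcing the whole policy in the dev environment, not only the directive the Keycloak flow trips over, so the dev setup no longer exercises the CSP that production runs with. If the intent is to let the login flow reach Keycloak, narrow the change to the directive the browser's violation report names (adding the Keycloak origin, scheme and host without a path, as suggested in this thread) and keep the enforcing header; if Report-Only is meant to stay, a comment next to the key stating that it is dev-only would stop it being copied into a production config.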

Member

This change should perhaps be in its own commit as it seems unrelated to adding Keycloak to the dev Docker env.

Contributor

If you want to avoid using -Report-Only, you should be able to add the Keycloak host to the CSP header/meta connect-src. It must be the host without path, so it works with all redirects.

@sbreker

sbreker commented Jun 17, 2026

Member

Will a dev still be able to select local logins for authenticate vs using OIDC/Keycloak if their testing requires?

if ($request->isMethod('post') || isset($_REQUEST['code'])) {
if (null !== $providerId = $this->context->user->parseProviderIdFromUrl($this->context->user->getAttribute('atom-login-referer', null))) {
if (($request->isMethod('post') || isset($_REQUEST['code'])) && null !== $this->context->user->getAttribute('atom-login-referer')) {
if (null !== $providerId = $this->context->user->parseProviderIdFromUrl($this->context->user->getAttribute('atom-login-referer'))) {
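Review bot: The added `null !== $this->context->user->getAttribute('atom-login-referer')` in the outer condition is redundant with the inner `null !== $providerId = ...parseProviderIdFromUrl(...)` unless `parseProviderIdFromUrl()` cannot accept a null argument; if that is the reason, a one-line comment saying so would justify the guard, otherwise drop it and keep the previous two-level check. Separately, the condition mixes `$request->isMethod('post')` with the raw `$_REQUEST['code']` superglobal; reading the authorization `code` through the same `$request` object keeps one source of truth and avoids `$_REQUEST` picking the value up from a cookie when PHP's `request_order` includes cookies.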

Member

Why are the checks duplicated?

Comment thread docker/bootstrap.php

enable_refresh_token_use: true

server_cert: 'docker/certs/cert.pem'
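Review bot: `server_cert: 'docker/certs/cert.pem'` references a file this PR does not add and that, per this thread, must be generated by hand; add the generation steps to the Docker docs, state which hostname the certificate must be issued for (it has to match the host the client connects to, or TLS validation fails), and make sure the certs directory is git-ignored so a private key sitting next to the cert is never committed. The relative path is also resolved against the working directory of whichever PHP process reads the config, so an absolute path or one anchored on the application root is safer.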

Member

This will require generating certs and adding them to the certs folder

Comment thread docker/etc/environment
ATOM_MYSQL_PASSWORD=atom_12345
NODE_ENV=development
ATOM_KEYCLOAK_HOST=host.docker.internal
ATOM_KEYCLOAK_PORT=9000
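Review bot: `ATOM_KEYCLOAK_HOST=host.docker.internal` only resolves out of the box on Docker Desktop; on a Linux Docker Engine host the compose service needs an `extra_hosts` entry mapping `host.docker.internal` to `host-gateway` (or the developer must set the variable to a reachable address), so note this in docker/etc/environment or the README. Since this host name is also the name the `server_cert` certificate must be issued for, and the OIDC plugin still has to be activated as this thread notes, the env file is the natural place to document the activation variable next to these two.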

Member

The OIDC plugin will need activation. This commit allows the plugin to be activated using an env var.

Comment on lines +458 to +473
if (isset($provider['issuer'])) {
$this->oidcClient->setIssuer($provider['issuer']);

$endpointOverrides = [];
foreach (['authorization_endpoint', 'token_endpoint', 'userinfo_endpoint', 'jwks_uri', 'end_session_endpoint'] as $endpointName) {
if (!empty($provider[$endpointName])) {
$endpointOverrides[$endpointName] = $provider[$endpointName];
}
}

if (!empty($endpointOverrides)) {
$this->oidcClient->providerConfigParam($endpointOverrides);
}
} else {
$this->oidcClient->setProviderUrl($provider['url']);
}
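Review bot: In the `issuer` branch `setProviderUrl($provider['url'])` is never called, so unless every endpoint the client uses is present in `$endpointOverrides` (only the five names in the loop can be), the client has no provider URL from which to discover the rest; either call `setProviderUrl()` in both branches and let the overrides apply on top, or document that configs using `issuer` must supply all five endpoints. Please also document the new `issuer` key in the config example: in OIDC the value is what the ID token's `iss` claim is validated against, so it must be exactly the issuer string Keycloak emits (the realm URL as the client sees it), which is why it is kept separate from the discovery `url`.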

Member

I noticed a new OIDC param 'issuer' - what is this for?
