Feature: Marcus admin access to Keycloak + player self-service account management #144

Closed
opened 2026-03-21 21:36:00 +00:00 by forgejo_admin · 0 comments

Type

Feature

Lineage

plan-wkq → Phase 11 (Girls Tryout — March 24)

Repo

forgejo_admin/basketball-api (Keycloak config) + forgejo_admin/westside-app (UI links)

User Story

As Marcus (owner/coach)
I want to reset any player's password from Keycloak admin console
So that I don't need Lucas or a CLI session when a player can't log in

As a player/parent
I want to change my password and manage my account from the app
So that I'm not dependent on anyone else

Context

We've been doing ad-hoc password resets via Keycloak admin API through CLI sessions. Keycloak already has a full admin console and account console deployed — we just haven't given Marcus access or linked players to self-service. This is 10 minutes of work, not a feature build.

File Targets

No code changes needed. This is Keycloak config + UI links.

basketball-api (Keycloak config via API):

  • Give Marcus's Keycloak account the realm-management/realm-admin role (or scoped manage-users role)
  • Verify admin console is accessible at keycloak.tail5b443a.ts.net/admin/westside-basketball/console/

westside-app:

  • src/routes/my-players/+page.svelte — add "Account Settings" link to Keycloak account console (keycloak.tail5b443a.ts.net/realms/westside-basketball/account/)
  • src/routes/admin/+page.svelte — add "Manage Users" link to Keycloak admin console

Acceptance Criteria

  • Marcus can log into Keycloak admin console and search/reset player passwords
  • Players see "Account Settings" link on their dashboard that opens Keycloak account console
  • Admin dashboard has "Manage Users" link to Keycloak admin console
  • SOP documented: Player Login Recovery flow

Test Expectations

  • Marcus logs into Keycloak admin console successfully
  • Marcus can find a player and trigger password reset
  • Player clicks "Account Settings" and can change their password
  • Run command: manual browser verification

Constraints

  • Use Keycloak's built-in capabilities — no custom admin UIs
  • Marcus gets scoped admin role (manage-users), not full realm-admin
  • Account console link opens in new tab (don't redirect away from westside-app)

Checklist

  • Marcus has admin access
  • UI links added
  • SOP written
  • No unrelated changes

Related

  • basketball-api #132 — password reset flow (custom, keeps working alongside this)
  • basketball-api #136 — Gmail OAuth fix that enables email
  • David Kaneko — first player who couldn't log in, triggered this whole chain
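
The role grant under File Targets and the manage-users constraint, as an added example (not code from basketball-api or westside-app): it maps the realm-management `manage-users` client role onto one user through the Keycloak Admin REST API, then reads the effective roles back and reports anything broader. The base URL, the admin bearer token, the username and the `ALLOWED` set are assumptions supplied by the caller or chosen for this sketch.

```python
"""Added example: grant realm-management/manage-users and audit the result."""
import json
import urllib.parse
import urllib.request

# Assumption to confirm on the deployed Keycloak version: manage-users is a
# composite that also yields query-users and query-groups. Anything else in
# the effective set is broader than the scoped role the issue asks for.
ALLOWED = {"manage-users", "query-users", "query-groups"}


def excess_roles(effective_roles):
    """Return realm-management role names beyond the manage-users scope."""
    return sorted({r["name"] for r in effective_roles} - ALLOWED)


def _call(method, url, token, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()  # role-mapping POST answers 204 with no body
    return json.loads(raw) if raw else None


def grant_manage_users(base, realm, token, username):
    """Map manage-users onto one user, then return any excess effective roles."""
    admin = f"{base}/admin/realms/{realm}"
    q = urllib.parse.urlencode({"username": username, "exact": "true"})
    users = _call("GET", f"{admin}/users?{q}", token)
    if len(users) != 1:
        raise LookupError(f"expected exactly one user, got {len(users)}")
    uid = users[0]["id"]
    cid = _call("GET", f"{admin}/clients?clientId=realm-management", token)[0]["id"]
    role = _call("GET", f"{admin}/clients/{cid}/roles/manage-users", token)
    mapping = f"{admin}/users/{uid}/role-mappings/clients/{cid}"
    _call("POST", mapping, token, [role])
    # /composite lists effective roles, including those inherited via composites.
    return excess_roles(_call("GET", f"{mapping}/composite", token))


if __name__ == "__main__":
    # Constructed sample: a /composite response where realm-admin was mapped
    # earlier and never removed.
    sample = [{"name": n} for n in ("manage-users", "query-users",
                                    "query-groups", "realm-admin", "manage-realm")]
    print(excess_roles(sample))
```

An empty list from `grant_manage_users` means the account holds only the scoped role; any name it returns is a mapping to remove before the "Marcus has admin access" checklist item is ticked.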