Keycloak iOS redirect URI — westside-spa client #165

Open
opened 2026-03-26 03:49:15 +00:00 by forgejo_admin · 1 comment

Type

Infra

Lineage

project-capacitor-mobile → Board item (westside first consumer)

Repo

forgejo_admin/pal-e-platform

User Story

As an iOS app user
I want Keycloak to accept auth redirects from the Capacitor native shell
So that I can sign in to the westside app on my iPhone

Context

Capacitor iOS apps use capacitor://localhost as their origin. The Keycloak client westside-spa needs this added to Valid Redirect URIs and Web Origins. Without it, the OIDC PKCE flow will fail on iOS with a redirect_uri mismatch.

Phase 15 scope notes mention this was already planned. Verify current state before making changes.

File Targets

Files to modify:

  • Keycloak Admin API call or Terraform config for westside-basketball realm, westside-spa client

Files NOT to touch:

  • Application code — this is infra config only

Acceptance Criteria

  • westside-spa client has capacitor://localhost/* in Valid Redirect URIs
  • westside-spa client has capacitor://localhost in Web Origins
  • http://localhost:5174/* remains in redirect URIs (dev)
  • Existing web redirect URIs unchanged

Test Expectations

  • Verify via Keycloak Admin API: GET client config confirms all URIs present
  • Web login flow still works at production URL

Constraints

  • Check current client config first — this may already be configured from Phase 15
  • Use Keycloak Admin API (not manual UI)
  • Do not modify any other realm settings
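One way to do the verification the Test Expectations and Constraints ask for, as an added example that is not part of this issue or of the pal-e-platform repo: it reads the `westside-spa` ClientRepresentation through the Keycloak Admin REST API (`GET /admin/realms/{realm}/clients?clientId=...`, a documented endpoint) and compares `redirectUris` and `webOrigins` with the acceptance criteria, flagging a bare `*` entry because Keycloak treats it as "any redirect target / any origin". The base URL, the admin token, the `fetch_client` helper and `SAMPLE_CLIENT` are my own assumptions and constructed data, not values from the realm.

```python
"""Verify the westside-spa Keycloak client against this issue's acceptance criteria.

Added example; the URL/token handling and the sample client are assumptions.
"""
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Acceptance criteria from the issue.
REQUIRED_REDIRECT_URIS = {"capacitor://localhost/*", "http://localhost:5174/*"}
REQUIRED_WEB_ORIGINS = {"capacitor://localhost"}


def admin_clients_url(base_url: str, realm: str, client_id: str) -> str:
    """Build the Admin REST URL that looks a client up by its clientId."""
    query = urlencode({"clientId": client_id})
    return f"{base_url.rstrip('/')}/admin/realms/{realm}/clients?{query}"


def fetch_client(base_url: str, realm: str, client_id: str, token: str) -> dict:
    """Fetch the ClientRepresentation (hypothetical helper; needs a live Keycloak).

    `token` is an admin bearer token, e.g. obtained from the master realm's
    token endpoint with the admin-cli client; how you get it is out of scope here.
    """
    req = Request(
        admin_clients_url(base_url, realm, client_id),
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urlopen(req, timeout=10) as resp:
        clients = json.load(resp)
    # The endpoint returns a list; clientId is unique within a realm.
    if len(clients) != 1:
        raise LookupError(f"expected exactly one client {client_id!r}, got {len(clients)}")
    return clients[0]


def check_client(client: dict) -> dict:
    """Compare a ClientRepresentation with the acceptance criteria.

    Returns what is missing plus warnings for entries that are broader than
    any of the criteria need (a bare '*' matches every redirect URI / origin).
    """
    redirect_uris = set(client.get("redirectUris") or [])
    web_origins = set(client.get("webOrigins") or [])
    warnings = []
    if "*" in redirect_uris:
        warnings.append("redirectUris contains a bare '*': any redirect target is accepted")
    if "*" in web_origins:
        warnings.append("webOrigins contains a bare '*': any origin may call the token endpoint")
    return {
        "missing_redirect_uris": sorted(REQUIRED_REDIRECT_URIS - redirect_uris),
        "missing_web_origins": sorted(REQUIRED_WEB_ORIGINS - web_origins),
        "warnings": warnings,
    }


def client_ok(client: dict) -> bool:
    """True when every required redirect URI and web origin is present."""
    result = check_client(client)
    return not result["missing_redirect_uris"] and not result["missing_web_origins"]


# Constructed sample: what the client might look like *before* this issue is done.
SAMPLE_CLIENT = {
    "clientId": "westside-spa",
    "redirectUris": ["https://westside.example.test/*", "http://localhost:5174/*"],
    "webOrigins": ["https://westside.example.test"],
}


if __name__ == "__main__":
    # Offline run on the constructed sample; swap in fetch_client(...) for a live check.
    print(json.dumps(check_client(SAMPLE_CLIENT), indent=2))
```

Running it against a live realm is just `check_client(fetch_client(base_url, "westside-basketball", "westside-spa", token))`; the read-only GET satisfies the "check current state first" constraint without touching any other realm setting.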

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes

Related

  • project-capacitor-mobile — auth architecture section
Comment by forgejo_admin (Author, Owner):

Already configured. westside-spa client in k3s.tfvars (pal-e-services) has:

  • capacitor://localhost/* in valid_redirect_uris
  • capacitor://localhost in web_origins
  • http://localhost/* for local dev

No work needed. Closing.

Reference
forgejo_admin/pal-e-platform#165