Enable Keycloak event logging for login/logout/error events #251

Open
opened 2026-03-30 16:05:50 +00:00 by forgejo_admin · 0 comments

Type

Feature

Lineage

Standalone -- discovered during jersey ordering session 2026-03-29. No parent issue.

Repo

forgejo_admin/pal-e-platform

User Story

As an admin
I want Keycloak to log login, logout, and failed login events to stdout
So that I can query auth activity in Loki/Grafana and detect issues early

Context

Keycloak has a built-in event system (LOGIN, LOGIN_ERROR, LOGOUT, REGISTER, etc.) that is currently NOT configured in the westside-basketball realm. No login events are captured anywhere. Structured API logs include user_id per request (basketball-api logging_config.py), but there's no record of the auth event itself -- when someone logs in, fails to log in, or logs out.

Keycloak supports event listeners out of the box. The jboss-logging listener writes events to stdout, which Loki already scrapes from all pods. Enabling this is a configuration change, not a code change.

File Targets

Files the agent should modify or create:

  • terraform/modules/keycloak/main.tf -- Add Keycloak startup CLI commands or environment variables to enable realm event logging: eventsEnabled=true, eventsListeners=["jboss-logging"], enabledEventTypes=["LOGIN","LOGIN_ERROR","LOGOUT","REGISTER","REGISTER_ERROR"]

Files the agent should NOT touch:

  • basketball-api/ -- no application code changes needed
  • westside-app/ -- no frontend changes needed

Acceptance Criteria

  • When a parent logs in, a LOGIN event appears in Keycloak pod stdout
  • When a login fails, a LOGIN_ERROR event appears in Keycloak pod stdout
  • When a parent logs out, a LOGOUT event appears in Keycloak pod stdout
  • Existing auth flow is unchanged -- no user-facing impact

Test Expectations

  • Manual test: log in via westside-app, then kubectl logs on keycloak pod shows LOGIN event
  • Manual test: attempt login with wrong password, logs show LOGIN_ERROR
  • Run command: tofu plan -lock=false to verify no unintended changes
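Added example (not code from the pal-e-platform repo, Keycloak, or the ticket author): a small Python parser for the `jboss-logging` event lines the Context section describes, used to run the acceptance-criteria check from the Test Expectations above and to count LOGIN_ERROR events per source, which is the kind of query the Loki/Grafana dashboard ticket will want. The sample log lines are constructed to mimic `org.keycloak.events` listener output; the realm, client, user-id and IP values are made up, and the `key=value` field layout (bare or double-quoted values) is an assumption about the listener format, not output captured from a pod.

```python
"""Parse Keycloak jboss-logging event lines and check for expected auth events.

Added example, not part of the pal-e-platform repository. The sample log
is CONSTRUCTED: realm, client, user and IP values are invented, and the
`type=..., realmId=..., ...` layout is an assumption about the listener's
format, not real pod output.
"""
import re
from collections import Counter

# Constructed sample of what `kubectl logs <keycloak-pod>` might show once
# eventsEnabled=true and the jboss-logging listener is active.
SAMPLE_LOG = """\
2026-03-30 16:10:01,123 INFO  [org.keycloak.events] (executor-thread-3) type=LOGIN, realmId=westside-basketball, clientId=westside-app, userId=7f1c2b9e, ipAddress=10.42.0.17, auth_method=openid-connect, username=parent1
2026-03-30 16:10:07,456 WARN  [org.keycloak.events] (executor-thread-4) type=LOGIN_ERROR, realmId=westside-basketball, clientId=westside-app, userId=null, ipAddress=10.42.0.23, error=invalid_user_credentials, auth_method=openid-connect, username=parent2
2026-03-30 16:10:09,789 WARN  [org.keycloak.events] (executor-thread-4) type=LOGIN_ERROR, realmId=westside-basketball, clientId=westside-app, userId=null, ipAddress=10.42.0.23, error=invalid_user_credentials, auth_method=openid-connect, username=parent2
2026-03-30 16:12:30,000 INFO  [org.keycloak.events] (executor-thread-1) type=LOGOUT, realmId=westside-basketball, clientId=westside-app, userId=7f1c2b9e, ipAddress=10.42.0.17
2026-03-30 16:12:31,000 INFO  [io.quarkus] (main) Profile prod activated.
"""

EVENT_MARKER = "[org.keycloak.events]"
# key=value pairs; values may be bare or double-quoted (newer releases print
# type="LOGIN"), so both forms are accepted.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|[^,\s]*)')


def parse_event(line):
    """Return a dict of event fields, or None if the line is not an event."""
    idx = line.find(EVENT_MARKER)
    if idx < 0:
        return None
    payload = line[idx + len(EVENT_MARKER):]
    # Skip the "(executor-thread-N)" prefix and start at the first field.
    start = payload.find("type=")
    if start < 0:
        return None
    fields = {}
    for m in KV_RE.finditer(payload[start:]):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def parse_events(text):
    """Parse every event line in a log dump, ignoring non-event lines."""
    return [e for e in (parse_event(line) for line in text.splitlines()) if e]


def event_types_seen(events):
    """Count events by their `type` field."""
    return Counter(e.get("type") for e in events)


def acceptance_check(events, required=("LOGIN", "LOGIN_ERROR", "LOGOUT")):
    """Return the acceptance-criteria event types that never appeared."""
    seen = event_types_seen(events)
    return [t for t in required if seen[t] == 0]


def failed_logins_by_source(events, key="ipAddress"):
    """Count LOGIN_ERROR events per source field (ipAddress or username)."""
    return Counter(e.get(key) for e in events if e.get("type") == "LOGIN_ERROR")


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("event types:", dict(event_types_seen(evs)))
    print("missing required types:", acceptance_check(evs))
    print("LOGIN_ERROR by ipAddress:", dict(failed_logins_by_source(evs)))
```

Run it against `kubectl logs` output piped into a file instead of `SAMPLE_LOG` to turn the manual acceptance tests into a repeatable check; an empty list from `acceptance_check` means all three required event types were observed.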

Constraints

  • Must use Keycloak's built-in event system, not custom code
  • Events must go to stdout so Loki scrapes them automatically
  • No SMTP needed -- this is logging, not email
  • Check feedback_keycloak_first.md -- use Keycloak built-in features

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes

Related

  • project-pal-e-platform -- platform infrastructure
  • Feeds into: Grafana auth dashboard (separate ticket)
Reference
ldraney/pal-e-platform#251