ldraney/landscaping-assistant
1
0
Fork 0
Code Issues 32 Pull requests 1 Projects Releases Packages Wiki Activity Actions 4

Phase 1: Keycloak login with Authorization Code + PKCE (five test accounts) #115

New issue
Closed
opened 2026-06-06 03:24:41 +00:00 by ldraney · 9 comments
ldraney commented 2026-06-06 03:24:41 +00:00
Owner
Copy link

Type

Feature

Lineage

Child of #107 (Auth + Roles + Audit Trail). First of five phases defined in docs/user-stories-auth.md (PR #120, updated in PR #131).
Spike #132 validated architecture: standard flow (not ROPC), Terraform-managed realm via pal-e-services.

Repo

ldraney/landscaping-assistant

User Story

As Lucas, I want to log in with a username and password so the app knows who I am and stops being publicly accessible.

Context

The app is currently wide open -- anyone on Tailscale can view and modify property data. This ticket adds basic login/logout as the foundation for multi-user auth. Five test accounts cover all five roles (super_admin, admin, lead, member, client) so we can verify the permission model in later phases without needing real users yet.

Keycloak setup (Terraform via pal-e-services, per spike #132):

  • New realm: landscaping (separate from westside-basketball -- added to k3s.tfvars)
  • Confidential client: landscaping-assistant with Standard flow + PKCE S256 (no ROPC -- Direct Access Grants disabled per SOP and OAuth 2.1)
  • NetworkPolicy: landscaping-assistant namespace must be added to Keycloak allowlist in pal-e-platform/terraform/network-policies.tf
  • Five test users in the landscaping realm (created via admin console after tofu apply):
    • lucas-super-admin (roles: admin + super_admin)
    • lucas-admin (role: admin)
    • lucas-lead (role: lead)
    • lucas-crew (role: member)
    • lucas-client (role: client)
  • Five realm roles: admin, lead, member, client, super_admin

Auth flow (Authorization Code + PKCE):

  1. User visits any page → redirected to Keycloak login page (themed or default)
  2. User enters username + password on Keycloak's page
  3. Keycloak redirects back to /auth/keycloak/callback with auth code
  4. Rails exchanges auth code for tokens (server-side, confidential client)
  5. Rails decodes ID token, extracts username + realm roles, stores in session
  6. User sees the app. Logout clears session + Keycloak session (RP-initiated logout).

turbo-ios compatibility:

  • Keycloak login page works in turbo-ios webview (no external browser needed for V1)
  • Future: custom landscaping theme to match app visual identity
  • Alternative: ASWebAuthenticationSession for native OIDC flow if webview is insufficient

Not in scope (later phases): role enforcement, per-user queues, PaperTrail, user management UI.

Prerequisites (separate tickets/PRs)

  • pal-e-services: Add landscaping realm + landscaping-assistant client to k3s.tfvars, run tofu apply
  • pal-e-platform: Add landscaping-assistant namespace to Keycloak NetworkPolicy allowlist
  • pal-e-deployments: Add KEYCLOAK_* env vars to deployment-patch.yaml
  • Keycloak admin console: Create five test users with role assignments
  • kubectl: Add KEYCLOAK_* values to landscaping-assistant-secrets k8s secret

File Targets

  • app/controllers/sessions_controller.rb (new -- OmniAuth callback handler)
  • app/controllers/application_controller.rb (add authenticate_user! before_action)
  • config/initializers/omniauth.rb (new -- OmniAuth OIDC strategy config)
  • config/routes.rb (add /auth/keycloak/callback, /logout)
  • app/views/layouts/application.html.erb (logout button)
  • Gemfile (add omniauth_openid_connect gem)
  • spec/requests/sessions_spec.rb (new)
  • spec/support/auth_helper.rb (new -- test helper for authenticated requests)

Acceptance Criteria

  • landscaping realm exists in Keycloak with five test users and five realm roles
  • landscaping-assistant client exists (confidential, standard flow + PKCE, no ROPC)
  • Unauthenticated users are redirected to Keycloak login page
  • Successful login redirects back to the originally requested page (or Today tab)
  • Username + realm roles stored in Rails session after successful login
  • Failed login shows Keycloak's error on the login page (not a Rails error)
  • All pages except the auth callback redirect to login when unauthenticated
  • Logout clears Rails session AND Keycloak session (RP-initiated logout)
  • Logout button visible from all pages
  • All five test users can log in and see the app
  • Env vars in k8s secret: KEYCLOAK_URL, KEYCLOAK_REALM, KEYCLOAK_CLIENT_ID, KEYCLOAK_CLIENT_SECRET
  • Login works in turbo-ios webview (Keycloak page renders correctly)

Test Expectations

  • spec/requests/sessions_spec.rb: OmniAuth callback success, callback failure, logout, redirect-after-login
  • spec/support/auth_helper.rb: helper to mock OmniAuth auth hash in request specs
  • Existing request specs updated to use auth helper (they'll break once authenticate_user! lands)
  • OmniAuth test mode used in specs (no live Keycloak needed in CI)
  • Run: bundle exec rspec

Constraints

  • Authorization Code flow with PKCE (S256), NOT ROPC -- per SOP and OAuth 2.1
  • Confidential client -- Rails is server-rendered, client secret stays server-side
  • No local User model -- Keycloak is the sole user store
  • Session-based auth -- Rails session cookie holds user info extracted from ID token
  • omniauth_openid_connect gem (or equivalent) for the OIDC flow
  • Login page is Keycloak's (default theme for V1, custom theme later)
  • Feature-flag the login behind keycloak_login flag (per docs/feature-flags.md)

Checklist

  • Keycloak realm + client created via Terraform (pal-e-services)
  • NetworkPolicy updated (pal-e-platform)
  • K8s secret updated with Keycloak env vars
  • Deployment overlay updated (pal-e-deployments)
  • Test users created in Keycloak admin console
  • PR opened
  • Tests pass
  • Tested in turbo-ios
  • No unrelated changes

Related

  • #107 -- parent auth issue
  • #119 -- user stories doc (PR #120)
  • #130 -- FeatureFlag implementation (super_admin role, keycloak_login flag)
  • #132 -- spike: Keycloak architecture (validated standard flow, Terraform approach)
  • docs/user-stories-auth.md -- five-role model, permission matrix
  • docs/keycloak-setup.md -- spike output with realm design and setup instructions
  • docs/feature-flags.md -- keycloak_login flag
  • sop-keycloak-client-creation -- security baselines (PKCE, no ROPC, etc.)
### Type Feature ### Lineage Child of #107 (Auth + Roles + Audit Trail). First of five phases defined in `docs/user-stories-auth.md` (PR #120, updated in PR #131). Spike #132 validated architecture: standard flow (not ROPC), Terraform-managed realm via pal-e-services. ### Repo `ldraney/landscaping-assistant` ### User Story As Lucas, I want to log in with a username and password so the app knows who I am and stops being publicly accessible. ### Context The app is currently wide open -- anyone on Tailscale can view and modify property data. This ticket adds basic login/logout as the foundation for multi-user auth. Five test accounts cover all five roles (super_admin, admin, lead, member, client) so we can verify the permission model in later phases without needing real users yet. **Keycloak setup (Terraform via pal-e-services, per spike #132):** - New realm: `landscaping` (separate from `westside-basketball` -- added to `k3s.tfvars`) - Confidential client: `landscaping-assistant` with **Standard flow + PKCE S256** (no ROPC -- Direct Access Grants disabled per SOP and OAuth 2.1) - NetworkPolicy: `landscaping-assistant` namespace must be added to Keycloak allowlist in `pal-e-platform/terraform/network-policies.tf` - Five test users in the `landscaping` realm (created via admin console after `tofu apply`): - `lucas-super-admin` (roles: `admin` + `super_admin`) - `lucas-admin` (role: `admin`) - `lucas-lead` (role: `lead`) - `lucas-crew` (role: `member`) - `lucas-client` (role: `client`) - Five realm roles: `admin`, `lead`, `member`, `client`, `super_admin` **Auth flow (Authorization Code + PKCE):** 1. User visits any page → redirected to Keycloak login page (themed or default) 2. User enters username + password on Keycloak's page 3. Keycloak redirects back to `/auth/keycloak/callback` with auth code 4. Rails exchanges auth code for tokens (server-side, confidential client) 5. Rails decodes ID token, extracts username + realm roles, stores in session 6. User sees the app. Logout clears session + Keycloak session (RP-initiated logout). **turbo-ios compatibility:** - Keycloak login page works in turbo-ios webview (no external browser needed for V1) - Future: custom `landscaping` theme to match app visual identity - Alternative: `ASWebAuthenticationSession` for native OIDC flow if webview is insufficient **Not in scope (later phases):** role enforcement, per-user queues, PaperTrail, user management UI. ### Prerequisites (separate tickets/PRs) - [ ] pal-e-services: Add `landscaping` realm + `landscaping-assistant` client to `k3s.tfvars`, run `tofu apply` - [ ] pal-e-platform: Add `landscaping-assistant` namespace to Keycloak NetworkPolicy allowlist - [ ] pal-e-deployments: Add KEYCLOAK_* env vars to deployment-patch.yaml - [ ] Keycloak admin console: Create five test users with role assignments - [ ] kubectl: Add KEYCLOAK_* values to `landscaping-assistant-secrets` k8s secret ### File Targets - `app/controllers/sessions_controller.rb` (new -- OmniAuth callback handler) - `app/controllers/application_controller.rb` (add `authenticate_user!` before_action) - `config/initializers/omniauth.rb` (new -- OmniAuth OIDC strategy config) - `config/routes.rb` (add `/auth/keycloak/callback`, `/logout`) - `app/views/layouts/application.html.erb` (logout button) - `Gemfile` (add `omniauth_openid_connect` gem) - `spec/requests/sessions_spec.rb` (new) - `spec/support/auth_helper.rb` (new -- test helper for authenticated requests) ### Acceptance Criteria - [ ] `landscaping` realm exists in Keycloak with five test users and five realm roles - [ ] `landscaping-assistant` client exists (confidential, standard flow + PKCE, no ROPC) - [ ] Unauthenticated users are redirected to Keycloak login page - [ ] Successful login redirects back to the originally requested page (or Today tab) - [ ] Username + realm roles stored in Rails session after successful login - [ ] Failed login shows Keycloak's error on the login page (not a Rails error) - [ ] All pages except the auth callback redirect to login when unauthenticated - [ ] Logout clears Rails session AND Keycloak session (RP-initiated logout) - [ ] Logout button visible from all pages - [ ] All five test users can log in and see the app - [ ] Env vars in k8s secret: KEYCLOAK_URL, KEYCLOAK_REALM, KEYCLOAK_CLIENT_ID, KEYCLOAK_CLIENT_SECRET - [ ] Login works in turbo-ios webview (Keycloak page renders correctly) ### Test Expectations - `spec/requests/sessions_spec.rb`: OmniAuth callback success, callback failure, logout, redirect-after-login - `spec/support/auth_helper.rb`: helper to mock OmniAuth auth hash in request specs - Existing request specs updated to use auth helper (they'll break once `authenticate_user!` lands) - OmniAuth test mode used in specs (no live Keycloak needed in CI) - Run: `bundle exec rspec` ### Constraints - Authorization Code flow with PKCE (S256), NOT ROPC -- per SOP and OAuth 2.1 - Confidential client -- Rails is server-rendered, client secret stays server-side - No local User model -- Keycloak is the sole user store - Session-based auth -- Rails session cookie holds user info extracted from ID token - `omniauth_openid_connect` gem (or equivalent) for the OIDC flow - Login page is Keycloak's (default theme for V1, custom theme later) - Feature-flag the login behind `keycloak_login` flag (per docs/feature-flags.md) ### Checklist - [ ] Keycloak realm + client created via Terraform (pal-e-services) - [ ] NetworkPolicy updated (pal-e-platform) - [ ] K8s secret updated with Keycloak env vars - [ ] Deployment overlay updated (pal-e-deployments) - [ ] Test users created in Keycloak admin console - [ ] PR opened - [ ] Tests pass - [ ] Tested in turbo-ios - [ ] No unrelated changes ### Related - #107 -- parent auth issue - #119 -- user stories doc (PR #120) - #130 -- FeatureFlag implementation (super_admin role, keycloak_login flag) - #132 -- spike: Keycloak architecture (validated standard flow, Terraform approach) - `docs/user-stories-auth.md` -- five-role model, permission matrix - `docs/keycloak-setup.md` -- spike output with realm design and setup instructions - `docs/feature-flags.md` -- keycloak_login flag - `sop-keycloak-client-creation` -- security baselines (PKCE, no ROPC, etc.)
ldraney changed title from Phase 1: Keycloak login for single user (three test accounts) to Phase 1: Keycloak login for single user (four test accounts) 2026-06-06 19:26:15 +00:00
ldraney commented 2026-06-06 21:26:20 +00:00
Author
Owner
Copy link

Issue #115 Template Review

TEMPLATE CONFORMANCE

  • ### Type header present and valid (Feature)
  • ### Lineage present and populated -- references parent #107 and source doc
  • ### Repo present and populated (ldraney/landscaping-assistant)
  • ### User Story present and follows As/I want/So that format
  • ### Context present and thorough -- includes Keycloak setup details, Rails auth flow, and explicit scope exclusions
  • ### File Targets present with specific file paths and descriptions
  • ### Acceptance Criteria present with checkboxes (- [ ] format)
  • ### Test Expectations present with specific spec file names and run command
  • ### Constraints present with clear patterns and boundaries
  • ### Checklist present with checkboxes
  • ### Related present with issue references and doc references

All 11 required sections present, non-empty, and well-formed. No template conformance issues.

CONTENT QUALITY

File Targets -- verified against repo:
All file paths are accurate. Files marked as new (sessions_controller.rb, keycloak_auth_service.rb, sessions/new.html.erb, both spec files) do not exist yet. Files marked as modify (application_controller.rb, routes.rb, application.html.erb, Gemfile) exist and are correctly identified. The app/services/ directory does not exist yet either -- the implementing agent will need to create it. This is implicit but obvious, so not a blocker.

Acceptance Criteria -- testable and complete:
All 11 criteria are specific and verifiable. Good coverage of happy path (login, redirect, session), error path (failed login), and infrastructure (realm, client, env vars). The "user returns to originally requested page" criterion is a nice catch for redirect-after-login behavior.

Test Expectations -- realistic:
Spec files are named correctly per Rails conventions. The note about existing request specs needing a session auth helper is critical and shows awareness of the blast radius -- adding authenticate_user! as a before_action will break every existing request spec. Good that this is called out explicitly.

Constraints -- clear and non-contradictory:
The constraints are well-scoped: username-only login, no local User model, session-based auth, Turbo Native compatibility. The reference to basketball-api's ROPC pattern gives the implementing agent a concrete example to follow.

Related -- verified:

  • #107 exists (open) -- "Keycloak auth with direct grant, roles, and audit trail"
  • #119 exists (closed) -- "Update docs for four-role model, tab layout, and multi-tenancy"
  • docs/user-stories-auth.md exists and references this ticket at line 393
  • sop-keycloak-client-creation is a pal-e-docs reference (external, not verified here)

Phase 1 alignment:
The ticket scope matches the Phase 1 definition in docs/user-stories-auth.md (lines 346-349) exactly: Keycloak realm + client, four test users, login/logout/redirect. No scope creep into Phase 2 (role enforcement, tab visibility).

Implementability:
The ticket is implementable by a dev agent with minimal ambiguity. Two observations:

  1. Keycloak realm pre-requisite: The Context section states Keycloak setup is "manual, per sop-keycloak-client-creation." The Checklist also lists "Keycloak realm + client + users created (manual)" and "K8s secret updated with Keycloak env vars (manual)." This is correctly scoped -- the agent codes the Rails side, and the manual steps are clearly separated. However, the ticket does not specify the order dependency: the manual Keycloak steps must be done BEFORE the agent can integration-test anything. Since the Test Expectations say to stub HTTP calls to Keycloak in the service spec, this is fine for CI, but worth noting for anyone doing manual verification.

  2. JWT gem: The Gemfile target correctly identifies that a jwt gem needs to be added. The current Gemfile has no JWT dependency. The agent will need to pick between jwt (ruby-jwt) and potentially json-jwt -- the constraint to follow basketball-api's pattern should clarify this, but the ticket could be more explicit about which gem.

  3. Case-insensitive username: The constraint says "case-insensitive matching," but since there is no local User model and Keycloak is the sole user store, case sensitivity depends on the Keycloak realm configuration. The agent needs to either (a) downcase the username before sending to Keycloak's token endpoint, or (b) ensure the Keycloak realm is configured for case-insensitive usernames. This is an edge case worth noting but not a blocker since the constraint is stated and the agent can handle it.

BLOCKERS

None.

NITS

  1. Gem name specificity: The File Targets say "add jwt gem" but do not specify the exact gem name. Ruby has jwt (ruby-jwt) and json-jwt. Consider specifying gem "jwt" explicitly to remove ambiguity.

  2. Successful login redirect target: The Acceptance Criteria says "Successful login redirects to Today tab." Currently root points to work_queue_items#index (the Today tab), so this is correct for now. But Phase 2 will change the default tab per role (Admin -> Crew, Client -> My Property per docs/user-stories-auth.md lines 65-68). A brief note acknowledging that the redirect target will change in Phase 2 would help future readers understand why it's hardcoded to Today now.

  3. Missing "do not touch" list: The File Targets template encourages listing "Files the agent should NOT touch." This section is absent. For a ticket that adds before_action :authenticate_user! to ApplicationController, it might be worth noting that individual controllers (e.g., properties_controller.rb, work_queue_items_controller.rb) should NOT get their own auth logic -- the ApplicationController approach covers them all.

  4. Checklist ordering: The manual Keycloak steps are listed first in the Checklist, which correctly reflects dependency order. No change needed, just noting this is well done.

VERDICT: APPROVED

## Issue #115 Template Review ### TEMPLATE CONFORMANCE - [x] `### Type` header present and valid (`Feature`) - [x] `### Lineage` present and populated -- references parent #107 and source doc - [x] `### Repo` present and populated (`ldraney/landscaping-assistant`) - [x] `### User Story` present and follows As/I want/So that format - [x] `### Context` present and thorough -- includes Keycloak setup details, Rails auth flow, and explicit scope exclusions - [x] `### File Targets` present with specific file paths and descriptions - [x] `### Acceptance Criteria` present with checkboxes (`- [ ]` format) - [x] `### Test Expectations` present with specific spec file names and run command - [x] `### Constraints` present with clear patterns and boundaries - [x] `### Checklist` present with checkboxes - [x] `### Related` present with issue references and doc references All 11 required sections present, non-empty, and well-formed. No template conformance issues. ### CONTENT QUALITY **File Targets -- verified against repo:** All file paths are accurate. Files marked as new (`sessions_controller.rb`, `keycloak_auth_service.rb`, `sessions/new.html.erb`, both spec files) do not exist yet. Files marked as modify (`application_controller.rb`, `routes.rb`, `application.html.erb`, `Gemfile`) exist and are correctly identified. The `app/services/` directory does not exist yet either -- the implementing agent will need to create it. This is implicit but obvious, so not a blocker. **Acceptance Criteria -- testable and complete:** All 11 criteria are specific and verifiable. Good coverage of happy path (login, redirect, session), error path (failed login), and infrastructure (realm, client, env vars). The "user returns to originally requested page" criterion is a nice catch for redirect-after-login behavior. **Test Expectations -- realistic:** Spec files are named correctly per Rails conventions. The note about existing request specs needing a session auth helper is critical and shows awareness of the blast radius -- adding `authenticate_user!` as a `before_action` will break every existing request spec. Good that this is called out explicitly. **Constraints -- clear and non-contradictory:** The constraints are well-scoped: username-only login, no local User model, session-based auth, Turbo Native compatibility. The reference to basketball-api's ROPC pattern gives the implementing agent a concrete example to follow. **Related -- verified:** - #107 exists (open) -- "Keycloak auth with direct grant, roles, and audit trail" - #119 exists (closed) -- "Update docs for four-role model, tab layout, and multi-tenancy" - `docs/user-stories-auth.md` exists and references this ticket at line 393 - `sop-keycloak-client-creation` is a pal-e-docs reference (external, not verified here) **Phase 1 alignment:** The ticket scope matches the Phase 1 definition in `docs/user-stories-auth.md` (lines 346-349) exactly: Keycloak realm + client, four test users, login/logout/redirect. No scope creep into Phase 2 (role enforcement, tab visibility). **Implementability:** The ticket is implementable by a dev agent with minimal ambiguity. Two observations: 1. **Keycloak realm pre-requisite**: The Context section states Keycloak setup is "manual, per sop-keycloak-client-creation." The Checklist also lists "Keycloak realm + client + users created (manual)" and "K8s secret updated with Keycloak env vars (manual)." This is correctly scoped -- the agent codes the Rails side, and the manual steps are clearly separated. However, the ticket does not specify the order dependency: the manual Keycloak steps must be done BEFORE the agent can integration-test anything. Since the Test Expectations say to stub HTTP calls to Keycloak in the service spec, this is fine for CI, but worth noting for anyone doing manual verification. 2. **JWT gem**: The Gemfile target correctly identifies that a `jwt` gem needs to be added. The current Gemfile has no JWT dependency. The agent will need to pick between `jwt` (ruby-jwt) and potentially `json-jwt` -- the constraint to follow basketball-api's pattern should clarify this, but the ticket could be more explicit about which gem. 3. **Case-insensitive username**: The constraint says "case-insensitive matching," but since there is no local User model and Keycloak is the sole user store, case sensitivity depends on the Keycloak realm configuration. The agent needs to either (a) downcase the username before sending to Keycloak's token endpoint, or (b) ensure the Keycloak realm is configured for case-insensitive usernames. This is an edge case worth noting but not a blocker since the constraint is stated and the agent can handle it. ### BLOCKERS None. ### NITS 1. **Gem name specificity**: The File Targets say "add jwt gem" but do not specify the exact gem name. Ruby has `jwt` (ruby-jwt) and `json-jwt`. Consider specifying `gem "jwt"` explicitly to remove ambiguity. 2. **Successful login redirect target**: The Acceptance Criteria says "Successful login redirects to Today tab." Currently `root` points to `work_queue_items#index` (the Today tab), so this is correct for now. But Phase 2 will change the default tab per role (Admin -> Crew, Client -> My Property per `docs/user-stories-auth.md` lines 65-68). A brief note acknowledging that the redirect target will change in Phase 2 would help future readers understand why it's hardcoded to Today now. 3. **Missing "do not touch" list**: The File Targets template encourages listing "Files the agent should NOT touch." This section is absent. For a ticket that adds `before_action :authenticate_user!` to `ApplicationController`, it might be worth noting that individual controllers (e.g., `properties_controller.rb`, `work_queue_items_controller.rb`) should NOT get their own auth logic -- the `ApplicationController` approach covers them all. 4. **Checklist ordering**: The manual Keycloak steps are listed first in the Checklist, which correctly reflects dependency order. No change needed, just noting this is well done. ### VERDICT: APPROVED
ldraney changed title from Phase 1: Keycloak login for single user (four test accounts) to Phase 1: Keycloak login with Authorization Code + PKCE (five test accounts) 2026-06-06 22:19:59 +00:00
ldraney commented 2026-06-06 23:38:27 +00:00
Author
Owner
Copy link

Cross-Repo Prerequisites — Starting 2026-06-06

Working through these in order. Each step depends on the previous.

Step 1: pal-e-services — Terraform realm + client

  • Add landscaping realm to keycloak_realms in k3s.tfvars
  • Add landscaping-assistant client to keycloak_clients in k3s.tfvars
  • tofu plantofu apply
  • Verify: curl https://keycloak.tail5b443a.ts.net/realms/landscaping/.well-known/openid-configuration

Step 2: pal-e-platform — NetworkPolicy

  • Add landscaping-assistant namespace to Keycloak ingress allowlist in network-policies.tf
  • tofu apply

Step 3: Keycloak admin console — 5 test users

  • lucas-super-admin (admin + super_admin), lucas-admin, lucas-lead, lucas-crew, lucas-client
  • Manual via admin console after realm exists

Step 4: k8s secrets

  • Add KEYCLOAK_URL, KEYCLOAK_REALM, KEYCLOAK_CLIENT_ID, KEYCLOAK_CLIENT_SECRET to landscaping-assistant-secrets

Step 5: pal-e-deployments — env vars

  • Add 4 Keycloak env vars to deployment-patch.yaml (initContainer + container)

Step 6: Rails auth (this repo)

  • omniauth_openid_connect gem, OmniAuth initializer, sessions controller, feature-flagged behind keycloak_login

Will comment progress on each step.

## Cross-Repo Prerequisites — Starting 2026-06-06 Working through these in order. Each step depends on the previous. ### Step 1: pal-e-services — Terraform realm + client - Add `landscaping` realm to `keycloak_realms` in `k3s.tfvars` - Add `landscaping-assistant` client to `keycloak_clients` in `k3s.tfvars` - `tofu plan` → `tofu apply` - Verify: `curl https://keycloak.tail5b443a.ts.net/realms/landscaping/.well-known/openid-configuration` ### Step 2: pal-e-platform — NetworkPolicy - Add `landscaping-assistant` namespace to Keycloak ingress allowlist in `network-policies.tf` - `tofu apply` ### Step 3: Keycloak admin console — 5 test users - `lucas-super-admin` (admin + super_admin), `lucas-admin`, `lucas-lead`, `lucas-crew`, `lucas-client` - Manual via admin console after realm exists ### Step 4: k8s secrets - Add `KEYCLOAK_URL`, `KEYCLOAK_REALM`, `KEYCLOAK_CLIENT_ID`, `KEYCLOAK_CLIENT_SECRET` to `landscaping-assistant-secrets` ### Step 5: pal-e-deployments — env vars - Add 4 Keycloak env vars to `deployment-patch.yaml` (initContainer + container) ### Step 6: Rails auth (this repo) - `omniauth_openid_connect` gem, OmniAuth initializer, sessions controller, feature-flagged behind `keycloak_login` Will comment progress on each step.
ldraney commented 2026-06-06 23:56:46 +00:00
Author
Owner
Copy link

Step 1 DONE: pal-e-services Terraform

PR pal-e-services#104 merged. landscaping realm and landscaping-assistant client added to k3s.tfvars.example.

Next: copy entries to real k3s.tfvars and run tofu plan / tofu apply on archbox. Then Step 2 (NetworkPolicy).

### Step 1 DONE: pal-e-services Terraform PR pal-e-services#104 merged. `landscaping` realm and `landscaping-assistant` client added to `k3s.tfvars.example`. Next: copy entries to real `k3s.tfvars` and run `tofu plan` / `tofu apply` on archbox. Then Step 2 (NetworkPolicy).
ldraney commented 2026-06-07 00:00:33 +00:00
Author
Owner
Copy link

Step 1 VERIFIED: Terraform applied

tofu apply complete. Realm is live:

issuer: https://keycloak.tail5b443a.ts.net/realms/landscaping

8 resources created: 1 realm, 5 roles (admin, lead, member, client, super_admin), 1 client (landscaping-assistant), 1 realm-roles protocol mapper.

Moving to Step 2 (NetworkPolicy) and Step 3 (test users).

### Step 1 VERIFIED: Terraform applied `tofu apply` complete. Realm is live: ``` issuer: https://keycloak.tail5b443a.ts.net/realms/landscaping ``` 8 resources created: 1 realm, 5 roles (admin, lead, member, client, super_admin), 1 client (landscaping-assistant), 1 realm-roles protocol mapper. Moving to Step 2 (NetworkPolicy) and Step 3 (test users).
ldraney commented 2026-06-07 00:03:11 +00:00
Author
Owner
Copy link

Step 3 DONE: Test users created

5 test users created via Keycloak Admin REST API with roles assigned:

User Roles
lucas-super-admin admin + super_admin (compound)
lucas-admin admin
lucas-lead lead
lucas-crew member
lucas-client client

Password: Test1234! (all users, non-temporary)

Step 2 (NetworkPolicy) agent is still running.

### Step 3 DONE: Test users created 5 test users created via Keycloak Admin REST API with roles assigned: | User | Roles | |------|-------| | lucas-super-admin | admin + super_admin (compound) | | lucas-admin | admin | | lucas-lead | lead | | lucas-crew | member | | lucas-client | client | Password: `Test1234!` (all users, non-temporary) Step 2 (NetworkPolicy) agent is still running.
ldraney commented 2026-06-07 00:05:13 +00:00
Author
Owner
Copy link

Step 4 DONE: k8s secrets updated

landscaping-assistant-secrets now has 12 keys (8 existing + 4 new):

  • KEYCLOAK_URL = https://keycloak.tail5b443a.ts.net
  • KEYCLOAK_REALM = landscaping
  • KEYCLOAK_CLIENT_ID = landscaping-assistant
  • KEYCLOAK_CLIENT_SECRET = (from Keycloak Credentials tab)

Step 2 (NetworkPolicy) QA review in progress. Step 5 (deployment env vars) agent running.

### Step 4 DONE: k8s secrets updated `landscaping-assistant-secrets` now has 12 keys (8 existing + 4 new): - `KEYCLOAK_URL` = `https://keycloak.tail5b443a.ts.net` - `KEYCLOAK_REALM` = `landscaping` - `KEYCLOAK_CLIENT_ID` = `landscaping-assistant` - `KEYCLOAK_CLIENT_SECRET` = (from Keycloak Credentials tab) Step 2 (NetworkPolicy) QA review in progress. Step 5 (deployment env vars) agent running.
ldraney commented 2026-06-07 00:07:44 +00:00
Author
Owner
Copy link

Step 2 DONE: NetworkPolicy applied

PR pal-e-platform#414 merged and tofu apply complete. landscaping-assistant namespace is in the Keycloak ingress allowlist. Pods can reach Keycloak.

Waiting on step 5 (pal-e-deployments env vars PR) — agent still running.

### Step 2 DONE: NetworkPolicy applied PR pal-e-platform#414 merged and `tofu apply` complete. `landscaping-assistant` namespace is in the Keycloak ingress allowlist. Pods can reach Keycloak. Waiting on step 5 (pal-e-deployments env vars PR) — agent still running.
ldraney commented 2026-06-07 00:26:39 +00:00
Author
Owner
Copy link

Step 5 DONE: Deployment env vars merged

PR pal-e-deployments#188 merged. ArgoCD will sync the 4 Keycloak env vars to the pod.

All prerequisites complete

Step Status
1. Terraform realm + client DONE (pal-e-services#103, applied)
2. NetworkPolicy DONE (pal-e-platform#413, applied)
3. Test users DONE (5 users via Admin REST API)
4. k8s secrets DONE (12 keys in landscaping-assistant-secrets)
5. Deployment env vars DONE (pal-e-deployments#187, merged)

Ready for Step 6: Rails auth implementation (OmniAuth) in this repo.

### Step 5 DONE: Deployment env vars merged PR pal-e-deployments#188 merged. ArgoCD will sync the 4 Keycloak env vars to the pod. ## All prerequisites complete | Step | Status | |------|--------| | 1. Terraform realm + client | DONE (pal-e-services#103, applied) | | 2. NetworkPolicy | DONE (pal-e-platform#413, applied) | | 3. Test users | DONE (5 users via Admin REST API) | | 4. k8s secrets | DONE (12 keys in landscaping-assistant-secrets) | | 5. Deployment env vars | DONE (pal-e-deployments#187, merged) | Ready for Step 6: Rails auth implementation (OmniAuth) in this repo.
ldraney commented 2026-06-07 00:44:11 +00:00
Author
Owner
Copy link

Step 6 DONE: Rails OmniAuth implementation

PR #134 opened: Add Keycloak OmniAuth login with Authorization Code + PKCE

Branch: 115-keycloak-omniauth-login — 10 files, 398 additions.

What's in the PR:

  • omniauth_openid_connect (> 0.8) + omniauth-rails_csrf_protection (> 1.0)
  • OmniAuth initializer configured from KEYCLOAK_* env vars, guarded for dev without Keycloak
  • SessionsController — callback extracts username/email/realm_access roles into session, logout redirects through Keycloak end-session endpoint
  • ApplicationController helpers: current_user, logged_in?, authenticate_user!, current_user_has_role?, keycloak_configured?
  • Auth bar in layout (login/logout), only renders when Keycloak is configured
  • 7 request specs (callback, roles, logout, failure, unauthenticated access) — all 101 specs pass

Auth NOT enforced globally — login/logout UI appears but all routes remain open. Role-gated tabs come in Phase 2.

QA review in progress.

### Step 6 DONE: Rails OmniAuth implementation PR #134 opened: **Add Keycloak OmniAuth login with Authorization Code + PKCE** Branch: `115-keycloak-omniauth-login` — 10 files, 398 additions. **What's in the PR:** - `omniauth_openid_connect` (~> 0.8) + `omniauth-rails_csrf_protection` (~> 1.0) - OmniAuth initializer configured from KEYCLOAK_* env vars, guarded for dev without Keycloak - `SessionsController` — callback extracts username/email/realm_access roles into session, logout redirects through Keycloak end-session endpoint - `ApplicationController` helpers: `current_user`, `logged_in?`, `authenticate_user!`, `current_user_has_role?`, `keycloak_configured?` - Auth bar in layout (login/logout), only renders when Keycloak is configured - 7 request specs (callback, roles, logout, failure, unauthenticated access) — all 101 specs pass **Auth NOT enforced globally** — login/logout UI appears but all routes remain open. Role-gated tabs come in Phase 2. QA review in progress.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
docs/update-app-architecture
revert-213
move-other-crew-bottom-remove-schedule
feature/today-view-improvements
154-enable-assume-ssl
revert-145-person-icon
docs/user-stories-auth
docs/update-infra-pipeline-post-incident
fix-cache-step-blocking-deploy
fix-kaniko-registry-pull
deactivate-from-today
feature/quick-address-entry
No results found.
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
ldraney/landscaping-assistant#115
No description provided.