Register http://localhost:4173 as valid Keycloak redirect URI for pal-e-app client #113

Open
opened 2026-04-21 01:48:43 +00:00 by forgejo_admin · 0 comments
Contributor

Type

Bug

Lineage

Discovered during pipeline #127 (PR #111). After switching Playwright to preview webServer (#112), 3 auth-boundary tests fail against http://localhost:4173 because Keycloak's pal-e-app client doesn't list that URL in validRedirectUris.

Repo

forgejo_admin/pal-e-app

What Broke

Three e2e tests reach the auth-redirect step but the redirect to Keycloak fails (or returns to a wrong URL) because Keycloak's pal-e-app client config only allows the prod redirect:

  • e2e/auth.spec.ts:45 — /notes/{slug}/edit redirects to Keycloak when unauthenticated
  • e2e/note-edit.spec.ts:4 — edit page redirects to Keycloak when not authenticated
  • e2e/note-edit.spec.ts:18 — edit page does not render edit form when unauthenticated

These pass when tests run against the live prod URL (pipeline #125 — they were green) and fail only when running against http://localhost:4173 (pipeline #127).

Repro Steps

  1. Build pal-e-app locally: npm run build && npm run preview
  2. In a browser at http://localhost:4173/notes/some-slug/edit (unauthenticated)
  3. Observe: redirect to Keycloak fails or loops, or never returns to localhost:4173

Expected Behavior

localhost:4173/* registered as a valid redirect URI on the Keycloak pal-e-app client. After unauthenticated access to /notes/{slug}/edit, browser → Keycloak login page → on success returns to localhost:4173/....

Environment

  • Keycloak realm: prod (whichever realm hosts the pal-e-app client; check src/lib/keycloak.ts for realm + client id)
  • Client id (default per .env.example): pal-e-app
  • Frontends that should be allowed redirect URIs:
    • https://pal-e-app.tail5b443a.ts.net/* (prod — already there)
    • http://localhost:4173/* (preview — to add)
    • http://localhost:5173/* (Vite dev — likely worth adding too)

Acceptance Criteria

  • Keycloak pal-e-app client validRedirectUris includes http://localhost:4173/*
  • (Optional but recommended) also includes http://localhost:5173/* for Vite dev workflow
  • Web Origins also includes both localhost origins (so CORS in Keycloak's own endpoints works)
  • Manual: visit http://localhost:4173/notes/{slug}/edit unauthenticated → land on Keycloak login → after login return to localhost:4173 page
  • Pipeline #127's 3 auth-boundary tests pass on next CI run

Out of Scope

  • Other clients (basketball-app, mcd-tracker-app, etc.) — file separately if they have the same issue
  • Migrating Keycloak config to IaC (terraform-keycloak provider) — separate platform-track ticket

Related

  • forgejo_admin/pal-e-app#110, #112 — sibling fixes in PR #111
  • feedback_keycloak_first.md — check Keycloak built-in features before custom auth flows
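
The acceptance criteria above can be checked offline against an exported client representation. The following is an added example, not code from the pal-e-app repository: it approximates Keycloak's matching (exact match or trailing `*` prefix for redirect URIs, listed origin or `+` for Web Origins), and the client objects, the prod Web Origins value and the `auditClient` helper are constructed for illustration.

```javascript
// Added example: simplified model of Keycloak redirect-URI and Web Origins checks.
// Client objects use the Admin REST ClientRepresentation field names
// (redirectUris, webOrigins); their values below are constructed.

// A pattern matches exactly, or as a prefix when it ends in a trailing "*".
function redirectAllowed(patterns, uri) {
  const bare = uri.split(/[?#]/)[0]; // compare without query string / fragment
  return patterns.some((p) =>
    p.endsWith('*') ? bare.startsWith(p.slice(0, -1)) : bare === p);
}

// An origin is allowed if listed, or if "+" is set and a redirect URI shares it.
function originAllowed(client, origin) {
  if (client.webOrigins.includes(origin)) return true;
  if (!client.webOrigins.includes('+')) return false;
  return client.redirectUris.some((p) => {
    try { return new URL(p.replace(/\*$/, '')).origin === origin; }
    catch { return false; } // relative or malformed pattern
  });
}

// Returns the list of unmet criteria for the given frontend base URLs.
function auditClient(client, frontends) {
  const missing = [];
  for (const base of frontends) {
    const probe = `${base}/notes/some-slug/edit`; // path from the repro steps
    if (!redirectAllowed(client.redirectUris, probe)) missing.push(`redirect ${base}/*`);
    if (!originAllowed(client, base)) missing.push(`origin ${base}`);
  }
  return missing;
}

const FRONTENDS = ['http://localhost:4173', 'http://localhost:5173'];
const PROD = 'https://pal-e-app.tail5b443a.ts.net';

// Constructed "before" state: only the prod frontend is registered.
const before = { clientId: 'pal-e-app', redirectUris: [`${PROD}/*`], webOrigins: [PROD] };
// Constructed "after" state matching the acceptance criteria.
const after = {
  clientId: 'pal-e-app',
  redirectUris: [`${PROD}/*`, ...FRONTENDS.map((f) => `${f}/*`)],
  webOrigins: [PROD, ...FRONTENDS],
};

console.log('before:', auditClient(before, FRONTENDS));
console.log('after: ', auditClient(after, FRONTENDS));
```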