
chore: update keycloak #422

Merged
basmasking merged 10 commits into main from 410-update-keycloack
Jun 27, 2025

Conversation

basmasking (Member) commented Jun 27, 2025

Fixes #410

Changes proposed in this pull request:

  • keycloak updated to v26.2 (latest at this time)
  • enabled PAR authentication
  • used keycloakify to generate login and register screens
  • fixed LinkedIn icon for social login

@MaskingTechnology/comify

Summary by CodeRabbit

  • New Features

    • Added documentation for customizing Keycloak login and registration pages using keycloakify.
    • Introduced new environment variables for Keycloak configuration.
  • Bug Fixes

    • Corrected logo image path and improved button styling in Keycloak theme.
  • Refactor

    • Updated Keycloak Docker Compose configuration to use a newer image and revised environment variables.
    • Changed Keycloak realm and client settings, including SSL requirements and pushed authorization requests.
    • Improved OpenID login flow to use the pushed authorization request method.
  • Chores

    • Removed the legacy Keycloak theme properties file.

basmasking requested a review from petermasking as a code owner June 27, 2025 20:39
basmasking linked an issue Jun 27, 2025 that may be closed by this pull request
coderabbitai bot commented Jun 27, 2025

Walkthrough

The changes update Keycloak to version 26.2, adjust its Docker Compose configuration, and modify the Keycloak realm and theme files to align with the new version. The authentication flow is updated to use PAR (Pushed Authorization Requests). Related documentation and environment variable examples are also revised.

Changes

File(s) and change summary:
  • docker-compose.yml, example.env: Update Keycloak image version, adjust environment variables, add new config options, update command; add new env vars.
  • docker/keycloak/comify-realm.json: Change SSL requirement, enable PAR for a client, rename LinkedIn IdP alias.
  • docker/keycloak/themes/comify/login/theme.properties: Remove the theme.properties file for the "comify" login theme.
  • docker/keycloak/themes_src/README.md: Add new README explaining Keycloakify-based theme customization and usage.
  • docker/keycloak/themes_src/main.css: Update styles: button background, logo path, TOTP app list, add .col-md-10 padding rule.
  • src/integrations/authentication/implementations/openid/OpenID.ts: Switch from buildAuthorizationUrl to async buildAuthorizationUrlWithPAR for PAR support.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant App
    participant OpenID Client
    participant Keycloak

    User->>App: Initiate login
    App->>OpenID Client: getLoginUrl()
    OpenID Client->>Keycloak: Send Pushed Authorization Request (PAR)
    Keycloak-->>OpenID Client: Return PAR URI
    OpenID Client-->>App: Return login URL with PAR
    App-->>User: Redirect to Keycloak login with PAR
    User->>Keycloak: Authenticate
    Keycloak-->>App: Return authorization code

Assessment against linked issues

Objectives from the linked issue (#410):
  • Update Keycloak to the latest version
  • Update or recreate login and registration templates to match new Keycloak version
  • Implement PAR (Pushed Authorization Requests) in authentication flow

Assessment against linked issues: Out-of-scope changes

Code Change Explanation
None found

Poem

🐇
Keycloak hops to version new,
With PAR in tow and styles askew.
Templates shed, a freshened theme,
Login flows now swift and clean.
Compose and CSS, all aligned,
This rabbit’s code is redefined!
🌱
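The PAR exchange shown in the sequence diagram above, as an added example that is not part of the original PR, not the project's OpenID.ts, and not the library whose buildAuthorizationUrlWithPAR it calls. It models both sides in memory: an authorization server with a PAR endpoint and an authorization endpoint, and a client that pushes its parameters first and then builds a redirect URL carrying only client_id and request_uri. The class and function names, the "comify" demo client, its secret and the example.test hostnames are constructed for the demo.

```typescript
// Added example: an in-memory model of the OAuth 2.0 Pushed Authorization
// Request exchange (RFC 9126) that this PR switches the login flow to.
// Not the project's OpenID.ts and not the openid-client library;
// AuthorizationServer, buildLoginUrlWithPar and the "comify" demo client
// are illustrative names, and the demo secret and URLs are constructed.
import { randomBytes } from "node:crypto";

interface RegisteredClient {
  secret: string;
  redirectUris: string[];
  requirePar: boolean; // mirrors Keycloak's require.pushed.authorization.requests
}

interface PushedRequest {
  clientId: string;
  params: Record<string, string>;
  expiresAt: number; // epoch milliseconds
}

const REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:";
const REQUEST_URI_LIFETIME_S = 60;

class AuthorizationServer {
  private readonly clients: Map<string, RegisteredClient>;
  private readonly pushed = new Map<string, PushedRequest>();
  private readonly now: () => number;

  constructor(clients: Map<string, RegisteredClient>, now: () => number = Date.now) {
    this.clients = clients;
    this.now = now;
  }

  // Back-channel PAR endpoint: the client authenticates, the server validates
  // and stores the full parameter set and returns an opaque, short-lived URI.
  par(clientId: string, clientSecret: string, params: Record<string, string>): { request_uri: string; expires_in: number } {
    const client = this.clients.get(clientId);
    if (!client || client.secret !== clientSecret) throw new Error("invalid_client");
    if ("request_uri" in params) throw new Error("invalid_request: request_uri is not allowed in a PAR body");
    if (params.redirect_uri !== undefined && !client.redirectUris.includes(params.redirect_uri)) {
      throw new Error("invalid_request: redirect_uri is not registered for this client");
    }
    const requestUri = REQUEST_URI_PREFIX + randomBytes(16).toString("hex");
    this.pushed.set(requestUri, { clientId, params, expiresAt: this.now() + REQUEST_URI_LIFETIME_S * 1000 });
    return { request_uri: requestUri, expires_in: REQUEST_URI_LIFETIME_S };
  }

  // Front-channel authorization endpoint. When the client requires PAR, only
  // client_id and request_uri are honoured from the browser; everything else
  // comes from the stored, single-use request and cannot be altered in transit.
  authorize(query: URLSearchParams): Record<string, string> {
    const clientId = query.get("client_id") ?? "";
    const client = this.clients.get(clientId);
    if (!client) throw new Error("invalid_client");
    const requestUri = query.get("request_uri");
    if (requestUri === null) {
      if (client.requirePar) throw new Error("invalid_request: pushed authorization request required");
      const plain: Record<string, string> = {}; // legacy front-channel parameters
      query.forEach((value, key) => { plain[key] = value; });
      return plain;
    }
    const stored = this.pushed.get(requestUri);
    this.pushed.delete(requestUri); // single use: a replayed request_uri must fail
    if (stored === undefined || stored.clientId !== clientId) throw new Error("invalid_request: unknown request_uri");
    if (stored.expiresAt <= this.now()) throw new Error("invalid_request: request_uri expired");
    return { client_id: clientId, ...stored.params };
  }
}

// Client side, the counterpart of the PR's buildAuthorizationUrlWithPAR call:
// push the parameters over the back channel, then redirect the browser to a
// URL that carries only client_id and the opaque request_uri.
function buildLoginUrlWithPar(
  server: AuthorizationServer, authorizeEndpoint: string,
  clientId: string, clientSecret: string, params: Record<string, string>,
): URL {
  const { request_uri } = server.par(clientId, clientSecret, params);
  const url = new URL(authorizeEndpoint);
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("request_uri", request_uri);
  return url;
}

// Constructed demo registration: one confidential client with PAR required.
const demoClients = new Map<string, RegisteredClient>([
  ["comify", { secret: "constructed-demo-secret", redirectUris: ["https://app.example.test/callback"], requirePar: true }],
]);

function runDemo(): { redirectCarriesState: boolean; resolvedState: string | undefined; replayRejected: boolean; directRejected: boolean } {
  const server = new AuthorizationServer(demoClients);
  const endpoint = "https://kc.example.test/realms/comify/protocol/openid-connect/auth";
  const url = buildLoginUrlWithPar(server, endpoint, "comify", "constructed-demo-secret", {
    response_type: "code", scope: "openid", redirect_uri: "https://app.example.test/callback", state: "state-123",
  });
  const resolved = server.authorize(url.searchParams); // the server resolving the pushed request
  let replayRejected = false;
  try { server.authorize(url.searchParams); } catch { replayRejected = true; }
  let directRejected = false; // a browser-crafted request that skips the PAR step
  try { server.authorize(new URLSearchParams({ client_id: "comify", response_type: "code", state: "x" })); } catch { directRejected = true; }
  return { redirectCarriesState: url.searchParams.has("state"), resolvedState: resolved.state, replayRejected, directRejected };
}

console.log(runDemo());
```

Three properties are worth noticing when running this: the redirect URL the user's browser follows contains no scope, redirect_uri or state (they travelled over the authenticated back channel), a request_uri is consumed on first use and expires after sixty seconds, and a client flagged with requirePar is refused a plain front-channel request, which is what the realm's require.pushed.authorization.requests setting enforces in Keycloak.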



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (3)
docker/keycloak/themes_src/README.md (1)

16-17: Fix typos and grammar in documentation.

There are two issues that need correction:

  1. Line 16: Grammar issue - "Don't forget the change" should be "Don't forget to change"
  2. Line 17: Typo - "comfiy" should be "comify"

Apply this diff:

-Then copy all the files from this directory to the `keycloakify-starter-main/src/login` directory. Import the `main.css` in the `KcPage.tsx`.
+Then copy all the files from this directory to the `keycloakify-starter-main/src/login` directory. Import the `main.css` in the `KcPage.tsx`.

-Don't forget the change the name of the theme to `comfiy` in the `vite.config.ts` file.
+Don't forget to change the name of the theme to `comify` in the `vite.config.ts` file.
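Review bot: the first -/+ pair of this suggestion is byte-identical (the line-16 text is repeated unchanged), so only the second pair changes anything; drop the first pair so the suggestion applies cleanly as a diff, and note that both fixes named above ("to change" and "comify") actually land on the same README line in the second pair.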
docker-compose.yml (2)

50-50: Verify you’re mounting built providers, not raw theme sources

/opt/keycloak/providers is where Keycloak 26 expects compiled provider/theme JARs.
If KEYCLOAK_THEME_PATH still points to themes_src, Keycloak won’t pick the custom UI and will silently fall back to the default theme.

Ensure the CI pipeline runs keycloakify build (or similar), produces the JAR, and that KEYCLOAK_THEME_PATH resolves to that output directory/file.


54-57: Standardise admin env-var names to avoid confusion

You feed the new KC_BOOTSTRAP_* variables from legacy KEYCLOAK_ADMIN_* names. Mixing conventions in one file is easy to overlook and may bite newcomers.

Recommend renaming the .env entries and wiring them straight through:

-      KC_BOOTSTRAP_ADMIN_USERNAME: ${KEYCLOAK_ADMIN_USERNAME}
-      KC_BOOTSTRAP_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
+      KC_BOOTSTRAP_ADMIN_USERNAME: ${KC_BOOTSTRAP_ADMIN_USERNAME}
+      KC_BOOTSTRAP_ADMIN_PASSWORD: ${KC_BOOTSTRAP_ADMIN_PASSWORD}
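Review bot: renaming the interpolated variables without a modifier keeps the failure mode the rename is meant to avoid: Compose substitutes an empty string for an undefined variable, so an environment still carrying the old KEYCLOAK_ADMIN_* names would hand Keycloak empty bootstrap credentials without any error. Use the required-variable form on both lines, e.g. `KC_BOOTSTRAP_ADMIN_PASSWORD: ${KC_BOOTSTRAP_ADMIN_PASSWORD:?KC_BOOTSTRAP_ADMIN_PASSWORD is not set}`, so Compose refuses to start until the new names are populated.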

Deprecate the old variables in example.env with a clear comment.


📥 Commits

Reviewing files that changed from the base of the PR and between ac3bd6a and 65d6f40.

⛔ Files ignored due to path filters (9)
  • docker/keycloak/themes/comify/login/resources/img/favicon.ico is excluded by !**/*.ico
  • docker/keycloak/themes/comify/login/resources/img/feedback-error-arrow-down.png is excluded by !**/*.png
  • docker/keycloak/themes/comify/login/resources/img/feedback-error-sign.png is excluded by !**/*.png
  • docker/keycloak/themes/comify/login/resources/img/feedback-success-arrow-down.png is excluded by !**/*.png
  • docker/keycloak/themes/comify/login/resources/img/feedback-success-sign.png is excluded by !**/*.png
  • docker/keycloak/themes/comify/login/resources/img/feedback-warning-arrow-down.png is excluded by !**/*.png
  • docker/keycloak/themes/comify/login/resources/img/feedback-warning-sign.png is excluded by !**/*.png
  • docker/keycloak/themes/keycloak-theme-for-kc-all-other-versions.jar is excluded by !**/*.jar
  • docker/keycloak/themes_src/logo.svg is excluded by !**/*.svg
📒 Files selected for processing (7)
  • docker-compose.yml (1 hunks)
  • docker/keycloak/comify-realm.json (3 hunks)
  • docker/keycloak/themes/comify/login/theme.properties (0 hunks)
  • docker/keycloak/themes_src/README.md (1 hunks)
  • docker/keycloak/themes_src/main.css (3 hunks)
  • example.env (1 hunks)
  • src/integrations/authentication/implementations/openid/OpenID.ts (2 hunks)
💤 Files with no reviewable changes (1)
  • docker/keycloak/themes/comify/login/theme.properties
🧰 Additional context used
🪛 LanguageTool
docker/keycloak/themes_src/README.md

[style] ~16-~16: For a more polite and respectful tone, consider rephrasing with ‘please’.
Context: ...rt the main.css in the KcPage.tsx. Don't forget the change the name of the theme to `co...

(DONT_FORGET)


[uncategorized] ~17-~17: “the” seems less likely than “to”.
Context: ...cssin theKcPage.tsx. Don't forget the change the name of the theme to comfiy...

(AI_HYDRA_LEO_CP_THE_TO)

🪛 YAMLlint (1.37.1)
docker-compose.yml

[warning] 46-46: wrong indentation: expected 6 but found 4

(indentation)


[warning] 49-49: wrong indentation: expected 8 but found 6

(indentation)


[warning] 52-52: wrong indentation: expected 8 but found 6

(indentation)


[warning] 54-54: wrong indentation: expected 8 but found 6

(indentation)

🔇 Additional comments (7)
src/integrations/authentication/implementations/openid/OpenID.ts (1)

4-4: LGTM! PAR implementation is correctly integrated.

The changes properly implement Pushed Authorization Requests (PAR) by updating the import to buildAuthorizationUrlWithPAR and making the getLoginUrl method asynchronous. This aligns perfectly with the realm configuration that enables require.pushed.authorization.requests.

Also applies to: 70-70

example.env (1)

74-75: LGTM! Environment variables are appropriate for development.

The new Keycloak environment variables KC_HTTP_ENABLED and KC_HOSTNAME_STRICT are correctly configured for development environments and align with the Keycloak 26.2 update.

docker/keycloak/themes_src/main.css (1)

85-85: LGTM! CSS improvements enhance theme styling.

The changes improve the theme by:

  • Adding proper background color for primary buttons
  • Correcting the logo path reference
  • Enhancing card and column layouts

These updates align with the keycloakify theme generation approach mentioned in the README.

Also applies to: 171-171, 651-658

docker/keycloak/comify-realm.json (3)

29-29: LGTM! SSL disabled for development environment.

Setting sslRequired to "none" is appropriate for development environments and aligns with the HTTP-enabled configuration.


694-694: LGTM! PAR requirement aligns with code changes.

Enabling require.pushed.authorization.requests perfectly matches the OpenID.ts implementation changes that switched to buildAuthorizationUrlWithPAR.


1444-1444: LGTM! LinkedIn provider alias simplified.

The alias change from "linkedin-openid-connect" to "linkedin" improves consistency and simplicity.

docker-compose.yml (1)

45-47:

```shell
#!/bin/bash

# Show lines 40-60 of docker-compose.yml to verify indentation around the keycloak service
sed -n '40,60p' docker-compose.yml
```



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (3)
docker-compose.yml (3)

45-47: Indentation breaks Compose-spec conventions
Lines under the keycloak: service are indented 4 spaces instead of the expected 6 (two per hierarchy level). While Docker Compose tolerates mixed indentation, it becomes painful when editing or diff-ing later.

-  keycloak:
-    image: quay.io/keycloak/keycloak:26.2
+  keycloak:
+      image: quay.io/keycloak/keycloak:26.2
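Review bot: the replacement lines step from two spaces at `keycloak:` to six at `image:`, a four-space jump, while the text asks for two spaces per hierarchy level; the + line should read `+    image: quay.io/keycloak/keycloak:26.2` (four spaces) so the suggestion does not reintroduce the inconsistency it sets out to fix.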

Fix the whole service block to use consistent 2-space steps.


46-46: Pin by digest to prevent silent upstream changes
quay.io/keycloak/keycloak:26.2 will float if Red Hat republishes the tag. Consider locking to the immutable digest (find it with podman pull --quiet …) and keep the semantic tag as a comment:

-      image: quay.io/keycloak/keycloak:26.2
+      # quay.io/keycloak/keycloak:26.2
+      image: quay.io/keycloak/keycloak@sha256:<digest>
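Review bot: keeping the human-readable tag only in a comment lets the comment and the digest drift apart on the next bump; Docker accepts both on the reference itself, `image: quay.io/keycloak/keycloak:26.2@sha256:<digest>`, where the digest is what gets pulled and the tag is informational. `<digest>` is a placeholder the author must fill from an image they have pulled and verified, and a digest pin also needs a process (automated dependency updates or a release checklist) for picking up Keycloak security fixes, which the floating tag delivered implicitly.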

This shields your CI/CD from unexpected patch rebuilds.


58-63: Secret envs should use _FILE pattern
Leaking client secrets via plain-text environment variables is risky. Docker Compose supports the _FILE convention:

KEYCLOAK_GOOGLE_CLIENT_SECRET_FILE: /run/secrets/google_client_secret

Switching to secrets keeps credentials out of docker ps and shell history.


📥 Commits

Reviewing files that changed from the base of the PR and between 65d6f40 and e3452f0.

📒 Files selected for processing (3)
  • docker-compose.yml (1 hunks)
  • docker/keycloak/themes_src/README.md (1 hunks)
  • example.env (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (2)
  • docker/keycloak/themes_src/README.md
  • example.env
🧰 Additional context used
🪛 YAMLlint (1.37.1)
docker-compose.yml

[warning] 46-46: wrong indentation: expected 6 but found 4

(indentation)


[warning] 49-49: wrong indentation: expected 8 but found 6

(indentation)


[warning] 52-52: wrong indentation: expected 8 but found 6

(indentation)


[warning] 54-54: wrong indentation: expected 8 but found 6

(indentation)

🔇 Additional comments (1)
docker-compose.yml (1)

49-51: Verify correct mount location for themes vs. providers
From KC 21+, raw theme folders are still read only from /opt/keycloak/themes; /opt/keycloak/providers is intended for compiled providers/theme JARs. If you mount an uncompiled directory produced by yarn keycloakify --watch, Keycloak will no longer pick it up.

Double-check that ${KEYCLOAK_THEME_PATH} contains built .jar artefacts; otherwise revert to /opt/keycloak/themes or add a build step that copies the jar(s) there.

Comment on lines +54 to +57

```yaml
      KC_HTTP_ENABLED: ${KC_HTTP_ENABLED}
      KC_HOSTNAME_STRICT: ${KC_HOSTNAME_STRICT}
      KC_BOOTSTRAP_ADMIN_USERNAME: ${KC_BOOTSTRAP_ADMIN_USERNAME}
      KC_BOOTSTRAP_ADMIN_PASSWORD: ${KC_BOOTSTRAP_ADMIN_PASSWORD}
```


🛠️ Refactor suggestion

Env var defaults & type-safety
KC_HTTP_ENABLED and KC_HOSTNAME_STRICT must be explicit "true"/"false" strings; unset vars will cause Keycloak to fail at start-up. Provide sane fallbacks in the compose file or example.env:

-      KC_HTTP_ENABLED: ${KC_HTTP_ENABLED}
-      KC_HOSTNAME_STRICT: ${KC_HOSTNAME_STRICT}
+      KC_HTTP_ENABLED: ${KC_HTTP_ENABLED:-true}
+      KC_HOSTNAME_STRICT: ${KC_HOSTNAME_STRICT:-false}
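Review bot: the fallbacks chosen here, `KC_HTTP_ENABLED:-true` and `KC_HOSTNAME_STRICT:-false`, are the permissive development values, so a deployment that forgets to set the variables quietly runs plain HTTP with hostname checking off instead of failing. For anything beyond local development, either make the variables mandatory with `${KC_HTTP_ENABLED:?KC_HTTP_ENABLED must be set}` or default to the strict values (`false` and `true`) and let the development .env override them.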

Similarly, ensure the new bootstrap admin credentials are present in every deployment pipeline.

🧰 Tools
🪛 YAMLlint (1.37.1)

[warning] 54-54: wrong indentation: expected 8 but found 6

(indentation)

🤖 Prompt for AI Agents
In docker-compose.yml around lines 54 to 57, the environment variables
KC_HTTP_ENABLED and KC_HOSTNAME_STRICT need explicit "true" or "false" string
values to prevent Keycloak startup failures. Update the compose file to provide
default values for these variables using the syntax ${VAR:-default}, setting
sane fallbacks like "true" or "false". Additionally, ensure
KC_BOOTSTRAP_ADMIN_USERNAME and KC_BOOTSTRAP_ADMIN_PASSWORD are always set in
deployment pipelines by adding appropriate defaults or validation to avoid
missing credentials.
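The review threads above raise several compose-file hygiene points for the Keycloak service: a mutable image tag, bare `${VAR}` interpolations with no fallback, permissive defaults for KC_HTTP_ENABLED and KC_HOSTNAME_STRICT, credentials passed as plain environment variables, and a non-JAR path mounted on /opt/keycloak/providers. As an added example that is not part of the PR or the project, the following lint checks a docker-compose.yml for all of them. It is line-oriented on purpose, so it needs no YAML library; the rule names and SAMPLE_COMPOSE are constructed for the demo and are not the project's file.

```typescript
// Added example (not the project's code): a dependency-free, line-oriented
// lint for the Keycloak service in a docker-compose.yml covering the points
// raised in this review: mutable image tags, bare ${VAR} interpolations,
// permissive defaults for KC_HTTP_ENABLED / KC_HOSTNAME_STRICT, credentials
// passed as environment variables, and non-JAR mounts on /opt/keycloak/providers.
// It deliberately avoids a YAML parser; SAMPLE_COMPOSE below is constructed.

interface Finding { line: number; rule: string; message: string; }

// A bare ${VAR} becomes the empty string when VAR is unset; ${VAR:-x} carries a
// default and ${VAR:?msg} makes Compose fail fast, so only the bare form is flagged.
const BARE_INTERPOLATION = /\$\{([A-Z0-9_]+)\}/g;
const DEFAULTED_INTERPOLATION = /\$\{([A-Z0-9_]+):?-([^}]*)\}/g;
const CREDENTIAL_KEY = /(SECRET|PASSWORD|TOKEN)$/; // a *_FILE key does not match
const PERMISSIVE_DEFAULTS: Record<string, string> = { KC_HTTP_ENABLED: "true", KC_HOSTNAME_STRICT: "false" };

function allMatches(re: RegExp, text: string): RegExpExecArray[] {
  const out: RegExpExecArray[] = [];
  re.lastIndex = 0;
  let m: RegExpExecArray | null;
  while ((m = re.exec(text)) !== null) out.push(m);
  return out;
}

function lintKeycloakCompose(compose: string): Finding[] {
  const findings: Finding[] = [];
  compose.split("\n").forEach((raw, index) => {
    const line = raw.trim();
    const n = index + 1;

    // Rule 1: the Keycloak image must be pinned by digest, not by a floating tag.
    const image = line.match(/^image:\s*(\S+)/);
    if (image && image[1].includes("keycloak") && !image[1].includes("@sha256:")) {
      findings.push({ line: n, rule: "image-digest", message: `${image[1]} is a mutable tag; pin it with @sha256:<digest>` });
    }

    // Rules 2-4: environment entries in KEY: value form.
    const env = line.match(/^([A-Z][A-Z0-9_]*):\s*(.+)$/);
    if (env) {
      const key = env[1];
      const value = env[2];
      for (const m of allMatches(BARE_INTERPOLATION, value)) {
        findings.push({ line: n, rule: "env-no-fallback", message: `${key} uses bare \${${m[1]}}; add :? to fail fast or :- for a default` });
      }
      for (const m of allMatches(DEFAULTED_INTERPOLATION, value)) {
        if (PERMISSIVE_DEFAULTS[key] === m[2]) {
          findings.push({ line: n, rule: "env-permissive-default", message: `${key} silently falls back to ${m[2]} when ${m[1]} is unset` });
        }
      }
      if (CREDENTIAL_KEY.test(key)) {
        findings.push({ line: n, rule: "secret-in-env", message: `${key} passes a credential through the environment; prefer a file-based secret` });
      }
    }

    // Rule 5: /opt/keycloak/providers expects built JARs, not raw theme directories.
    const mount = line.match(/^-\s*(\S+):\/opt\/keycloak\/providers/);
    if (mount && !mount[1].endsWith(".jar")) {
      findings.push({ line: n, rule: "providers-mount", message: `${mount[1]} is mounted on /opt/keycloak/providers, which expects built JARs; raw themes belong under /opt/keycloak/themes` });
    }
  });
  return findings;
}

// Constructed sample mixing good and bad settings from the review threads.
const SAMPLE_COMPOSE = `
services:
  keycloak:
    image: quay.io/keycloak/keycloak:26.2
    command: start-dev --import-realm
    volumes:
      - \${KEYCLOAK_THEME_PATH}:/opt/keycloak/providers
    environment:
      KC_HTTP_ENABLED: \${KC_HTTP_ENABLED:-true}
      KC_HOSTNAME_STRICT: \${KC_HOSTNAME_STRICT}
      KC_BOOTSTRAP_ADMIN_USERNAME: \${KC_BOOTSTRAP_ADMIN_USERNAME:?KC_BOOTSTRAP_ADMIN_USERNAME is required}
      KC_BOOTSTRAP_ADMIN_PASSWORD: \${KC_BOOTSTRAP_ADMIN_PASSWORD}
      KEYCLOAK_GOOGLE_CLIENT_SECRET_FILE: /run/secrets/google_client_secret
`;

for (const f of lintKeycloakCompose(SAMPLE_COMPOSE)) {
  console.log(`line ${f.line} [${f.rule}] ${f.message}`);
}
```

On the constructed sample the lint reports the unpinned image, the variable mount on /opt/keycloak/providers (it cannot know at lint time whether ${KEYCLOAK_THEME_PATH} resolves to a JAR, so it asks), the permissive `:-true` default, the two bare interpolations, and the password passed through the environment, while the `:?` guarded username and the `_FILE` secret pass. A check like this fits naturally in CI or a pre-commit hook next to yamllint.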

@sonarqubecloud

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

♻️ Duplicate comments (1)
docker-compose.yml (1)

54-55: Defaults for critical env vars still missing (duplicate of previous feedback)

KC_HTTP_ENABLED and KC_HOSTNAME_STRICT inherit directly from ${KEYCLOAK_HTTP_ENABLED} / ${KEYCLOAK_HOSTNAME_STRICT}.
If these variables are unset, Keycloak fails hard at startup. Provide sane fall-backs, e.g.:

-      KC_HTTP_ENABLED: ${KEYCLOAK_HTTP_ENABLED}
-      KC_HOSTNAME_STRICT: ${KEYCLOAK_HOSTNAME_STRICT}
+      KC_HTTP_ENABLED: ${KEYCLOAK_HTTP_ENABLED:-true}
+      KC_HOSTNAME_STRICT: ${KEYCLOAK_HOSTNAME_STRICT:-false}
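Review bot: these defaults still make the unset case the insecure one (HTTP on, hostname checking off); `${KEYCLOAK_HTTP_ENABLED:?KEYCLOAK_HTTP_ENABLED must be set}` keeps the hard stop on a missing variable but turns it into a clear Compose error instead of a Keycloak startup failure, and where a fallback is wanted the strict values (`:-false` for KC_HTTP_ENABLED, `:-true` for KC_HOSTNAME_STRICT) are the safer choice.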

Same concern applies to the new bootstrap admin credentials if they might be omitted in some environments.

🧹 Nitpick comments (1)
docker-compose.yml (1)

46-46: Consider pinning the image with a digest for deterministic builds

Upgrading to quay.io/keycloak/keycloak:26.2 is fine, but relying solely on a mutable tag can lead to non-reproducible deployments once 26.2 is re-built or re-published. Pin the image with its SHA digest—or at least freeze to the minor/patch version you have locally validated—to guarantee identical bits across CI/CD environments.


📥 Commits

Reviewing files that changed from the base of the PR and between e3452f0 and 9fef7ad.

📒 Files selected for processing (2)
  • docker-compose.yml (1 hunks)
  • example.env (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • example.env
🧰 Additional context used
🪛 YAMLlint (1.37.1)
docker-compose.yml

[warning] 46-46: wrong indentation: expected 6 but found 4

(indentation)


[warning] 49-49: wrong indentation: expected 8 but found 6

(indentation)


[warning] 52-52: wrong indentation: expected 8 but found 6

(indentation)


[warning] 54-54: wrong indentation: expected 8 but found 6

(indentation)

🔇 Additional comments (1)
docker-compose.yml (1)

50-50: Verify that the mounted path matches the artefact produced by keycloakify

/opt/keycloak/providers is correct only when you mount a JAR generated by keycloakify (≥ 7.x).
If you intend to hot-reload raw theme files (e.g., for local styling tweaks) you still need /opt/keycloak/themes. Double-check that KEYCLOAK_THEME_PATH indeed points to the built provider JAR; otherwise the theme will no longer be discovered after the upgrade.

basmasking merged commit 51b778b into main Jun 27, 2025
7 checks passed
basmasking deleted the 410-update-keycloack branch June 27, 2025 21:06
Development

Successfully merging this pull request may close these issues: Update Keycloack

2 participants