chore: update keycloak

docker-compose.yml

@@ -43,16 +43,18 @@ services:
     command: server --console-address ":9001" /data
 
   keycloak:
-    image: quay.io/keycloak/keycloak:23.0.4
+    image: quay.io/keycloak/keycloak:26.2
     restart: always
     volumes:
       - "${KEYCLOAK_IMPORT_PATH}:/opt/keycloak/data/import"
-      - "${KEYCLOAK_THEME_PATH}:/opt/keycloak/themes"
+      - "${KEYCLOAK_THEME_PATH}:/opt/keycloak/providers"
     ports:
       - "${KEYCLOAK_PORT_NUMBER:-8080}:8080"
     environment:
-      KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN_USERNAME}
-      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
+      KC_HTTP_ENABLED: ${KEYCLOAK_HTTP_ENABLED}
+      KC_HOSTNAME_STRICT: ${KEYCLOAK_HOSTNAME_STRICT}
+      KC_BOOTSTRAP_ADMIN_USERNAME: ${KEYCLOAK_BOOTSTRAP_ADMIN_USERNAME}
+      KC_BOOTSTRAP_ADMIN_PASSWORD: ${KEYCLOAK_BOOTSTRAP_ADMIN_PASSWORD}
       KEYCLOAK_GITHUB_CLIENT_ID: ${KEYCLOAK_GITHUB_CLIENT_ID}
       KEYCLOAK_GITHUB_CLIENT_SECRET: ${KEYCLOAK_GITHUB_CLIENT_SECRET}
       KEYCLOAK_GOOGLE_CLIENT_ID: ${KEYCLOAK_GOOGLE_CLIENT_ID}

docker/keycloak/realm-export.json → docker/keycloak/comify-realm.json

@@ -26,7 +26,7 @@
   "oauth2DeviceCodeLifespan": 600,
   "oauth2DevicePollingInterval": 5,
   "enabled": true,
-  "sslRequired": "external",
+  "sslRequired": "none",
   "registrationAllowed": true,
   "registrationEmailAsUsername": true,
   "rememberMe": false,
@@ -691,7 +691,7 @@
         "backchannel.logout.session.required": "true",
         "client_credentials.use_refresh_token": "true",
         "tls.client.certificate.bound.access.tokens": "false",
-        "require.pushed.authorization.requests": "false",
+        "require.pushed.authorization.requests": "true",
         "acr.loa.map": "{}",
         "display.on.consent.screen": "false",
         "token.response.type.bearer.lower-case": "false"
@@ -1441,7 +1441,7 @@
       }
     },
     {
-      "alias": "linkedin-openid-connect",
+      "alias": "linkedin",
       "internalId": "cb473677-9319-4078-8d15-f013242e00e2",
       "providerId": "linkedin-openid-connect",
       "enabled": true,

docker/keycloak/themes_src/README.md

@@ -0,0 +1,19 @@
+# Generate the login and registration pages for Keycloak
+
+To generate the login and registration pages for Keycloak, we use the [keycloakify](https://www.keycloakify.dev/) project.
+
+The files in this `src` directory are the only files we modified in the keycloakify-starter-main project. To regenerate the login and registration pages, you need to clone the project from github using the following command:
+
+```bash
+git clone https://github.com/keycloakify/keycloakify-starter
+cd keycloakify-starter
+npm install
+npx keycloakify add-story #login.ftl
+npm run storybook
+```
+
+Then copy all the files from this directory to the `keycloakify-starter-main/src/login` directory. Import the `main.css` in the `KcPage.tsx`.
+
+Don't forget to change the name of the theme to `comify` in the `vite.config.ts` file.
+
+These steps are also documented in the keycloakify [documentation](https://docs.keycloakify.dev/#quick-start).

docker/keycloak/themes/comify/login/resources/css/login.css → docker/keycloak/themes_src/main.css

@@ -82,6 +82,7 @@ p.instruction
     --pf-c-button--m-primary--hover--BackgroundColor: color-mix(in srgb, black 10%, #e06666);
 
     color: var(--pf-c-button--m-primary--Color);
+    background-color: var(--pf-c-button--m-primary--BackgroundColor);
     border-radius: 2em;
 }
 
@@ -167,7 +168,7 @@ div.kc-logo-text span
     padding: 30px 10px 20px;
     white-space: normal;
     color: transparent;
-    background-image: url(../img/logo.svg);
+    background-image: url(./logo.svg);
     background-repeat: no-repeat;
     background-position: center bottom;
     background-size: auto 55px;
@@ -647,6 +648,13 @@ ul#kc-totp-supported-apps
     padding: 0 20px;
     max-width: 500px;
     background-color: #f3f3f3;
+    border-top: 0;
+    box-shadow: none;
+}
+
+.col-md-10
+{
+    padding: 0;
 }
 
 /*phone*/

example.env

@@ -71,9 +71,11 @@ MINIO_ADMIN_PORT_NUMBER=9001
 # MINIO_SECRET_KEY=specified in the application section
 
 # KEYCLOAK
+KEYCLOAK_HTTP_ENABLED="true"
+KEYCLOAK_HOSTNAME_STRICT="false"
 KEYCLOAK_PORT_NUMBER=8080
-KEYCLOAK_ADMIN_USERNAME="development"
-KEYCLOAK_ADMIN_PASSWORD="development"
+KEYCLOAK_BOOTSTRAP_ADMIN_USERNAME="development"
+KEYCLOAK_BOOTSTRAP_ADMIN_PASSWORD="development"
 KEYCLOAK_IMPORT_PATH="./docker/keycloak"
 KEYCLOAK_THEME_PATH="./docker/keycloak/themes"
 KEYCLOAK_GITHUB_CLIENT_ID="development"

src/integrations/authentication/implementations/openid/OpenID.ts

@@ -1,7 +1,7 @@
 
 import
 {
-    allowInsecureRequests, authorizationCodeGrant, buildAuthorizationUrl, calculatePKCECodeChallenge, discovery,
+    allowInsecureRequests, authorizationCodeGrant, buildAuthorizationUrlWithPAR, calculatePKCECodeChallenge, discovery,
     fetchUserInfo, randomPKCECodeVerifier, refreshTokenGrant, tokenRevocation
 } from 'openid-client';
 
@@ -67,7 +67,7 @@ export default class OpenID implements IdentityProvider
         };
 
         const clientConfiguration = this.#getClientConfiguration();
-        const redirectTo = buildAuthorizationUrl(clientConfiguration, parameters);
+        const redirectTo = await buildAuthorizationUrlWithPAR(clientConfiguration, parameters);
 
         return redirectTo.href;
     }