feat: sso admin mapping support#102

Merged
ZimengXiong merged 7 commits into
ZimengXiong:mainfrom
BoxBoxJason:feat/sso-admin-support
Apr 27, 2026
Conversation

@BoxBoxJason

@BoxBoxJason BoxBoxJason commented Mar 19, 2026

Warning

I am not a cybersecurity expert; the "security" aspects of this PR should be reviewed with utmost care.

This PR adds the support of an optional mapping for admin groups when using OIDC SSO.

Combining the variables:

  • OIDC_GROUPS_CLAIM that specifies to the backend pod where in the jwt response from OIDC the groups are located
  • OIDC_ADMIN_GROUPS that specifies to the backend pod which group(s) are supposed to be admin (anyone not in them will NOT be admin)

Caution

When these parameters are set, the default first user to connect is NO LONGER admin by default
Also, if these parameters are set, manually setting someone as admin will NO LONGER WORK, because the OIDC provider groups become the source of truth for who is admin

Every route call now re-evaluates whether the user is admin or not before processing.

The README was updated to showcase these new available parameters.

This adds many unit tests for authentication (those were AI generated, they are very complete)

Closes #99

This also fixes some minor issues:

  • The first one being that the current test setup was not fully functional, because the backend pod AND the browser had to reach "localhost:8080", which was not possible (for the backend, because it was reaching itself instead of Keycloak)
  • Fixed an issue with the example keycloak client created. It did not seem like the "PUBLIC" client was working in the dev setup, so I forced a "PRIVATE" one.
  • An optional OIDC_DISCOVERY_URL variable was added to be able to give a separate "discovery" endpoint to the backend than the one the browser will use. (Useful for people who wish to use an internal URL for the backend to reach)
  • Applied autoformat (prettier-eslint with default configuration) on the files I edited for better readability

Note

This was fully tested with the exact setup in the docker-compose.yml and the docker-compose.oidc.yml. In the keycloak, I just manually created one "admins" group, with one user inside, and created a protocol mapper for the groups in the client (default scopes)
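To make the mapping semantics described above concrete, here is an added example (not the PR's own code, and not this project's API) of how the per-request admin check can be evaluated with IdP groups as the source of truth. The function names, the comma-separated format of `OIDC_ADMIN_GROUPS`, and dotted-path claim lookup are assumptions; the claims object is assumed to come from an already signature-verified token.

```javascript
// Added example: evaluate OIDC admin-group mapping on every request.
// Assumptions: OIDC_ADMIN_GROUPS is comma-separated; OIDC_GROUPS_CLAIM may be a
// dotted path such as "groups" or "realm_access.roles"; claims are pre-verified.

// Parse the two variables. The mapping is only "enabled" when both are set, so a
// half-configured deployment falls back to the stored flag instead of guessing.
function parseAdminMappingConfig(env) {
  const groupsClaim = (env.OIDC_GROUPS_CLAIM || "").trim();
  const adminGroups = (env.OIDC_ADMIN_GROUPS || "")
    .split(",")
    .map((g) => g.trim())
    .filter((g) => g.length > 0);
  const enabled = groupsClaim !== "" && adminGroups.length > 0;
  return { groupsClaim, adminGroups, enabled };
}

// Walk a dotted path through the decoded claims; undefined if any segment is absent.
function getClaim(claims, path) {
  return path.split(".").reduce((node, key) => {
    if (node === null || typeof node !== "object") return undefined;
    return Object.prototype.hasOwnProperty.call(node, key) ? node[key] : undefined;
  }, claims);
}

// Normalise the claim value to a list of group names. A string counts as one
// group; non-string entries are dropped, so a malformed claim yields no groups.
function extractGroups(claims, groupsClaim) {
  const value = getClaim(claims, groupsClaim);
  if (typeof value === "string") return [value];
  if (Array.isArray(value)) return value.filter((v) => typeof v === "string");
  return [];
}

// Decide admin status for this request (call it on every route, as the PR does):
//  - mapping disabled: the stored flag applies (first-user bootstrap, manual promotion)
//  - mapping enabled: only IdP group membership counts; the stored flag is ignored
//    and a missing or empty claim fails closed (not admin).
function resolveIsAdmin(claims, config, storedIsAdmin) {
  if (!config.enabled) return Boolean(storedIsAdmin);
  const groups = extractGroups(claims, config.groupsClaim);
  return groups.some((g) => config.adminGroups.includes(g));
}

// Constructed sample: a token whose groups claim lists "admins" and "devs".
const sampleClaims = { sub: "user-1", groups: ["admins", "devs"] };
const sampleConfig = parseAdminMappingConfig({
  OIDC_GROUPS_CLAIM: "groups",
  OIDC_ADMIN_GROUPS: "admins",
});
resolveIsAdmin(sampleClaims, sampleConfig, false); // true: group membership wins
```

The last case worth checking in a review is the "stored flag ignored" path: a user manually promoted before the mapping was switched on loses admin as soon as the variables are set, which is exactly the behaviour the Caution block above warns about.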

@ebuildy

ebuildy commented Mar 19, 2026

Amazing PR, we strongly need this feature in our team, many thanks 😊

@BoxBoxJason BoxBoxJason force-pushed the feat/sso-admin-support branch from fb58d56 to f78809e March 22, 2026 01:13
@ZimengXiong ZimengXiong added type:security Security or access-control issue priority:p2 Important, but not urgent area:oidc OIDC and SSO integration labels Apr 1, 2026
@ZimengXiong ZimengXiong self-assigned this Apr 2, 2026
@ZimengXiong
Owner

Looks good! I will do a full review in a bit, currently not planned as part of the next release (resolving p1 comes first). Expecting to merge this next week.

@BoxBoxJason BoxBoxJason force-pushed the feat/sso-admin-support branch 3 times, most recently from f78809e to 9e75ad0 April 3, 2026 13:26
@ZimengXiong ZimengXiong self-requested a review April 7, 2026 05:52
@ZimengXiong
Owner

Still interested in this, and this is the path I want to use for #99

The main thing I want here is OIDC admin-group mapping with role reconciliation, so IdP groups stay the source of truth after login too.

What I don't want in the same PR is the extra local dev / compose / Keycloak setup work (separate into another PR if you're interested). Please try to narrow this down to:

  • admin-group mapping
  • role reconciliation
  • minimal config/docs/tests

Thanks!

@BoxBoxJason
Author

Hey there!

Thanks for the review and for your interest,

Is it ok if I just comment the edited values in the compose / dev setup?
Those changes were actually required for the dev Keycloak setup to work (on my machine at least).

@BoxBoxJason BoxBoxJason force-pushed the feat/sso-admin-support branch 2 times, most recently from 5bec08f to e5627dd April 15, 2026 16:10
@BoxBoxJason
Author

Please tell me what you think about this revised version with comments in for optional (SSO) values in the docker-compose.yml file.

If you want me to remove values in some files, please point out the files to me.

@ZimengXiong
Owner

Looks good, LGTM

@BoxBoxJason BoxBoxJason force-pushed the feat/sso-admin-support branch from e5627dd to f6f789c April 21, 2026 15:54
@BoxBoxJason
Author

BoxBoxJason commented Apr 22, 2026

Hey there,

I just performed the rebase and fixed the introduced compatibility issues.
Everything has been tested again and is functional.

Do you think it could be included in the next release?

Owner

Thanks, I'll review it soon and likely include it in the next release (prob this weekend)

Signed-off-by: BoxBoxJason <contact@boxboxjason.dev>
@ZimengXiong ZimengXiong force-pushed the feat/sso-admin-support branch from fd57347 to 4832a2d April 27, 2026 15:16
@ZimengXiong ZimengXiong merged commit b98b10f into ZimengXiong:main Apr 27, 2026