Merge fc9a888e38 into bd2408fcc4

2026-02-06 14:11:48 +00:00 · 2026-02-06 11:07:57 +01:00 · 2026-02-06 11:07:57 +01:00 · 2e0df04a55
commit 2e0df04a55
parent bd2408fcc4 fc9a888e38
3 changed files with 39 additions and 17 deletions
--- a/src/app/core/authentication/oauth.config.ts
+++ b/src/app/core/authentication/oauth.config.ts
@ -69,21 +69,35 @@ function getOIDCConfig(): AuthConfig {
 }

 /**
- * Creates the configuration required for classic OAuth2 providers (e.g., Fineract).
+ * Creates the configuration required for classic OAuth2 providers (e.g., Fineract, Keycloak).
 * @returns {AuthConfig} OAuth2 configuration block.
 */
 function getOAuth2Config(): AuthConfig {
  const frontendUrl = window.location.origin;
+  const { serverUrl, authorizeUrl, tokenUrl, redirectUri, scope, appId } = environment.oauth;
+  const normalizedServerUrl = serverUrl?.replace(/\/$/, '') || '';
+
+  // Allow custom Keycloak realm via MIFOS_OAUTH_REALM (defaults to master)
+  const keycloakRealm = (window as any)['env']?.['MIFOS_OAUTH_REALM'] || 'master';
+  const resolvedAuthorizeUrl =
+    authorizeUrl || `${normalizedServerUrl}/auth/realms/${keycloakRealm}/protocol/openid-connect/auth`;
+  const resolvedTokenUrl =
+    tokenUrl || `${normalizedServerUrl}/auth/realms/${keycloakRealm}/protocol/openid-connect/token`;
+  const resolvedRedirectUri = redirectUri || `${frontendUrl}/#/callback`;
+  const resolvedScope = scope || 'openid profile email';
+
+  // For Keycloak, issuer should be the realm URL for correct OAuth2 semantics
+  const issuerUrl = authorizeUrl ? normalizedServerUrl : `${normalizedServerUrl}/auth/realms/${keycloakRealm}`;

  return {
-    issuer: environment.oauth.serverUrl,
-    loginUrl: environment.oauth.authorizeUrl,
-    tokenEndpoint: environment.oauth.tokenUrl,
-    redirectUri: environment.oauth.redirectUri,
+    issuer: issuerUrl,
+    loginUrl: resolvedAuthorizeUrl,
+    tokenEndpoint: resolvedTokenUrl,
+    redirectUri: resolvedRedirectUri,
    postLogoutRedirectUri: `${frontendUrl}/#/login`,
-    clientId: environment.oauth.appId,
+    clientId: appId,
    responseType: 'code',
-    scope: environment.oauth.scope,
+    scope: resolvedScope,
    useSilentRefresh: false,
    oidc: false,
    // Skip issuer validation for OAuth2 (non-OIDC) flows
--- a/src/environments/environment.prod.ts
+++ b/src/environments/environment.prod.ts
@ -36,14 +36,18 @@ export const environment = {
  apiActuator: loadedEnv.apiActuator || '/fineract-provider',
  serverUrl: '',
  oauth: {
-    enabled: loadedEnv.oauthServerEnabled === true,
-    serverUrl: loadedEnv.oauthServerUrl || '',
+    // Support legacy MIFOS_OAUTH_* variable names for backward compatibility with Keycloak
+    enabled:
+      loadedEnv.oauthServerEnabled === true ||
+      String(loadedEnv.oauthServerEnabled).toLowerCase() === 'true' ||
+      String(loadedEnv['MIFOS_OAUTH_SERVER_ENABLED']).toLowerCase() === 'true',
+    serverUrl: loadedEnv.oauthServerUrl || loadedEnv['MIFOS_OAUTH_SERVER_URL'] || '',
    logoutUrl: loadedEnv.oauthServerLogoutUrl || '',
-    appId: loadedEnv.oauthAppId || '',
+    appId: loadedEnv.oauthAppId || loadedEnv['MIFOS_OAUTH_CLIENT_ID'] || '',
    authorizeUrl: loadedEnv.oauthAuthorizeUrl || '',
    tokenUrl: loadedEnv.oauthTokenUrl || '',
-    redirectUri: loadedEnv.oauthRedirectUri || '',
-    scope: loadedEnv.oauthScope || ''
+    redirectUri: loadedEnv.oauthRedirectUri || `${window.location.origin}/#/callback`,
+    scope: loadedEnv.oauthScope || 'openid profile email'
  },
  /** Feature flag for Remember Me functionality */
  enableRememberMe: false,
--- a/src/environments/environment.ts
+++ b/src/environments/environment.ts
@ -40,14 +40,18 @@ export const environment = {
  /** Feature flag for Remember Me functionality */
  enableRememberMe: false,
  oauth: {
-    enabled: loadedEnv.oauthServerEnabled === true,
-    serverUrl: loadedEnv.oauthServerUrl || '',
+    // Support legacy MIFOS_OAUTH_* variable names for backward compatibility with Keycloak
+    enabled:
+      loadedEnv.oauthServerEnabled === true ||
+      String(loadedEnv.oauthServerEnabled).toLowerCase() === 'true' ||
+      String(loadedEnv.MIFOS_OAUTH_SERVER_ENABLED).toLowerCase() === 'true',
+    serverUrl: loadedEnv.oauthServerUrl || loadedEnv.MIFOS_OAUTH_SERVER_URL || '',
    logoutUrl: loadedEnv.oauthServerLogoutUrl || '',
-    appId: loadedEnv.oauthAppId || '',
+    appId: loadedEnv.oauthAppId || loadedEnv.MIFOS_OAUTH_CLIENT_ID || '',
    authorizeUrl: loadedEnv.oauthAuthorizeUrl || '',
    tokenUrl: loadedEnv.oauthTokenUrl || '',
-    redirectUri: loadedEnv.oauthRedirectUri || '',
-    scope: loadedEnv.oauthScope || ''
+    redirectUri: loadedEnv.oauthRedirectUri || `${window.location.origin}/#/callback`,
+    scope: loadedEnv.oauthScope || 'openid profile email'
  },
  warningDialog: {
    title: 'Warning',