From fc9a888e38be0f052ab3805ea4b9022ee17478c9 Mon Sep 17 00:00:00 2001
From: JaySoni1
Date: Mon, 5 Jan 2026 05:38:40 +0530
Subject: [PATCH] WEB-551 Fix Oauth (Keycloak)

---
 src/app/core/authentication/oauth.config.ts | 28 +++++++++++++++------
 src/environments/environment.prod.ts | 14 +++++++----
 src/environments/environment.ts | 14 +++++++----
 3 files changed, 39 insertions(+), 17 deletions(-)

diff --git a/src/app/core/authentication/oauth.config.ts b/src/app/core/authentication/oauth.config.ts
index 877429b42..d1a61c588 100644
--- a/src/app/core/authentication/oauth.config.ts
+++ b/src/app/core/authentication/oauth.config.ts
@@ -61,21 +61,35 @@ function getOIDCConfig(): AuthConfig {
 }
 /**
- * Creates the configuration required for classic OAuth2 providers (e.g., Fineract).
+ * Creates the configuration required for classic OAuth2 providers (e.g., Fineract, Keycloak).
 * @returns {AuthConfig} OAuth2 configuration block.
 */
 function getOAuth2Config(): AuthConfig {
 const frontendUrl = window.location.origin;
+ const { serverUrl, authorizeUrl, tokenUrl, redirectUri, scope, appId } = environment.oauth;
+ const normalizedServerUrl = serverUrl?.replace(/\/$/, '') || '';
+
+ // Allow custom Keycloak realm via MIFOS_OAUTH_REALM (defaults to master)
+ const keycloakRealm = (window as any)['env']?.['MIFOS_OAUTH_REALM'] || 'master';
+ const resolvedAuthorizeUrl =
+ authorizeUrl || `${normalizedServerUrl}/auth/realms/${keycloakRealm}/protocol/openid-connect/auth`;
+ const resolvedTokenUrl =
+ tokenUrl || `${normalizedServerUrl}/auth/realms/${keycloakRealm}/protocol/openid-connect/token`;
+ const resolvedRedirectUri = redirectUri || `${frontendUrl}/#/callback`;
+ const resolvedScope = scope || 'openid profile email';
+
+ // For Keycloak, issuer should be the realm URL for correct OAuth2 semantics
+ const issuerUrl = authorizeUrl ? normalizedServerUrl : `${normalizedServerUrl}/auth/realms/${keycloakRealm}`;
 return {
- issuer: environment.oauth.serverUrl,
- loginUrl: environment.oauth.authorizeUrl,
- tokenEndpoint: environment.oauth.tokenUrl,
- redirectUri: environment.oauth.redirectUri,
+ issuer: issuerUrl,
+ loginUrl: resolvedAuthorizeUrl,
+ tokenEndpoint: resolvedTokenUrl,
+ redirectUri: resolvedRedirectUri,
 postLogoutRedirectUri: `${frontendUrl}/#/login`,
- clientId: environment.oauth.appId,
+ clientId: appId,
 responseType: 'code',
- scope: environment.oauth.scope,
+ scope: resolvedScope,
 useSilentRefresh: false,
 oidc: false,
 // Skip issuer validation for OAuth2 (non-OIDC) flows
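Review bot: `keycloakRealm`, read from `window.env` on the `const keycloakRealm = …` line, is interpolated into the authorize, token and issuer URLs without any check, so a value containing `/`, `?` or `#` changes which path the browser is sent to for login and where the authorization code is exchanged; restrict it to an identifier before use, e.g. `const realmEnv: unknown = (window as any)['env']?.['MIFOS_OAUTH_REALM'];` followed by `const keycloakRealm = typeof realmEnv === 'string' && /^[\w-]+$/.test(realmEnv) ? realmEnv : 'master';`, which also stops the untyped `as any` lookup from flowing straight into the URLs. The Keycloak fallbacks are applied independently of each other: with only `authorizeUrl` configured (the Fineract case the docstring still names), `tokenUrl` silently defaults to a Keycloak path under `serverUrl`, so either apply the realm-based defaults only when both endpoints are unset or throw when exactly one is given. The `/auth/realms/…` prefix matches the legacy Keycloak layout; on Keycloak 17+ with default settings the realm path is `/realms/…`, so the base path presumably needs to be configurable as well. The function body and the `// Skip issuer validation` comment continue past the end of the hunk.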
diff --git a/src/environments/environment.prod.ts b/src/environments/environment.prod.ts
index 8bb7a37ac..6f5ceb435 100644
--- a/src/environments/environment.prod.ts
+++ b/src/environments/environment.prod.ts
@@ -26,14 +26,18 @@ export const environment = {
 apiActuator: loadedEnv.apiActuator || '/fineract-provider',
 serverUrl: '',
 oauth: {
- enabled: loadedEnv.oauthServerEnabled === true,
- serverUrl: loadedEnv.oauthServerUrl || '',
+ // Support legacy MIFOS_OAUTH_* variable names for backward compatibility with Keycloak
+ enabled:
+ loadedEnv.oauthServerEnabled === true ||
+ String(loadedEnv.oauthServerEnabled).toLowerCase() === 'true' ||
+ String(loadedEnv['MIFOS_OAUTH_SERVER_ENABLED']).toLowerCase() === 'true',
+ serverUrl: loadedEnv.oauthServerUrl || loadedEnv['MIFOS_OAUTH_SERVER_URL'] || '',
 logoutUrl: loadedEnv.oauthServerLogoutUrl || '',
- appId: loadedEnv.oauthAppId || '',
+ appId: loadedEnv.oauthAppId || loadedEnv['MIFOS_OAUTH_CLIENT_ID'] || '',
 authorizeUrl: loadedEnv.oauthAuthorizeUrl || '',
 tokenUrl: loadedEnv.oauthTokenUrl || '',
- redirectUri: loadedEnv.oauthRedirectUri || '',
- scope: loadedEnv.oauthScope || ''
+ redirectUri: loadedEnv.oauthRedirectUri || `${window.location.origin}/#/callback`,
+ scope: loadedEnv.oauthScope || 'openid profile email'
 },
 /** Feature flag for Remember Me functionality */
 enableRememberMe: false,
diff --git a/src/environments/environment.ts b/src/environments/environment.ts
index c64c95606..39750d9c7 100644
--- a/src/environments/environment.ts
+++ b/src/environments/environment.ts
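Review bot: The first disjunct of the new `enabled` expression, `loadedEnv.oauthServerEnabled === true ||`, is redundant because `String(true).toLowerCase() === 'true'` already covers the boolean case, so the condition can drop to the two `String(…)` checks. The legacy `MIFOS_OAUTH_*` names are read with bracket access here but with dot access in the `environment.ts` hunk below; use one form in both files so the two environments stay line-for-line comparable, and since only `SERVER_ENABLED`, `SERVER_URL` and `CLIENT_ID` receive aliases while `logoutUrl`, `authorizeUrl` and `tokenUrl` do not, the comment should say so if that is intentional, e.g. `// Legacy MIFOS_OAUTH_* aliases: only SERVER_ENABLED, SERVER_URL and CLIENT_ID are mapped`. The `redirectUri` and `scope` defaults added here are the same literals `getOAuth2Config` in `oauth.config.ts` falls back to, so with these environments that fallback can no longer trigger; keeping the default in a single place avoids the two copies drifting. The same points apply to the `environment.ts` hunk that follows.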
@@ -32,14 +32,18 @@ export const environment = {
 /** Feature flag for Remember Me functionality */
 enableRememberMe: false,
 oauth: {
- enabled: loadedEnv.oauthServerEnabled === true,
- serverUrl: loadedEnv.oauthServerUrl || '',
+ // Support legacy MIFOS_OAUTH_* variable names for backward compatibility with Keycloak
+ enabled:
+ loadedEnv.oauthServerEnabled === true ||
+ String(loadedEnv.oauthServerEnabled).toLowerCase() === 'true' ||
+ String(loadedEnv.MIFOS_OAUTH_SERVER_ENABLED).toLowerCase() === 'true',
+ serverUrl: loadedEnv.oauthServerUrl || loadedEnv.MIFOS_OAUTH_SERVER_URL || '',
 logoutUrl: loadedEnv.oauthServerLogoutUrl || '',
- appId: loadedEnv.oauthAppId || '',
+ appId: loadedEnv.oauthAppId || loadedEnv.MIFOS_OAUTH_CLIENT_ID || '',
 authorizeUrl: loadedEnv.oauthAuthorizeUrl || '',
 tokenUrl: loadedEnv.oauthTokenUrl || '',
- redirectUri: loadedEnv.oauthRedirectUri || '',
- scope: loadedEnv.oauthScope || ''
+ redirectUri: loadedEnv.oauthRedirectUri || `${window.location.origin}/#/callback`,
+ scope: loadedEnv.oauthScope || 'openid profile email'
 },
 warningDialog: {
 title: 'Warning',