Merge pull request #144 from anirbandas18/main

issue-137-Add-Keycloak-Authentication-Support

Author: devondragon

.vscode/settings.json

@@ -9,5 +9,5 @@
     "debug.javascript.defaultRuntimeExecutable": {
         "pwa-node": "/Users/devon/.local/share/mise/shims/node"
     },
-    "python.defaultInterpreterPath": "/Users/devon/.local/share/mise/shims/python"
+    "python.defaultInterpreterPath": "/Users/devon/.local/share/mise/installs/python/3.13.1/bin/python"
 }

CHANGELOG.md

@@ -1,3 +1,12 @@
+## [3.0.1] - 2025-02-01
+### Features
+- The controller path mappings are now configurable.
+
+### Fixes
+- Fixed the bug where the schema.sql file was in a location that caused it to be automatically executed, it has now been migrated from the resources to the db-scripts directory.
+
+
+
 ## [3.0.0] - 2025-01-12
 ### Features
 - Converted project from a simple framework to a Maven library with a separate demo app (#136).

README.md

@@ -41,6 +41,7 @@ The framework provides support for the following features:
 - Database-backed user store using Spring JPA.
 - SSO support for Google
 - SSO support for Facebook
+- SSO support for Keycloak
 - Configuration options to control anonymous access, whitelist URIs, and protect specific URIs requiring a logged-in user session.
 - CSRF protection enabled by default, with example jQuery AJAX calls passing the CSRF token from the Thymeleaf page context.
 - Audit event framework for recording and logging security events, customizable to store audit events in a database or publish them via a REST API.
@@ -54,7 +55,7 @@ The framework provides support for the following features:
 This Framework is now available as a library on Maven Central.  You can add it to your Gradle project by adding the following dependency to your `build.gradle` file:
 
 ```groovy
-implementation 'com.digitalsanctuary:ds-spring-user-framework:3.0.0'
+implementation 'com.digitalsanctuary:ds-spring-user-framework:3.0.1'
 ```
 
 Or to your Maven project by adding it to your `pom.xml` file:
@@ -63,7 +64,7 @@ Or to your Maven project by adding it to your `pom.xml` file:
 <dependency>
     <groupId>com.digitalsanctuary</groupId>
     <artifactId>ds-spring-user-framework</artifactId>
-    <version>3.0.0</version>
+    <version>3.0.1</version>
 </dependency>
 ```
 
@@ -91,7 +92,7 @@ If you set your JPA Hibernate ddl-auto property to "create" it will create the t
 If you are not using automatic schema updates or Flyway, you can set up your database manually using the provided `schema.sql` file:
 
 ```bash
-mysql -u username -p database_name < src/main/resources/schema.sql
+mysql -u username -p database_name < db-scripts/mariadb-schema.sql
 ```
 
 Flyway support will be coming soon. This will allow you to automatically update your database schema as you deploy new versions of your application.
@@ -102,7 +103,7 @@ The framework sends emails for verification links, forgot password flow, etc...
 
 
 ### SSO OAuth2 with Google and Facebook
-The framework supports SSO OAuth2 with Google and Facebook.  To enable this you need to configure the client id and secret for each provider.  This is done in the application.yml (or application.properties) file using the [Spring Security OAuth2 properties](https://docs.spring.io/spring-security/reference/servlet/oauth2/login/core.html). You can see the example configuration in the Demo Project's `application.yml` file.
+The framework supports SSO OAuth2 with Google, Facebook and Keycloak.  To enable this you need to configure the client id and secret for each provider.  This is done in the application.yml (or application.properties) file using the [Spring Security OAuth2 properties](https://docs.spring.io/spring-security/reference/servlet/oauth2/login/core.html). You can see the example configuration in the Demo Project's `application.yml` file.
 
 Here is a quick example for your reference:
 
@@ -120,9 +121,13 @@ spring:
             client-id: YOUR_FACEBOOK_CLIENT_ID
             client-secret: YOUR_FACEBOOK_CLIENT_SECRET
             redirect-uri: "{baseUrl}/login/oauth2/code/facebook"
+          keycloak:
+            client-id: YOUR_KEYCLOAK_CLIENT_ID
+            client-secret: YOUR_KEYCLOAK_CLIENT_SECRET
+            redirect-uri: "{baseUrl}/login/oauth2/code/keycloak"
 ```
 
-For public OAuth you will need a public hostname and HTTPS enabled.  You can use ngrok or Cloudflare tunnels to create a public hostname and tunnel to your local machine during development.  You can then use the ngrok hostname in your Google and Facebook developer console configuration.
+For public OAuth you will need a public hostname and HTTPS enabled.  You can use ngrok or Cloudflare tunnels to create a public hostname and tunnel to your local machine during development.  You can then use the ngrok hostname in your Google, Facebook and Keycloak developer console configuration.
 
 
 

build.gradle

@@ -43,7 +43,7 @@ dependencies {
     compileOnly 'org.springframework.boot:spring-boot-starter-thymeleaf'
     compileOnly "org.springframework.boot:spring-boot-starter-web:$springBootVersion"
     compileOnly 'org.thymeleaf.extras:thymeleaf-extras-springsecurity6:3.1.3.RELEASE'
-    compileOnly 'nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect:3.3.0'
+    compileOnly 'nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect:3.4.0'
 
     // Other dependencies
     runtimeOnly 'org.springframework.boot:spring-boot-devtools'
@@ -52,7 +52,7 @@ dependencies {
     implementation 'org.passay:passay:1.6.6'
     implementation 'com.google.guava:guava:33.4.0-jre'
     compileOnly 'org.springframework.boot:spring-boot-starter-actuator'
-    compileOnly 'jakarta.validation:jakarta.validation-api:3.1.0'
+    compileOnly 'jakarta.validation:jakarta.validation-api:3.1.1'
 
     // Lombok dependencies
     compileOnly "org.projectlombok:lombok:$lombokVersion"

src/main/resources/schema.sql db-scripts/mariadb-schema.sqlsrc/main/resources/schema.sql renamed to db-scripts/mariadb-schema.sql

@@ -64,7 +64,7 @@ CREATE TABLE `user_account` (
   `last_name` VARCHAR(255) DEFAULT NULL,
   `locked` BIT(1) NOT NULL,
   `password` VARCHAR(60) DEFAULT NULL,
-  `provider` ENUM('LOCAL','FACEBOOK','GOOGLE','APPLE') DEFAULT NULL,
+  `provider` ENUM('LOCAL','FACEBOOK','GOOGLE','APPLE','KEYCLOAK') DEFAULT NULL,
   `registration_date` DATETIME(6) DEFAULT NULL,
   `failed_login_attempts` INT(11) NOT NULL,
   `locked_date` DATETIME(6) DEFAULT NULL,

gradle.properties

@@ -1 +1 @@
-version=3.0.1-SNAPSHOT
+version=3.0.2-SNAPSHOT

src/main/java/com/digitalsanctuary/spring/user/controller/UserActionController.java

@@ -21,7 +21,8 @@
 import lombok.extern.slf4j.Slf4j;
 
 /**
- * The UserActionController handles non-API, non-Page requests like token validation links from emails.
+ * The UserActionController handles non-API, non-Page requests like token
+ * validation links from emails.
  */
 @Slf4j
 @RequiredArgsConstructor
@@ -56,20 +57,23 @@ public class UserActionController {
 	private String forgotPasswordChangeURI;
 
 	/**
-	 * Validate a forgot password token link from an email, and if valid, show the change password page.
+	 * Validate a forgot password token link from an email, and if valid, show the
+	 * change password page.
 	 *
 	 * @param request the request
-	 * @param model the model
-	 * @param token the token
+	 * @param model   the model
+	 * @param token   the token
 	 * @return the model and view
 	 */
-	@GetMapping("/user/changePassword")
-	public ModelAndView showChangePasswordPage(final HttpServletRequest request, final ModelMap model, @RequestParam("token") final String token) {
+	@GetMapping("${user.security.changePasswordURI:/user/changePassword}")
+	public ModelAndView showChangePasswordPage(final HttpServletRequest request, final ModelMap model,
+			@RequestParam("token") final String token) {
 		log.debug("UserAPI.showChangePasswordPage: called with token: {}", token);
 		final TokenValidationResult result = userService.validatePasswordResetToken(token);
 		log.debug("UserAPI.showChangePasswordPage:" + "result: {}", result);
 		AuditEvent changePasswordAuditEvent = AuditEvent.builder().source(this).sessionId(request.getSession().getId())
-				.ipAddress(UserUtils.getClientIP(request)).userAgent(request.getHeader("User-Agent")).action("showChangePasswordPage")
+				.ipAddress(UserUtils.getClientIP(request)).userAgent(request.getHeader("User-Agent"))
+				.action("showChangePasswordPage")
 				.actionStatus("Success").message("Requested. Result:" + result).build();
 
 		eventPublisher.publishEvent(changePasswordAuditEvent);
@@ -85,15 +89,16 @@ public ModelAndView showChangePasswordPage(final HttpServletRequest request, fin
 	}
 
 	/**
-	 * Validate a forgot password token link from an email, and if valid, show the registration success page.
+	 * Validate a forgot password token link from an email, and if valid, show the
+	 * registration success page.
 	 *
 	 * @param request the request
-	 * @param model the model
-	 * @param token the token
+	 * @param model   the model
+	 * @param token   the token
 	 * @return the model and view
 	 * @throws UnsupportedEncodingException the unsupported encoding exception
 	 */
-	@GetMapping("/user/registrationConfirm")
+	@GetMapping("${user.security.registrationConfirmURI:/user/registrationConfirm}")
 	public ModelAndView confirmRegistration(final HttpServletRequest request, final ModelMap model,
 			@RequestParam("token") final String token) throws UnsupportedEncodingException {
 		log.debug("UserAPI.confirmRegistration: called with token: {}", token);
@@ -107,8 +112,10 @@ public ModelAndView confirmRegistration(final HttpServletRequest request, final
 				userService.authWithoutPassword(user);
 				userVerificationService.deleteVerificationToken(token);
 
-				AuditEvent registrationAuditEvent = AuditEvent.builder().source(this).user(user).sessionId(request.getSession().getId())
-						.ipAddress(UserUtils.getClientIP(request)).userAgent(request.getHeader("User-Agent")).action("Registration Confirmation")
+				AuditEvent registrationAuditEvent = AuditEvent.builder().source(this).user(user)
+						.sessionId(request.getSession().getId())
+						.ipAddress(UserUtils.getClientIP(request)).userAgent(request.getHeader("User-Agent"))
+						.action("Registration Confirmation")
 						.actionStatus("Success").message("Registration Confirmed. User logged in.").build();
 
 				eventPublisher.publishEvent(registrationAuditEvent);

src/main/java/com/digitalsanctuary/spring/user/controller/UserPageController.java

@@ -27,6 +27,9 @@ public class UserPageController {
 	@Value("${user.registration.googleEnabled}")
 	private boolean googleEnabled;
 
+	@Value("${user.registration.keycloakEnabled}")
+	private boolean keycloakEnabled;
+
 	/**
 	 * Login Page.
 	 *
@@ -36,7 +39,7 @@ public class UserPageController {
 	 *
 	 * @return the string
 	 */
-	@GetMapping("/user/login.html")
+	@GetMapping("${user.security.loginPageURI:/user/login.html}")
 	public String login(@AuthenticationPrincipal DSUserDetails userDetails, HttpSession session, ModelMap model) {
 		log.debug("UserPageController.login:" + "userDetails: {}", userDetails);
 		if (session != null && session.getAttribute("error.message") != null) {
@@ -45,6 +48,7 @@ public String login(@AuthenticationPrincipal DSUserDetails userDetails, HttpSess
 		}
 		model.addAttribute("googleEnabled", googleEnabled);
 		model.addAttribute("facebookEnabled", facebookEnabled);
+		model.addAttribute("keycloakEnabled", keycloakEnabled);
 		return "user/login";
 	}
 
@@ -56,7 +60,7 @@ public String login(@AuthenticationPrincipal DSUserDetails userDetails, HttpSess
 	 * @param model the model
 	 * @return the string
 	 */
-	@GetMapping("/user/register.html")
+	@GetMapping("${user.security.registrationURI:/user/register.html}")
 	public String register(@AuthenticationPrincipal DSUserDetails userDetails, HttpSession session, ModelMap model) {
 		log.debug("UserPageController.register:" + "userDetails: {}", userDetails);
 		if (session != null && session.getAttribute("error.message") != null) {
@@ -65,6 +69,7 @@ public String register(@AuthenticationPrincipal DSUserDetails userDetails, HttpS
 		}
 		model.addAttribute("googleEnabled", googleEnabled);
 		model.addAttribute("facebookEnabled", facebookEnabled);
+		model.addAttribute("keycloakEnabled", keycloakEnabled);
 		return "user/register";
 	}
 
@@ -73,7 +78,7 @@ public String register(@AuthenticationPrincipal DSUserDetails userDetails, HttpS
 	 *
 	 * @return the string
 	 */
-	@GetMapping("/user/registration-pending-verification.html")
+	@GetMapping("${user.security.registrationPendingURI:/user/registration-pending-verification.html}")
 	public String registrationPending() {
 		return "user/registration-pending-verification";
 	}
@@ -87,8 +92,9 @@ public String registrationPending() {
 	 *
 	 * @return the string
 	 */
-	@GetMapping("/user/registration-complete.html")
-	public String registrationComplete(@AuthenticationPrincipal DSUserDetails userDetails, HttpSession session, ModelMap model) {
+	@GetMapping("${user.security.registrationSuccessURI:/user/registration-complete.html}")
+	public String registrationComplete(@AuthenticationPrincipal DSUserDetails userDetails, HttpSession session,
+			ModelMap model) {
 		log.debug("UserPageController.registrationComplete:" + "userDetails: {}", userDetails);
 		return "user/registration-complete";
 	}
@@ -98,7 +104,7 @@ public String registrationComplete(@AuthenticationPrincipal DSUserDetails userDe
 	 *
 	 * @return the string
 	 */
-	@GetMapping("/user/request-new-verification-email.html")
+	@GetMapping("${user.security.registrationNewVerificationURI:/user/request-new-verification-email.html}")
 	public String requestNewVerificationEMail() {
 		return "user/request-new-verification-email";
 	}
@@ -108,7 +114,7 @@ public String requestNewVerificationEMail() {
 	 *
 	 * @return the string
 	 */
-	@GetMapping("/user/forgot-password.html")
+	@GetMapping("${user.security.forgotPasswordURI:/user/forgot-password.html}")
 	public String forgotPassword() {
 		return "user/forgot-password";
 	}
@@ -118,7 +124,7 @@ public String forgotPassword() {
 	 *
 	 * @return the string
 	 */
-	@GetMapping("/user/forgot-password-pending-verification.html")
+	@GetMapping("${user.security.forgotPasswordPendingURI:/user/forgot-password-pending-verification.html}")
 	public String forgotPasswordPendingVerification() {
 		return "user/forgot-password-pending-verification";
 	}
@@ -128,7 +134,7 @@ public String forgotPasswordPendingVerification() {
 	 *
 	 * @return the string
 	 */
-	@GetMapping("/user/forgot-password-change.html")
+	@GetMapping("${user.security.forgotPasswordChangeURI:/user/forgot-password-change.html}")
 	public String forgotPasswordChange() {
 		return "user/forgot-password-change";
 	}
@@ -140,8 +146,9 @@ public String forgotPasswordChange() {
 	 * @param model the model
 	 * @return String
 	 */
-	@GetMapping("/user/update-user.html")
-	public String updateUser(@AuthenticationPrincipal DSUserDetails userDetails, final HttpServletRequest request, final ModelMap model) {
+	@GetMapping("${user.security.updateUserURI:/user/update-user.html}")
+	public String updateUser(@AuthenticationPrincipal DSUserDetails userDetails, final HttpServletRequest request,
+			final ModelMap model) {
 		if (userDetails != null) {
 			User user = userDetails.getUser();
 			UserDto userDto = new UserDto();
@@ -157,7 +164,7 @@ public String updateUser(@AuthenticationPrincipal DSUserDetails userDetails, fin
 	 *
 	 * @return the string
 	 */
-	@GetMapping("/user/update-password.html")
+	@GetMapping("${user.security.updatePasswordURI:/user/update-password.html}")
 	public String updatePassword() {
 		return "user/update-password";
 	}
@@ -167,7 +174,7 @@ public String updatePassword() {
 	 *
 	 * @return the string
 	 */
-	@GetMapping("/user/delete-account.html")
+	@GetMapping("${user.security.deleteAccountURI:/user/delete-account.html}")
 	public String deleteAccount() {
 		return "user/delete-account";
 	}

src/main/java/com/digitalsanctuary/spring/user/persistence/model/User.java

@@ -40,7 +40,12 @@ public enum Provider {
 		/**
 		 * Login using Apple as the authentication provider.
 		 */
-		APPLE
+		APPLE,
+
+		/**
+		 * Login using Keycloak as the authentication provider.
+		 */
+		KEYCLOAK
 	}
 
 	/** The id. */

src/main/java/com/digitalsanctuary/spring/user/security/WebSecurityConfig.java

@@ -6,6 +6,8 @@
 import java.util.Collections;
 import java.util.List;
 import java.util.stream.Collectors;
+
+import com.digitalsanctuary.spring.user.service.DSOidcUserService;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.context.annotation.Bean;
@@ -113,6 +115,7 @@ public class WebSecurityConfig {
 	private final LogoutSuccessService logoutSuccessService;
 	private final RolesAndPrivilegesConfig rolesAndPrivilegesConfig;
 	private final DSOAuth2UserService dsOAuth2UserService;
+	private final DSOidcUserService dsOidcUserService;
 
 	/**
 	 *
@@ -183,7 +186,10 @@ private void setupOAuth2(HttpSecurity http) throws Exception {
 					request.getSession().setAttribute("error.message", exception.getMessage());
 					response.sendRedirect(loginPageURI);
 					// handler.onAuthenticationFailure(request, response, exception);
-				}).userInfoEndpoint(userInfo -> userInfo.userService(dsOAuth2UserService)));
+				}).userInfoEndpoint(userInfo -> {
+					userInfo.userService(dsOAuth2UserService);
+					userInfo.oidcUserService(dsOidcUserService);
+				}));
 	}
 
 	// Commenting this out to try adding /error to the unprotected URIs list instead