Skip to content

Add keycloak as oidc provider and remove non-standard fields from keycloaks response #395

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
krokosik merged 2 commits into from
Sep 30, 2025
Merged

Add keycloak as oidc provider and remove non-standard fields from keycloaks response #395

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e0b69d3
Add keycloak as oidc provider and remove non-standard fields from key…
beposec Sep 23, 2025
1716ffa
Migrate eslint to oxlint
beposec Sep 29, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions .env.example
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,12 @@ AUTHENTIK_ID=
AUTHENTIK_SECRET=
AUTHENTIK_ISSUER=

# Keycloak Providder : https://next-auth.js.org/providers/keycloak
# Issuer: should include the realm – e.g. https://my-keycloak-domain.com/realms/My_Realm
KEYCLOAK_ID=
KEYCLOAK_SECRET=
KEYCLOAK_ISSUER=

# OIDC Provider
# The (lowercase) name will be used to generate an id and possibly display an icon if it is added in https://github.com/oss-apps/split-pro/blob/main/src/pages/auth/signin.tsx#L25
# If your provider is not added, simpleicon probably has it and you may submit a PR
Expand Down
6 changes: 6 additions & 0 deletions src/env.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,9 @@ export const env = createEnv({
AUTHENTIK_ID: z.string().optional(),
AUTHENTIK_SECRET: z.string().optional(),
AUTHENTIK_ISSUER: z.string().optional(),
KEYCLOAK_ID: z.string().optional(),
KEYCLOAK_SECRET: z.string().optional(),
KEYCLOAK_ISSUER: z.string().optional(),
R2_ACCESS_KEY: z.string().optional(),
R2_SECRET_KEY: z.string().optional(),
R2_BUCKET: z.string().optional(),
Expand Down Expand Up @@ -97,6 +100,9 @@ export const env = createEnv({
AUTHENTIK_ID: process.env.AUTHENTIK_ID,
AUTHENTIK_SECRET: process.env.AUTHENTIK_SECRET,
AUTHENTIK_ISSUER: process.env.AUTHENTIK_ISSUER,
KEYCLOAK_ID: process.env.KEYCLOAK_ID,
KEYCLOAK_SECRET: process.env.KEYCLOAK_SECRET,
KEYCLOAK_ISSUER: process.env.KEYCLOAK_ISSUER,
R2_ACCESS_KEY: process.env.R2_ACCESS_KEY,
R2_SECRET_KEY: process.env.R2_SECRET_KEY,
R2_BUCKET: process.env.R2_BUCKET,
Expand Down
43 changes: 40 additions & 3 deletions src/server/auth.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,10 +2,11 @@ import { PrismaAdapter } from '@next-auth/prisma-adapter';
import { type GetServerSidePropsContext } from 'next';
import type { User } from 'next-auth';
import { type DefaultSession, type NextAuthOptions, getServerSession } from 'next-auth';
import { type Adapter, type AdapterUser } from 'next-auth/adapters';
import { type Adapter, type AdapterUser, type AdapterAccount } from 'next-auth/adapters';
import AuthentikProvider from 'next-auth/providers/authentik';
import EmailProvider from 'next-auth/providers/email';
import GoogleProvider from 'next-auth/providers/google';
import KeycloakProvider from 'next-auth/providers/keycloak';

import { env } from '~/env';
import { db } from '~/server/db';
Expand Down Expand Up @@ -44,7 +45,7 @@ const SplitProPrismaAdapter = (...args: Parameters<typeof PrismaAdapter>): Adapt
return {
...prismaAdapter,
createUser: (user: Omit<AdapterUser, 'id'>): Promise<AdapterUser> => {
// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
// oxlint-disable-next-line typescript/no-unsafe-assignment
const prismaCreateUser = prismaAdapter.createUser;

if (env.INVITE_ONLY) {
Expand All @@ -56,9 +57,34 @@ const SplitProPrismaAdapter = (...args: Parameters<typeof PrismaAdapter>): Adapt
throw new Error('Prisma Adapter lacks User Creation');
}

// eslint-disable-next-line @typescript-eslint/no-unsafe-return, @typescript-eslint/no-unsafe-call
// oxlint-disable-next-line typescript/no-unsafe-return, typescript/no-unsafe-call
return prismaCreateUser(user);
},
linkAccount: async (account: AdapterAccount) => {
// oxlint-disable-next-line typescript/no-unsafe-assignment
const originalLinkAccount = prismaAdapter.linkAccount;

if (!originalLinkAccount) {
throw new Error('Adapter is missing the linkAccount method.');
}

if (account.provider === 'keycloak') {
// Keycloak provides some non-standard fields that do not exist in the prisma schema.
// We strip them out before passing them on to the original adapter.
const {
['not-before-policy']: _notBeforePolicy,
refresh_expires_in: _refresh_expires_in,
// keep the rest
...standardAccountData
} = account as unknown as Record<string, unknown>;

// oxlint-disable-next-line typescript/no-unsafe-return
return originalLinkAccount(standardAccountData as AdapterAccount);
}

// Default: proceed directly
return originalLinkAccount(account);
},
} as Adapter;
};

Expand Down Expand Up @@ -197,6 +223,17 @@ function getProviders() {
);
}

if (env.KEYCLOAK_ID && env.KEYCLOAK_SECRET && env.KEYCLOAK_ISSUER) {
providersList.push(
KeycloakProvider({
clientId: env.KEYCLOAK_ID,
clientSecret: env.KEYCLOAK_SECRET,
issuer: env.KEYCLOAK_ISSUER,
allowDangerousEmailAccountLinking: true,
}),
);
}

if (env.OIDC_CLIENT_ID && env.OIDC_CLIENT_SECRET && env.OIDC_WELL_KNOWN_URL) {
providersList.push({
id: env.OIDC_NAME?.toLowerCase() ?? 'oidc',
Expand Down