Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
45 commits
Select commit Hold shift + click to select a range
1b58710
Move auth flow to backend
jurei733 Oct 2, 2025
2f78970
Update the README with a new section explaining the Keycloak OAuth2 A…
jurei733 Oct 9, 2025
28a73a1
Fixes security issue for the untrusted URL redirect vulnerability
jurei733 Nov 19, 2025
8b6e31d
Fixes the type confusion vulnerability in the auth controller callbac…
jurei733 Nov 19, 2025
86655e0
Fixes the server-side URL redirect vulnerability in the authenticatio…
jurei733 Nov 19, 2025
7d8c25d
Ensure that JWT_SECRET infrastructure is dismantled since Keycloak no…
jurei733 Nov 19, 2025
64ac27a
Fix the authentication crash issue by adding safe decodeURIComponent …
jurei733 Nov 19, 2025
7ac621e
Fix the authentication callback error handling issue
jurei733 Nov 19, 2025
3e81d6a
Refactor that Keycloak configuration values (keycloakUrl, keycloakRea…
jurei733 Nov 19, 2025
d888815
Configure the routing through environment variables instead of hard-c…
jurei733 Nov 19, 2025
d72a4b3
Remove processing of obsolete environment variable 'JWT_SECRET'
svwolter Jan 30, 2026
0ec62e3
Rename 'KEYCLOAK_URL' to 'OIDC_PROVIDER_URL'
svwolter Feb 2, 2026
54779ac
Rename 'KEYCLOAK_REALM' to 'OIDC_REALM'
svwolter Feb 2, 2026
001af2c
Rename 'KEYCLOAK_CLIENT_ID' to 'OAUTH2_CLIENT_ID'
svwolter Feb 2, 2026
58d0675
Rename 'KEYCLOAK_CLIENT_SECRET' to 'OAUTH2_CLIENT_SECRET'
svwolter Feb 2, 2026
d1e9055
Generalize Keycloak integration to OIDC
svwolter Feb 3, 2026
d5f93c8
Roll back the 'Nginx OIDC runtime configuration'
svwolter Feb 3, 2026
2e4f1b9
Delete obsolete docker compose environment variable 'API_HOST'
svwolter Feb 5, 2026
9f87dee
Revise processing of docker compose environment variable 'BACKEND_CAL…
svwolter Feb 5, 2026
fcaa61a
Revise docker compose environment files
svwolter Feb 6, 2026
9b8d134
Revise install script
svwolter Feb 9, 2026
983ef4e
Add initial coding box keycloak realm
svwolter Feb 17, 2026
727a0f1
Move auth flow to backend
jurei733 Oct 2, 2025
d4f81e6
Implement PKCE support for OIDC authentication flow, overhaul backend…
jurei733 Mar 10, 2026
0f67081
Add keycloak dev environment
svwolter Mar 23, 2026
9a99ec8
Add Postgres 14 image pull to dev makefile
jurei733 Mar 27, 2026
8755d81
Add "admin" role to coding-box-realm configuration
jurei733 Mar 27, 2026
62b1de8
Update README with Keycloak realm setup and timestamp replacement steps
jurei733 Apr 11, 2026
8f48dc4
Add comprehensive documentation for OIDC authentication flow, includi…
jurei733 Apr 11, 2026
4af14cc
Remove unnecessary "peer" field entries and dependency "path-to-regex…
jurei733 Apr 11, 2026
84c7f1e
Add initial .env file with configuration values for Redis, Postgres, …
jurei733 Apr 11, 2026
f6743a5
Update default admin credentials and document them for local developm…
jurei733 Apr 11, 2026
cca4e8f
Refactor workspace creation and testing for consistency and enhanced …
jurei733 Apr 13, 2026
f608ea3
Fix OAuth redirect validation
jurei733 Apr 28, 2026
1d3c521
test: allow docx integration test more time
jurei733 Apr 28, 2026
6640b90
Fix OIDC rebase conflict regressions
jurei733 Jun 1, 2026
548e428
fix backend oidc and workspace token auth
jurei733 Jun 2, 2026
fa84fa1
add replay-safe coding job endpoints
jurei733 Jun 2, 2026
5b9fcb1
update frontend oidc token handling
jurei733 Jun 2, 2026
3863702
configure frontend redirect port in dev compose
jurei733 Jun 2, 2026
21455ff
Resolve develop rebase regressions
jurei733 Jul 3, 2026
9d5e49e
Enforce workspace token scopes
jurei733 Jul 3, 2026
f12dc44
Fix OIDC refresh and workspace token guards
jurei733 Jul 3, 2026
203942c
Fix auth refresh and guard user resolution
jurei733 Jul 3, 2026
d461649
Fix compose OIDC anchors
jurei733 Jul 3, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
51 changes: 51 additions & 0 deletions .env
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
## Version
TAG=latest

## Image Registry Path
# Docker Hub: (aka registry-1.docker.io/) leave REGISTRY_PATH value empty!
# Docker Hub Proxy: scm.cms.hu-berlin.de:443/iqb/dependency_proxy/containers/
# GitLab: scm.cms.hu-berlin.de:4567/iqb/coding-box/
REGISTRY_PATH=scm.cms.hu-berlin.de:443/iqb/dependency_proxy/containers/

## Redis
REDIS_PORT=6379

## Database
POSTGRES_PORT=5432
POSTGRES_USER=root
POSTGRES_PASSWORD=root-password
POSTGRES_DB=coding-box

## Backend
API_PORT=3333
JWT_SECRET=random_string
AUTH_MODE=dev

## Frontend
HTTP_PORT=4200

## Infrastructure
SERVER_NAME=localhost

# OpenID Connect (OIDC)
OIDC_PROVIDER_URL=https://keycloak.kodierbox.iqb.hu-berlin.de
OIDC_ISSUER=https://keycloak.kodierbox.iqb.hu-berlin.de/realms/coding-box
OIDC_ACCOUNT_ENDPOINT=https://keycloak.kodierbox.iqb.hu-berlin.de/realms/coding-box/account
OIDC_AUTHORIZATION_ENDPOINT=https://keycloak.kodierbox.iqb.hu-berlin.de/realms/coding-box/protocol/openid-connect/auth
OIDC_TOKEN_ENDPOINT=https://keycloak.kodierbox.iqb.hu-berlin.de/realms/coding-box/protocol/openid-connect/token
OIDC_USERINFO_ENDPOINT=https://keycloak.kodierbox.iqb.hu-berlin.de/realms/coding-box/protocol/openid-connect/userinfo
OIDC_END_SESSION_ENDPOINT=https://keycloak.kodierbox.iqb.hu-berlin.de/realms/coding-box/protocol/openid-connect/logout
OIDC_JWKS_URI=https://keycloak.kodierbox.iqb.hu-berlin.de/realms/coding-box/protocol/openid-connect/certs
OAUTH2_CLIENT_ID=coding-box
OAUTH2_CLIENT_SECRET=
OAUTH2_REDIRECT_URL=//localhost:3333/api/auth/callback

# Keycloak
## Realm Admin
ADMIN_NAME=admin
ADMIN_PASSWORD=change_me

# Keycloak DB
KEYCLOAK_DB_USER=keycloak
KEYCLOAK_DB_PASSWORD=change_me
KEYCLOAK_DB_NAME=keycloak
15 changes: 14 additions & 1 deletion .env.coding-box.template
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ REGISTRY_PATH=

## Database
POSTGRES_USER=root
POSTGRES_PASSWORD=root-password
POSTGRES_PASSWORD=change_me
POSTGRES_DB=coding-box

## Backend
Expand Down Expand Up @@ -41,3 +41,16 @@ EXPORT_WORKER_MEMORY_LIMIT=3G
## Infrastructure
SERVER_NAME=hostname.de
TRAEFIK_DIR=

# OpenID Connect (OIDC)
OIDC_PROVIDER_URL=https://keycloak.${SERVER_NAME}
OIDC_ISSUER=https://keycloak.${SERVER_NAME}/auth/realms/iqb
OIDC_ACCOUNT_ENDPOINT=https://keycloak.${SERVER_NAME}/auth/realms/iqb/account
OIDC_AUTHORIZATION_ENDPOINT=https://keycloak.${SERVER_NAME}/auth/realms/iqb/protocol/openid-connect/auth
OIDC_TOKEN_ENDPOINT=https://keycloak.${SERVER_NAME}/auth/realms/iqb/protocol/openid-connect/token
OIDC_USERINFO_ENDPOINT=https://keycloak.${SERVER_NAME}/auth/realms/iqb/protocol/openid-connect/userinfo
OIDC_END_SESSION_ENDPOINT=https://keycloak.${SERVER_NAME}/auth/realms/iqb/protocol/openid-connect/logout
OIDC_JWKS_URI=https://keycloak.${SERVER_NAME}/auth/realms/iqb/protocol/openid-connect/certs
OAUTH2_CLIENT_ID=coding-box
OAUTH2_CLIENT_SECRET=change_me
OAUTH2_REDIRECT_URL=//${SERVER_NAME}/api/auth/callback
48 changes: 30 additions & 18 deletions .env.dev.template
Original file line number Diff line number Diff line change
Expand Up @@ -19,24 +19,7 @@ POSTGRES_DB=coding-box
## Backend
API_PORT=3333
JWT_SECRET=random_string
KEYCLOAK_URL=https://keycloak.kodierbox.iqb.hu-berlin.de/
KEYCLOAK_REALM=coding-box
KEYCLOAK_CLIENT_ID=coding-box
KEYCLOAK_CLIENT_SECRET=change_me
OIDC_ISSUER=https://keycloak.kodierbox.iqb.hu-berlin.de/realms/coding-box
OIDC_JWKS_URI=https://keycloak.kodierbox.iqb.hu-berlin.de/realms/coding-box/protocol/openid-connect/certs
WORKSPACE_TOKEN_REPLAY_READ_MAX_DURATION_DAYS=90
ALLOW_LEGACY_WORKSPACE_REPLAY_TOKENS=true
# API backend PostgreSQL connection pool size.
POSTGRES_POOL_MAX=10
# Export worker DB session options. The default disables PostgreSQL JIT for large export queries.
EXPORT_WORKER_PGOPTIONS=-c jit=off
# Dedicated export worker PostgreSQL connection pool size.
EXPORT_WORKER_POSTGRES_POOL_MAX=4
# Coding-list export DB batch size. Smaller batches improve cancel responsiveness for large exports.
EXPORT_CODING_LIST_BATCH_SIZE=500
# Versioned export DB batch size. Smaller batches improve cancel responsiveness for large exports.
EXPORT_VERSIONED_BATCH_SIZE=250
AUTH_MODE=dev
# Optional override if GeoGebra changes the public bundle URL.
# GEOGEBRA_BUNDLE_DOWNLOAD_URL=https://download.geogebra.org/package/geogebra-math-apps-bundle

Expand All @@ -45,3 +28,32 @@ HTTP_PORT=4200

## Infrastructure
SERVER_NAME=localhost

# OpenID Connect (OIDC)
OIDC_PROVIDER_URL=http://${SERVER_NAME}:8080
OIDC_ISSUER=http://${SERVER_NAME}:8080/realms/coding-box
OIDC_ACCOUNT_ENDPOINT=http://${SERVER_NAME}:8080/realms/coding-box/account
OIDC_AUTHORIZATION_ENDPOINT=http://${SERVER_NAME}:8080/realms/coding-box/protocol/openid-connect/auth
OIDC_TOKEN_ENDPOINT=http://keycloak:8080/realms/coding-box/protocol/openid-connect/token
OIDC_USERINFO_ENDPOINT=http://keycloak:8080/realms/coding-box/protocol/openid-connect/userinfo
OIDC_END_SESSION_ENDPOINT=http://keycloak:8080/realms/coding-box/protocol/openid-connect/logout
OIDC_JWKS_URI=http://keycloak:8080/realms/coding-box/protocol/openid-connect/certs
OAUTH2_CLIENT_ID=coding-box
OAUTH2_CLIENT_SECRET=change_me
OAUTH2_REDIRECT_URL=//${SERVER_NAME}:${API_PORT}/api/auth/callback

# Keycloak
## Realm Admin
ADMIN_NAME=admin
ADMIN_PASSWORD=change_me

# Keycloak DB
KEYCLOAK_DB_USER=keycloak
KEYCLOAK_DB_PASSWORD=change_me
KEYCLOAK_DB_NAME=keycloak

# Keycloak Backend Configuration
KEYCLOAK_URL=http://${SERVER_NAME}:8080/
KEYCLOAK_REALM=coding-box
KEYCLOAK_CLIENT_ID=coding-box
KEYCLOAK_CLIENT_SECRET=change_me
3 changes: 3 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,9 @@ docker.env
.DS_Store
Thumbs.db

# Keycloak files
config/keycloak/realm/coding-box-realm.config

# Backend files
auth.constants.ts
database.constants.ts
Expand Down
53 changes: 52 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -51,12 +51,39 @@ Stellen Sie sicher, dass die folgenden Tools auf Ihrem System installiert sind:
cp .env.dev.template .env.dev
```

2. Installieren Sie die Abhängigkeiten:
2. Kopieren Sie die Vorlage der Keycloak-Realm-Konfiguration:

```
cp config/keycloak/realm/coding-box-realm.config.template config/keycloak/realm/coding-box-realm.config
```

3. Ersetzen Sie den Shell-Befehl für den Timestamp durch einen numerischen Wert:

Öffnen Sie die Datei `config/keycloak/realm/coding-box-realm.config` und ersetzen Sie
`CODING_BOX_ADMIN_CREATED_TIMESTAMP=date --utc +"%s%3N"`
durch einen aktuellen Timestamp in Millisekunden, z.B.:
`CODING_BOX_ADMIN_CREATED_TIMESTAMP=1775907461877`

4. Installieren Sie die Abhängigkeiten:

```
npm install
```

5. **Standard-Anmeldedaten für die Entwicklung**

Nach dem Start der Umgebung sind folgende Standard-Anmeldedaten verfügbar:

- **Keycloak Admin Console** (http://localhost:8080/admin):
- Benutzername: `admin`
- Passwort: `change_me`

- **Kodierbox Realm** (http://localhost:8080/realms/coding-box):
- Benutzername: `coding-box-admin`
- Passwort: `change_me`

**Wichtig:** Ändern Sie diese Passwörter nach dem ersten Login aus Sicherheitsgründen.

---

## Entwicklungsprozess
Expand Down Expand Up @@ -214,6 +241,30 @@ und geben Sie danach folgenden Befehl zum Hochfahren der Webanwendung ein:
make coding-box-up
```

## Authentication

### Keycloak Auth Flow (OIDC + PKCE)

Die Anwendung nutzt **Keycloak** als Identity Provider mit dem **OAuth2 Authorization Code Flow** und **PKCE**:

1. **Login starten** (`GET /api/auth/login`): Backend erzeugt `state` und PKCE (`code_verifier`, `code_challenge`) und leitet zum Keycloak‑Login weiter.
2. **Benutzer‑Login**: Nutzer meldet sich bei Keycloak an (Passwort, SSO, etc.).
3. **Callback** (`GET /api/auth/callback`): Keycloak liefert `code` und `state` zurück.
4. **Token‑Exchange**: Backend tauscht `code` gegen Tokens am Keycloak‑Token‑Endpoint, mit PKCE `code_verifier` (ohne Client‑Secret).
5. **Userinfo**: Backend ruft User‑Profil via `userinfo`‑Endpoint ab.
6. **User‑Persistenz**: Nutzer wird in der lokalen DB gespeichert (Identität über `sub`).
7. **Token‑Weitergabe**: Backend leitet den Nutzer zur Frontend‑URL zurück und hängt `token`, `id_token`, `refresh_token` als Query‑Params an.
8. **Frontend‑Session**: Frontend speichert Tokens in `localStorage` und lädt `auth-data` (Arbeitsbereiche).

Details:
- `state` enthält optional die Ziel‑URL (`redirect_uri`) und wird serverseitig geprüft.
- PKCE‑Verifier wird serverseitig kurzzeitig gespeichert (TTL 5 Minuten).
- API‑Requests senden den Access‑Token als `Authorization: Bearer <token>`.
- Logout nutzt `POST /api/auth/logout` und invalidiert die SSO‑Session bei Keycloak.

---

## Additional Information
Nachdem die Prozesse dieser Befehle beendet sind, ist der Edge-Router und das Monitoring aktiv, die Kodierbox
Datenbank eingerichtet, die Kodierbox API und Web-Site ansprechbar.
Ein Zugriff auf den Server über einen Browser sollte dann sofort möglich sein.
Expand Down
Loading