feat: add Keycloak OIDC integration #3340

Draft
boehlke wants to merge 4 commits into OpenSlides:feature/relational-db from kryptance:feature/keycloak-oidc

@boehlke commented Feb 19, 2026

Summary

  • OIDC token validator with JWKS verification and Keycloak admin client factory
  • oidc-provision and who-am-i endpoints for OIDC session management
  • Redis session invalidation for OIDC backchannel logout
  • Sync user CRUD operations to Keycloak via Admin API
  • Migration 0101: migrate existing users to Keycloak with Argon2 password hashes
  • Migration 0102: add keycloak_id to user view
  • Comprehensive integration tests (backchannel logout, user migration, user sync)

Context

This is the largest PR in the Keycloak OIDC integration series. Structured as 3 commits:

  1. Core: HTTP endpoints, OIDC validator, Keycloak admin client, auth adapter, schema
  2. User sync + migrations: Keycloak sync mixin, user actions, migrations 0101/0102
  3. Tests: Integration tests for all Keycloak functionality

Related PRs:

  • openslides-auth-service: #918 (osauthlib with OIDC)
  • openslides-go: #170 (Go OIDC auth)
  • openslides-proxy: #35 (Traefik middleware)

🤖 Generated with Claude Code

boehlke and others added 3 commits February 19, 2026 07:58
- OIDC token validator with JWKS verification
- Keycloak admin client factory for Admin API operations
- oidc-provision and who-am-i endpoints
- Redis session invalidation for OIDC backchannel logout
- Auth adapter extensions for OIDC token validation
- PostgreSQL schema updates for keycloak_id column

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Sync user CRUD operations to Keycloak via Admin API (keycloak_sync_mixin)
- Save Keycloak account action for user provisioning
- Migration 0101: migrate existing users to Keycloak with Argon2 password hashes
- Migration 0102: add keycloak_id to user view

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Backchannel logout tests
- User migration tests (Argon2 hash import)
- User sync tests (CRUD operations to Keycloak)
- Update existing system tests for Keycloak-aware base classes

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Move theme color serving from autoupdate-service to backend presenter,
as it's a simple DB query that doesn't use autoupdate-specific features.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@hjanott deleted the branch OpenSlides:feature/relational-db February 20, 2026 18:40
@hjanott closed this Feb 20, 2026
@hjanott reopened this Feb 23, 2026