feat(idp): add keycloak-first support with authentik fallback

2026-04-01 00:41:38 +08:00
parent febfafc55c
commit 34ba57034d
22 changed files with 458 additions and 123 deletions
--- a/backend/app/core/config.py
+++ b/backend/app/core/config.py
@@ -27,6 +27,20 @@ class Settings(BaseSettings):
    authentik_client_secret: str = ""
    authentik_token_endpoint: str = ""
    authentik_userinfo_endpoint: str = ""
+    # Keycloak (preferred when configured)
+    keycloak_base_url: str = ""
+    keycloak_realm: str = ""
+    keycloak_verify_tls: bool = True
+    keycloak_issuer: str = ""
+    keycloak_jwks_url: str = ""
+    keycloak_audience: str = ""
+    keycloak_client_id: str = ""
+    keycloak_client_secret: str = ""
+    keycloak_token_endpoint: str = ""
+    keycloak_userinfo_endpoint: str = ""
+    keycloak_admin_client_id: str = ""
+    keycloak_admin_client_secret: str = ""
+    keycloak_admin_realm: str = ""

    public_frontend_origins: Annotated[list[str], NoDecode] = ["https://member.ose.tw"]
    internal_shared_secret: str = ""
@@ -57,6 +71,80 @@ class Settings(BaseSettings):
            f"{self.db_user}:{self.db_password}@{self.db_host}:{self.db_port}/{self.db_name}"
        )

+    @property
+    def use_keycloak(self) -> bool:
+        return bool(self.keycloak_base_url and self.keycloak_realm)
+
+    @property
+    def idp_base_url(self) -> str:
+        if self.use_keycloak:
+            return self.keycloak_base_url.rstrip("/")
+        return self.authentik_base_url.rstrip("/")
+
+    @property
+    def idp_verify_tls(self) -> bool:
+        if self.use_keycloak:
+            return self.keycloak_verify_tls
+        return self.authentik_verify_tls
+
+    @property
+    def idp_issuer(self) -> str:
+        if self.use_keycloak:
+            if self.keycloak_issuer:
+                return self.keycloak_issuer.rstrip("/")
+            return f"{self.idp_base_url}/realms/{self.keycloak_realm}"
+        return self.authentik_issuer.rstrip("/")
+
+    @property
+    def idp_jwks_url(self) -> str:
+        if self.use_keycloak:
+            if self.keycloak_jwks_url:
+                return self.keycloak_jwks_url
+            return f"{self.idp_issuer}/protocol/openid-connect/certs"
+        return self.authentik_jwks_url
+
+    @property
+    def idp_audience(self) -> str:
+        if self.use_keycloak:
+            return self.keycloak_audience or self.keycloak_client_id
+        return self.authentik_audience or self.authentik_client_id
+
+    @property
+    def idp_client_id(self) -> str:
+        if self.use_keycloak:
+            return self.keycloak_client_id
+        return self.authentik_client_id
+
+    @property
+    def idp_client_secret(self) -> str:
+        if self.use_keycloak:
+            return self.keycloak_client_secret
+        return self.authentik_client_secret
+
+    @property
+    def idp_token_endpoint(self) -> str:
+        if self.use_keycloak:
+            if self.keycloak_token_endpoint:
+                return self.keycloak_token_endpoint
+            return f"{self.idp_issuer}/protocol/openid-connect/token"
+        return self.authentik_token_endpoint or (f"{self.idp_base_url}/application/o/token/" if self.idp_base_url else "")
+
+    @property
+    def idp_userinfo_endpoint(self) -> str:
+        if self.use_keycloak:
+            if self.keycloak_userinfo_endpoint:
+                return self.keycloak_userinfo_endpoint
+            return f"{self.idp_issuer}/protocol/openid-connect/userinfo"
+        return self.authentik_userinfo_endpoint or (
+            f"{self.idp_base_url}/application/o/userinfo/" if self.idp_base_url else ""
+        )
+
+    @property
+    def idp_authorize_endpoint(self) -> str:
+        if self.use_keycloak:
+            return f"{self.idp_issuer}/protocol/openid-connect/auth"
+        return f"{self.idp_base_url}/application/o/authorize/" if self.idp_base_url else ""
+

@lru_cache
 def get_settings() -> Settings: