refactor(keycloak): remove authentik naming and switch to keycloak-only paths
@@ -1,7 +1,7 @@
# Backend TaskPlan
## 待辦
- [ ] 補 Authentik SMTP 通知流程(密碼設定/重設寄信)
- [ ] 補 Keycloak SMTP 通知流程(密碼設定/重設寄信)
- [ ] 補 `/admin/members` 關鍵操作審計日誌
- [ ] 補更多 API 測試(members username/password reset 路徑)
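Review bot: the audit-log item `- [ ] 補 `/admin/members` 關鍵操作審計日誌` stays open in this hunk while the same TaskPlan already lists `POST /admin/members/{user_sub}/password/reset` as done; a temporary-password reset is exactly the kind of privileged action that should be recorded, so consider raising that TODO above the SMTP notification item being renamed here, or at least noting it as a prerequisite before the Keycloak password set/reset mail flow ships.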
@@ -11,7 +11,7 @@
## 已完成
- [x] `/admin/*` 改為 Bearer + admin 群組管控(`ADMIN_REQUIRED_GROUPS`)
- [x] 管理 API 完成 systems/modules/companies/sites/members/permission-groups CRUD
- [x] 會員 upsert/update 可同步 Authentik
- [x] 會員 upsert/update 可同步 Keycloak
- [x] 會員資料新增 `username` 欄位,與 `display_name` 分離
- [x] 新增 `POST /admin/members/{user_sub}/password/reset`
- [x] DB 新增 `users.username`(含 migration 腳本)
@@ -111,7 +111,7 @@ Response:
"items": [
{
"id": "uuid",
"user_sub": "authentik-uid",
"user_sub": "idp-uid",
"username": "chris",
"email": "chris@ose.tw",
"display_name": "Chris",
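Review bot: the example value change `"user_sub": "authentik-uid"` to `"user_sub": "idp-uid"` is vaguer than the commit title ("keycloak-only paths") warrants; say that `user_sub` is the OIDC `sub` claim issued by Keycloak. More importantly, rows already stored with an Authentik-issued sub will not match Keycloak-issued subs for the same person, and the TaskPlan only mentions a migration for `users.username`, so the doc should state how existing `user_sub` values are migrated or mapped when the IdP is switched.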
@@ -128,7 +128,7 @@ Response:
Request:
```json
{
"user_sub": "authentik-uid",
"user_sub": "idp-uid",
"username": "chris",
"email": "chris@ose.tw",
"display_name": "Chris",
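Review bot: this Request body lets the caller supply `"user_sub": "idp-uid"` directly; the doc should state whether the backend validates that value against Keycloak (or derives it from the Keycloak user it syncs) instead of storing the client-provided subject as-is, since the identity binding of the member record otherwise rests entirely on the admin caller's input. A one-line note under `Request:` on the expected source of `user_sub` would resolve it.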
@@ -140,7 +140,7 @@ Response:
```json
{
"id": "uuid",
"user_sub": "authentik-uid",
"user_sub": "idp-uid",
"idp_user_id": "idp-user-id-or-uuid",
"username": "chris",
"email": "chris@ose.tw",
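Review bot: the response now carries both `"user_sub": "idp-uid"` and `"idp_user_id": "idp-user-id-or-uuid"`, and the "or" in the second example leaves the relationship undefined. With Keycloak as the only IdP, state which Keycloak attribute each field holds (token `sub` versus the Keycloak user id), whether they can differ, and which one the `/admin/members/{user_sub}/...` routes key on, so consumers do not conflate the two.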
@@ -153,7 +153,7 @@ Response:
Response:
```json
{
"user_sub": "authentik-uid",
"user_sub": "idp-uid",
"permissions": [
{
"scope_type": "site",
@@ -167,11 +167,11 @@ Response:
```
### POST `/internal/idp/users/ensure`
(相容路徑:`/internal/authentik/users/ensure`)
(相容路徑:`/internal/idp/users/ensure`)
Request:
```json
{
"user_sub": "authentik-uid",
"user_sub": "idp-uid",
"email": "user@example.com",
"username": "user1",
"display_name": "User One",
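Review bot: after this change the line `(相容路徑:`/internal/idp/users/ensure`)` names the same path as the heading `### POST `/internal/idp/users/ensure``, so it no longer documents a compatibility alias at all. If the old `/internal/authentik/users/ensure` route was removed from the backend in this commit, delete the line and call the removal out as a breaking change for internal callers still using it; if the old route is still served, keep the old path listed here instead.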
@@ -16,16 +16,15 @@ npm run dev
## 3) 重要環境變數
- `backend/.env.development`
- `ADMIN_REQUIRED_GROUPS=member-admin`
- 優先使用 `KEYCLOAK_*`(若有設定 `KEYCLOAK_BASE_URL + KEYCLOAK_REALM`)
- 未設定 Keycloak 時,才使用 `AUTHENTIK_*` 備援
- `KEYCLOAK_*`
## 4) 基本檢查
- `GET http://127.0.0.1:8000/healthz`
- 登入後打 `GET /admin/members` 應可回資料
- 登入後打 `GET /me` 應可回資料
- 非 admin 群組帳號打 `/admin/*` 應回 `403`
## 5) 會員流程驗收
1. 新增會員(username/email/display_name,開啟 sync_to_authentik;此旗標目前代表「同步到外部 IdP」)
1. 新增會員(開啟 `sync_to_idp`)
2. 確認列表可看到新會員與 `user_sub`
3. 點「重設密碼」,取得臨時密碼
4. 到 Keycloak(或 Authentik)驗證該會員可用新密碼登入
4. 到 Keycloak 驗證該會員可用新密碼登入
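Review bot: the replacement line `- `KEYCLOAK_*`` drops the only concrete variable names the section had; the removed lines mentioned `KEYCLOAK_BASE_URL` and `KEYCLOAK_REALM` and the precedence rule over `AUTHENTIK_*`, so with the fallback gone the section should list the `KEYCLOAK_*` variables the backend actually reads and which of them are required for startup. In the acceptance steps, step 1 changes the flag from `sync_to_authentik` to `sync_to_idp`, but none of the API doc hunks in this commit show that request field; state whether the old flag name is still accepted or whether existing callers must be updated.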
@@ -11,7 +11,7 @@
## 目前狀態
- 架構:公司/站台/會員 + 系統/模組 + 群組整合權限(已定版)
- 後台安全:Auth token + admin 群組檢查(`ADMIN_REQUIRED_GROUPS`)
- 會員流程:member 新增/更新可同步 Authentik,並支援重設密碼
- 會員流程:member 新增/更新可同步 Keycloak,並支援重設密碼
## 單一真實來源
- DB SQL:`backend/scripts/init_schema.sql`