Add demo realm

.github/workflows/pytest.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: ["3.11", "3.12"]
+        python-version: ["3.11", "3.14"]
 
     steps:
     - uses: actions/checkout@v2

.gitlab-ci.maxiv.yml

@@ -4,7 +4,7 @@ include:
     file: "/PreCommit.gitlab-ci.yml"
   - project: kits-maxiv/kubernetes/k8s-gitlab-ci
     file: "/Docker-Helm-deploy.gitlab-ci.yml"
-    ref: "0.6"
+    ref: "0.8"
 
 # Override workflow rules to deploy on any branch
 workflow:
@@ -25,28 +25,27 @@ stages:
   - .post
 
 variables:
-  DOCKER_REGISTRY_URL: "harbor.maxiv.lu.se/notify-server"
-  HELM_CHART_REPO: oci://harbor.maxiv.lu.se/notify-server/charts
+  BUILDAH_CACHE: "true"
   HELM_CHART_NAME: notify-server
   HELM_RELEASE_NAMESPACE_TEST: notify
   HELM_RELEASE_NAMESPACE_PROD: notify
   PIPELINES_FF_TOKENIZER: "true"
-  PRODUCTION_BRANCH_NAME: "master"
+  PRODUCTION_BRANCH_NAME: "main"
   PRODUCTION_DEPLOY_ON_TAG: "true"
   HELM_SET_PROD_ingress_host: "notify.maxiv.lu.se"
-  HELM_SET_TEST_ingress_host: "notify-test-${CI_COMMIT_BRANCH}.apps.okdev.maxiv.lu.se"
+  HELM_SET_TEST_ingress_host: "notify-test.apps.okdev.maxiv.lu.se" # This URL needs to be registered on the OIDC provider as valid redirect URI
   HELM_SET_PROD_image_repository: "__from_env_var:REGISTRY_IMAGE_NAME"
   HELM_SET_PROD_image_tag: "__from_env_var:REGISTRY_IMAGE_TAG"
   HELM_SET_TEST_image_repository: "__from_env_var:REGISTRY_IMAGE_NAME"
   HELM_SET_TEST_image_tag: "__from_env_var:REGISTRY_IMAGE_TAG"
   GITLAB_ENVIRONMENT_NAME: notify
 
 # Test with latest versions of requirements
-test-python311:
+test-python314:
   stage: test
   tags:
     - kubernetes
-  image: harbor.maxiv.lu.se/dockerhub/library/python:3.11
+  image: harbor.maxiv.lu.se/dockerhub/library/python:3.14
   before_script:
     - pip install -e .[tests]
   script:

.gitlab-ci.yml

@@ -5,9 +5,9 @@ include:
   - remote: 'https://gitlab.esss.lu.se/ics-infrastructure/gitlab-ci-yml/raw/master/Docker.gitlab-ci.yml'
 
 
-test-python311:
+test-python314:
   stage: test
-  image: python:3.11
+  image: docker.io/library/python:3.14
   before_script:
     - pip install -e .[tests]
   script:

.pre-commit-config.yaml

@@ -1,15 +1,15 @@
 repos:
   - repo: https://github.com/astral-sh/ruff-pre-commit
     # Ruff version.
-    rev: v0.9.9
+    rev: v0.14.9
     hooks:
       # Run the linter.
-      - id: ruff
+      - id: ruff-check
       # Run the formatter.
       - id: ruff-format
 
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.15.0
+    rev: v1.19.1
     hooks:
       - id: mypy
         additional_dependencies:

Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.11-slim as base
+FROM docker.io/library/python:3.14-slim as base
 
 # Install Python dependencies in an intermediate image
 # as some requires a compiler (psycopg2)

README.md

@@ -37,21 +37,90 @@ To be able to login, at least the following variables shall be overwritten:
 - LDAP_HOST
 - LDAP_USER_DN
 
-Refer to the default values defined in the [Ansible role](https://gitlab.esss.lu.se/ics-ansible-galaxy/ics-ans-role-ess-notify-server/-/blob/master/defaults/main.yml)
-and in the [ess_notify_servers](https://csentry.esss.lu.se/network/groups/view/ess_notify_servers) group in CSEntry.
+### OpenID Connect with Automatic Realm Discovery for Mobile Apps
+
+The implementation provides two OIDC-related endpoints used by mobile clients:
+
+- GET /api/v1/realm-discovery/?type=<real|demo> — discover which realm and
+  client to use for a given app "type".
+- POST /api/v1/open_id_connect?realm=<realm> — exchange an OIDC authorization
+  code (server performs token/userinfo calls, validates id_token and issues a
+  local access token).
+
+Exact environment variables used by the implementation
+
+- `OIDC_ENABLED` (bool) — enable OIDC features
+- `OIDC_BASE_URL` (string) — base Keycloak URL (e.g. https://keycloak.example.org/auth)
+- `OIDC_DEFAULT_REALM` (string) — default realm used
+- `OIDC_CLIENT_ID`, `OIDC_CLIENT_SECRET` — default client credentials
+- `OIDC_SCOPE` — scope used when requesting userinfo
+- `OIDC_DEMO_REALM`, `OIDC_DEMO_CLIENT_ID`, `OIDC_DEMO_CLIENT_SECRET` — demo realm/client values
+
+Realm discovery (mobile client)
+
+Request
+```http
+GET /api/v1/realm-discovery/?type=real
+```
+
+Response (implemented schema)
+```json
+{
+  "realm": "company-realm",
+  "authorization_endpoint": "https://keycloak.example.org/auth/realms/company-realm/protocol/openid-connect/auth",
+  "token_endpoint": "https://keycloak.example.org/auth/realms/company-realm/protocol/openid-connect/token",
+  "client_id": "notify",
+  "type": "real"
+}
+```
+
+Notes
+- The endpoint expects the query parameter `type` (alias for the internal
+  `RealmType` enum). The implementation maps types to realms using
+  `deps.REALM_BY_TYPE` and exposes client IDs from `deps.CLIENT_BY_REALM`.
+- The discovery response provides `authorization_endpoint` and `token_endpoint`
+  (not a single discovery URI), and the `client_id` the mobile app should
+  include in the initial authorization request.
+
+OpenID Connect token exchange (mobile -> server)
+
+After the mobile app completes the OIDC authorization code flow (using the
+`client_id` provided and PKCE), the app should POST the authorization code to
+the server which will perform the token/userinfo exchange and create a local
+access token for the app.
+
+Request
+```http
+POST /api/v1/open_id_connect?realm=company-realm
+Content-Type: application/json
+
+{
+  "code": "authorization_code",
+  "code_verifier": "pkce_verifier",
+  "client_id": "notify",
+  "redirect_uri": "app://callback"
+}
+```
+
+Behavior
+- The server posts the code to the realm's token endpoint and validates the
+  returned id_token (using the realm's JWKS).
+- Client secrets for token exchanges are looked up server-side from
+  `deps.CLIENT_BY_REALM_TYPE`; mobile apps MUST NOT embed client secrets.
+
 
 ## Development
 
 ### Virtual environment
 
-Python >= 3.6 is required.
+Python >= 3.11 is required.
 Create a virtual environment and install the requirements:
 
 ```bash
 python3 -m venv .venv
 source .venv/bin/activate
 pip install -r requirements.txt
-pip install -e .[tests]
+pip install -e ".[tests]"
 ```
 
 When using sqlite, it's not possible to run `alembic` for database migration

app/api/login.py

@@ -1,14 +1,14 @@
 import httpx
 from datetime import datetime, timedelta, timezone
-from fastapi import APIRouter, Depends, HTTPException, Response, Request, status
+from fastapi import APIRouter, Depends, HTTPException, Response, Request, status, Query
 from fastapi.security import OAuth2PasswordRequestForm
 from fastapi.logger import logger
 from sqlalchemy.orm import Session
 from .. import deps, crud, utils, auth, schemas
 from ..settings import (
     ACCESS_TOKEN_EXPIRE_MINUTES,
-    OIDC_CLIENT_SECRET,
     OIDC_SCOPE,
+    OIDC_ENABLED,
 )
 
 router = APIRouter()
@@ -51,10 +51,12 @@ async def open_id_connect(
     db: Session = Depends(deps.get_db),
 ):
     """Login using OpenID Connect Authentication Code flow from mobile client"""
-    oidc_config = request.state.oidc_config
+    realm = oidc_auth.realm
+    oidc_config = request.state.oidc_config[realm]
+    jwks_client = request.state.jwks_client[realm]
     data = {
         "client_id": oidc_auth.client_id,
-        "client_secret": OIDC_CLIENT_SECRET,
+        "client_secret": deps.CLIENT_BY_REALM_TYPE[realm]["client_secret"],
         "code": oidc_auth.code,
         "code_verifier": oidc_auth.code_verifier,
         "grant_type": "authorization_code",
@@ -92,8 +94,8 @@ async def open_id_connect(
             utils.validate_id_token(
                 id_token,
                 access_token,
-                request.state.jwks_client,
-                request.state.oidc_config["id_token_signing_alg_values_supported"],
+                jwks_client,
+                oidc_config["id_token_signing_alg_values_supported"],
                 oidc_auth.client_id,
             )
         except Exception as e:
@@ -105,7 +107,7 @@ async def open_id_connect(
         headers = {"Authorization": f"Bearer {access_token}"}
         data = {
             "client_id": oidc_auth.client_id,
-            "client_secret": OIDC_CLIENT_SECRET,
+            "client_secret": deps.CLIENT_BY_REALM_TYPE[realm]["client_secret"],
             "scope": OIDC_SCOPE,
         }
         logger.info("Retrieving user info.")
@@ -131,3 +133,40 @@ async def open_id_connect(
             )
         username = response.json()["preferred_username"].lower()
     return create_access_token(db, username, response)
+
+
+@router.get(
+    "/realm-discovery/",
+    status_code=status.HTTP_200_OK,
+    response_model=schemas.RealmDiscoveryResponse,
+)
+def get_realm(
+    request: Request,
+    realm_type: schemas.RealmType = Query(..., alias="type"),
+) -> schemas.RealmDiscoveryResponse:
+    """
+    Discover the appropriate Keycloak realm for a realm type.
+
+    Mobile apps should call this endpoint first to determine which realm to authenticate against.
+    The response includes all necessary OIDC endpoints and configuration for the discovered realm.
+
+    """
+    if not OIDC_ENABLED:
+        raise HTTPException(
+            status_code=status.HTTP_405_METHOD_NOT_ALLOWED,
+            detail="OIDC is not enabled",
+        )
+
+    # Discover realm
+    realm = deps.REALM_BY_TYPE[realm_type]
+    oidc_config = request.state.oidc_config[realm_type]
+
+    response = schemas.RealmDiscoveryResponse(
+        realm=realm,
+        authorization_endpoint=oidc_config["authorization_endpoint"],
+        token_endpoint=oidc_config["token_endpoint"],
+        client_id=deps.CLIENT_BY_REALM_TYPE[realm_type]["client_id"],
+        type=realm_type,
+    )
+
+    return response

app/api/services.py

@@ -12,6 +12,7 @@
 from sqlalchemy.orm import Session
 from typing import List, Optional
 from .. import deps, crud, models, schemas, utils
+from ..settings import DEMO_ACCOUNT_USERNAME
 
 router = APIRouter()
 
@@ -22,7 +23,7 @@ def read_services(
     current_user: models.User = Depends(deps.get_current_user),
 ):
     """Read all services"""
-    if current_user.username == "demo":
+    if current_user.username == DEMO_ACCOUNT_USERNAME:
         db_services = crud.get_services(db, demo=True)
     else:
         db_services = crud.get_services(db)

app/auth.py

@@ -12,12 +12,12 @@
     LDAP_BASE_DN,
     LDAP_USER_DN,
 )
-from .settings import DEMO_ACCOUNT_PASSWORD
+from .settings import DEMO_ACCOUNT_PASSWORD, DEMO_ACCOUNT_USERNAME
 
 
 def authenticate_user(username: str, password: str) -> bool:
     """Return True if the authentication is successful, False otherwise"""
-    if username == "demo" and password == str(DEMO_ACCOUNT_PASSWORD):
+    if username == DEMO_ACCOUNT_USERNAME and password == str(DEMO_ACCOUNT_PASSWORD):
         return True
     if AUTHENTICATION_METHOD == "ldap":
         return ldap_authenticate_user(username, password)

app/crud.py

@@ -5,7 +5,7 @@
 from sqlalchemy.orm import Session
 from typing import List, Optional
 from . import models, schemas
-from .settings import ADMIN_USERS, DEMO_ACCOUNT_SERVICE
+from .settings import ADMIN_USERS, DEMO_ACCOUNT_SERVICE, DEMO_ACCOUNT_USERNAME
 
 
 def get_users(db: Session):
@@ -136,7 +136,7 @@ def delete_service(db: Session, service: models.Service) -> None:
 
 def get_user_services(db: Session, user: models.User) -> List[schemas.UserService]:
     """Return all services for the user sorted by category"""
-    if user.username == "demo":
+    if user.username == DEMO_ACCOUNT_USERNAME:
         services = get_services(db, demo=True)
     else:
         services = get_services(db)

app/deps.py

@@ -9,19 +9,40 @@
 from .database import SessionLocal
 from .settings import (
     OIDC_NAME,
-    OIDC_SERVER_URL,
+    OIDC_BASE_URL,
     OIDC_CLIENT_ID,
     OIDC_CLIENT_SECRET,
     OIDC_SCOPE,
+    OIDC_DEFAULT_REALM,
+    OIDC_DEMO_REALM,
+    OIDC_DEMO_CLIENT_ID,
+    OIDC_DEMO_CLIENT_SECRET,
 )
+from . import schemas
+
+
+REALM_BY_TYPE = {
+    schemas.RealmType.demo: OIDC_DEMO_REALM,
+    schemas.RealmType.real: OIDC_DEFAULT_REALM,
+}
+CLIENT_BY_REALM_TYPE = {
+    schemas.RealmType.demo: {
+        "client_id": OIDC_DEMO_CLIENT_ID,
+        "client_secret": OIDC_DEMO_CLIENT_SECRET,
+    },
+    schemas.RealmType.real: {
+        "client_id": OIDC_CLIENT_ID,
+        "client_secret": OIDC_CLIENT_SECRET,
+    },
+}
 
 oauth2_scheme = OAuth2PasswordBearer(tokenUrl="login")
 oauth = OAuth()
 oauth.register(
     OIDC_NAME,
     client_id=OIDC_CLIENT_ID,
     client_secret=str(OIDC_CLIENT_SECRET),
-    server_metadata_url=OIDC_SERVER_URL,
+    server_metadata_url=f"{OIDC_BASE_URL}/realms/{OIDC_DEFAULT_REALM}/.well-known/openid-configuration",
     client_kwargs={"scope": OIDC_SCOPE},
 )