feat(management-api): Integrate Keycloak Auth and CDA Token Passthrough#10

Draft
vairav wants to merge 2 commits into main from feature/management-api-keycloak-integration

Conversation


@vairav vairav commented Feb 2, 2026

Summary

  • Integrates Keycloak OIDC authentication into the Management API
  • Adds CDA service for fetching users/roles from CWMS Data API
  • Implements token passthrough from Management API to CDA
  • Adds comprehensive unit tests for CLI modules

Changes

Management API

  • KeycloakAuthService (new): Handles login, logout, refresh, and JWKS-based token validation
  • CdaService (new): Fetches users and roles from CWMS Data API with auth token passthrough
  • auth.middleware.ts: Updated to validate tokens via Keycloak JWKS instead of placeholder logic
  • auth.ts routes: Updated login/logout/refresh endpoints to use Keycloak
  • users.ts/roles.ts routes: Added token extraction and passthrough to CdaService

CLI

  • cwms-admin.sh: New wrapper script for running CLI via tsx during development
  • project.json: Updated build configuration

Configuration

  • docker-compose.podman.yml: Added Keycloak environment variables (KEYCLOAK_URL, KEYCLOAK_REALM, KEYCLOAK_CLIENT_ID) and fixed CDA_API_URL

Tests

  • validation.test.ts: 32 unit tests for createRoleSchema and createUserSchema
  • config.test.ts: 11 unit tests for getConfig, saveConfig, and clearConfig

Test Plan

  • All 64 CLI unit tests pass
  • Login endpoint returns valid Keycloak token
  • Token validation works via JWKS
  • Users/roles endpoints pass token to CDA service

Notes

The CWMS Data API may return 401 if its issuer configuration doesn't match the Keycloak container network URL. This is a deployment configuration issue, not a code issue.

- Add KeycloakAuthService for OIDC authentication (login, logout, refresh, JWKS validation)
- Add CdaService for fetching users/roles from CWMS Data API
- Update auth middleware to validate tokens via Keycloak JWKS
- Update routes to extract and pass auth tokens to CDA service
- Add Keycloak environment variables to docker-compose
- Add CLI wrapper script for development (tsx-based)
- Add 43 unit tests for CLI validation and config modules
- Extract shared extractAuthToken utility to reduce duplication
- Simplify routes that return 501 by removing unnecessary try/catch
- Remove trivial unit tests that test framework behavior
- Add integration test suite for management-api authentication flow
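The JWKS-based token validation and token extraction the PR describes, as an added TypeScript example that is not the PR's or the project's own code: a framework-free sketch of what an auth middleware's core does with a Keycloak-issued RS256 token. The realm URL, client id, and the JWKS and claim shapes are assumptions, and the signing key is generated in-process as a constructed stand-in for the realm key; the only name taken from the page is extractAuthToken.

```typescript
import { createPublicKey, generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

// Minimal view of a JWKS document (RFC 7517) as served by a Keycloak realm's certs endpoint.
type Jwks = { keys: Array<{ kid: string; kty: string; n?: string; e?: string }> };
type Claims = Record<string, unknown> & { iss?: string; aud?: string | string[]; exp?: number };
const enc = (o: object): string => Buffer.from(JSON.stringify(o)).toString("base64url");
const dec = (s: string): any => JSON.parse(Buffer.from(s, "base64url").toString("utf8"));

// Shared helper (the PR's commits name one): bearer token from an Authorization header, else null.
export function extractAuthToken(authorization: string | undefined): string | null {
  const m = /^Bearer\s+([A-Za-z0-9_.-]+)$/.exec(authorization ?? "");
  return m ? m[1] : null;
}

// Validate an RS256 JWT against a JWKS: pick the key by kid, then check signature,
// issuer, audience and expiry. Throws on any failure so the caller can answer 401.
export function validateToken(token: string, jwks: Jwks, issuer: string, audience: string,
                              now: number = Math.floor(Date.now() / 1000)): Claims {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  const header = dec(h);
  if (header.alg !== "RS256") throw new Error("unexpected alg"); // allow-list; never accept "none"
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === "RSA");
  if (!jwk) throw new Error("unknown kid");
  const key = createPublicKey({ key: { kty: "RSA", n: jwk.n, e: jwk.e }, format: "jwk" });
  if (!verify("sha256", Buffer.from(`${h}.${p}`), key, Buffer.from(s, "base64url")))
    throw new Error("bad signature");
  const claims: Claims = dec(p);
  // An expected issuer that differs from what the IdP writes into `iss` (container-network
  // URL vs. external URL) fails here: the 401 described in the PR notes.
  if (claims.iss !== issuer) throw new Error("issuer mismatch");
  const aud: unknown[] = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(audience)) throw new Error("audience mismatch");
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("token expired");
  return claims;
}

// Constructed fixture: a throwaway RSA key pair stands in for the Keycloak realm signing key.
const { publicKey, privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
const pub = publicKey.export({ format: "jwk" });
export const ISSUER = "http://keycloak:8080/realms/cwms"; // hypothetical realm URL
export const AUDIENCE = "management-api";                 // hypothetical client id
export const JWKS: Jwks = { keys: [{ kid: "k1", kty: "RSA", n: pub.n as string, e: pub.e as string }] };

// Mint a token the way the IdP would; constructed only to exercise validateToken offline.
export function mintToken(claims: Claims, kid = "k1", signer: KeyObject = privateKey): string {
  const unsigned = `${enc({ alg: "RS256", typ: "JWT", kid })}.${enc(claims)}`;
  return `${unsigned}.${sign("sha256", Buffer.from(unsigned), signer).toString("base64url")}`;
}
```

In the real middleware the JWKS comes from the realm's certs endpoint and should be cached, with a refetch on an unknown kid so that key rotation does not lock users out.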