feat(keycloak): M4.3 — Admin API adapter + claim resolver
internal/keycloak/ — Adapter interface with two implementations:
HTTPAdapter pgxpool-style real Admin API client with cached client-
credentials token (auto-refresh, 401 retry).
Mock in-process map for unit tests + dev convenience when
KEYCLOAK_ADMIN_URL is empty. Used by the eachStore harness.
Adapter contract (adapter.go):
CreateOrgAndInvite(ctx, InviteInput) (*InviteResult, error)
Creates a KC organization, an IT_ADMIN user, adds the user as a
member, triggers VERIFY_EMAIL + UPDATE_PASSWORD execute-actions
email. Atomic from the caller's PoV; partial failures surface as
typed errors (ErrOrgConflict, ErrUserConflict, ErrUnauthorized,
ErrUnavailable).
SyncClaims(ctx, userID, Claims) error
Pushes tenant_id / tenant_slug / org_roles / products / plan /
tenant_status into the user's KC attributes — the same shape the
realm's protocol mappers project into JWTs.
Health(ctx) error
Pings /admin/serverinfo; wired into readyz.
Wiring:
POST /v1/tenants now accepts admin_email + admin_name. When set, the
adapter creates the org and invites the user. Response wraps the
tenant with the new TenantCreated{tenant, invite_url} shape so dev
testers can use the action-token URL without waiting for the email.
KC failures DO NOT roll the tenant back — they emit a
keycloak.provision_failed audit event so the operator can resend.
Successful invites emit keycloak.invite_sent.
POST /v1/internal/keycloak/claims resolves a tenant's current claim
bundle. Lookup chain: body.tenant_id → body.tenant_slug →
body.user_attrs.tenant_id → body.user_attrs.tenant_slug. The realm's
protocol mapper calls this at token issuance, or operators on demand.
Config: KEYCLOAK_ADMIN_URL / REALM / CLIENT_ID / CLIENT_SECRET; empty
URL falls back to Mock for dev.
OpenAPI: TenantCreated + Claims schemas added; /v1/internal/keycloak/claims
documented. Contract test extended to cover the new endpoint.
Tests:
internal/keycloak/mock_test.go Mock semantics: conflict surfacing,
FailNext hook, SyncClaims persistence.
internal/server/keycloak_test.go KC provisioning end-to-end via
eachStore: invite_url returned,
mock records, invite_sent audit;
failure path emits provision_failed
but tenant still lands; claims
endpoint resolves via tenant_id /
tenant_slug / user_attrs / 404 / 400.
The real-KC integration test (against a testcontainers-spun KC 26)
lands in a follow-up — gating it behind KEYCLOAK_INTEGRATION=1 + a
slower nightly CI is cleaner than baking 30s+ of KC boot into every PR.
Refs: M4.3
This commit is contained in:
+58
-2
@@ -48,15 +48,22 @@ paths:
|
||||
/v1/tenants:
|
||||
post:
|
||||
summary: Create a tenant.
|
||||
description: |
|
||||
Creates the tenant row, and if `admin_email` is provided, also
|
||||
creates a Keycloak organization + invites the user as IT_ADMIN.
|
||||
Keycloak failures DO NOT roll the tenant back — they emit a
|
||||
`keycloak.provision_failed` audit event so the operator can resend
|
||||
the invite from the KC admin UI.
|
||||
requestBody:
|
||||
required: true
|
||||
content:
|
||||
application/json: { schema: { $ref: "#/components/schemas/TenantCreate" } }
|
||||
responses:
|
||||
"201":
|
||||
description: Created.
|
||||
description: Created. `invite_url` is non-empty when an
|
||||
`admin_email` was passed and Keycloak provisioning succeeded.
|
||||
content:
|
||||
application/json: { schema: { $ref: "#/components/schemas/Tenant" } }
|
||||
application/json: { schema: { $ref: "#/components/schemas/TenantCreated" } }
|
||||
"400": { $ref: "#/components/responses/BadRequest" }
|
||||
"409": { $ref: "#/components/responses/Conflict" }
|
||||
|
||||
@@ -243,6 +250,35 @@ paths:
|
||||
description: Revoked.
|
||||
"404": { $ref: "#/components/responses/NotFound" }
|
||||
|
||||
/v1/internal/keycloak/claims:
|
||||
post:
|
||||
summary: Resolve the up-to-date claim bundle for a user/tenant.
|
||||
description: |
|
||||
Called by Keycloak's protocol mapper at token issuance (or by
|
||||
any operator on demand) to fetch the current tenant_id /
|
||||
tenant_slug / org_roles / products / plan / tenant_status
|
||||
claims. Lookup tries tenant_id, then tenant_slug, then
|
||||
user_attrs.tenant_id, then user_attrs.tenant_slug.
|
||||
requestBody:
|
||||
required: true
|
||||
content:
|
||||
application/json:
|
||||
schema:
|
||||
type: object
|
||||
properties:
|
||||
tenant_id: { type: string, format: uuid }
|
||||
tenant_slug: { type: string }
|
||||
user_attrs:
|
||||
type: object
|
||||
additionalProperties: { type: string }
|
||||
responses:
|
||||
"200":
|
||||
description: Resolved claim bundle.
|
||||
content:
|
||||
application/json: { schema: { $ref: "#/components/schemas/Claims" } }
|
||||
"400": { $ref: "#/components/responses/BadRequest" }
|
||||
"404": { $ref: "#/components/responses/NotFound" }
|
||||
|
||||
/v1/internal/api-keys/verify:
|
||||
post:
|
||||
summary: Verify an API key. Used by headless products. Returns
|
||||
@@ -335,6 +371,17 @@ components:
|
||||
application/json: { schema: { $ref: "#/components/schemas/Error" } }
|
||||
|
||||
schemas:
|
||||
Claims:
|
||||
type: object
|
||||
required: [tenant_id, tenant_slug, plan, tenant_status]
|
||||
properties:
|
||||
tenant_id: { type: string, format: uuid }
|
||||
tenant_slug: { type: string }
|
||||
org_roles: { type: array, items: { type: string } }
|
||||
products: { type: array, items: { type: string } }
|
||||
plan: { type: string }
|
||||
tenant_status: { type: string, enum: [demo, trial, active, frozen, archived] }
|
||||
|
||||
Error:
|
||||
type: object
|
||||
required: [error]
|
||||
@@ -370,6 +417,15 @@ components:
|
||||
plan: { type: string, default: starter }
|
||||
kind: { type: string, enum: [customer, demo], default: customer }
|
||||
sales_owner: { type: string }
|
||||
admin_email: { type: string, format: email, description: "IT_ADMIN to invite via Keycloak" }
|
||||
admin_name: { type: string }
|
||||
|
||||
TenantCreated:
|
||||
type: object
|
||||
required: [tenant]
|
||||
properties:
|
||||
tenant: { $ref: "#/components/schemas/Tenant" }
|
||||
invite_url: { type: string, description: "KC action-token URL — present only when admin_email was set and KC provisioning succeeded" }
|
||||
|
||||
TenantActivate:
|
||||
type: object
|
||||
|
||||
Reference in New Issue
Block a user