feat(analytics): integrate Langfuse with Keycloak SSO

Add certifai-langfuse OIDC client to Keycloak realm export and configure the Langfuse Docker service with Keycloak SSO env vars (shared realm, account linking, local auth disabled). Replace the iframe-based analytics page with an informational landing since cross-origin SSO breaks in iframes. Users open Langfuse in a new tab where the active Keycloak session authenticates them transparently. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-25 20:54:47 +01:00
parent c97bacbfe2
commit 789fcd60b2
10 changed files with 333 additions and 26 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -139,6 +139,8 @@ services:
    container_name: certifai-langfuse
    restart: unless-stopped
    depends_on:
+      keycloak:
+        condition: service_healthy
      langfuse-db:
        condition: service_healthy
      langfuse-clickhouse:
@@ -155,6 +157,13 @@ services:
      NEXTAUTH_SECRET: certifai-langfuse-dev-secret
      SALT: certifai-langfuse-dev-salt
      ENCRYPTION_KEY: "0000000000000000000000000000000000000000000000000000000000000000"
+      # Keycloak OIDC SSO - shared realm with CERTifAI dashboard
+      AUTH_KEYCLOAK_CLIENT_ID: certifai-langfuse
+      AUTH_KEYCLOAK_CLIENT_SECRET: certifai-langfuse-secret
+      AUTH_KEYCLOAK_ISSUER: http://keycloak:8080/realms/certifai
+      AUTH_KEYCLOAK_ALLOW_ACCOUNT_LINKING: "true"
+      # Disable local email/password auth (SSO only)
+      AUTH_DISABLE_USERNAME_PASSWORD: "true"
      CLICKHOUSE_URL: http://langfuse-clickhouse:8123
      CLICKHOUSE_MIGRATION_URL: clickhouse://langfuse-clickhouse:9000
      CLICKHOUSE_USER: clickhouse