feat: add Keycloak authentication for dashboard and API endpoints (#2)

Dashboard: OAuth2/OIDC login flow with PKCE, session-based auth middleware protecting all server function endpoints, check-auth server function for frontend auth state, login page gate in AppShell, user info in sidebar. Agent API: JWT validation middleware using Keycloak JWKS endpoint, conditionally enabled when KEYCLOAK_URL and KEYCLOAK_REALM are set. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Sharang Parnerkar <parnerkarsharang@gmail.com> Reviewed-on: #2
2026-03-07 23:50:56 +00:00
parent 42cabf0582
commit 0cb06d3d6d
21 changed files with 741 additions and 13 deletions
--- a/compliance-core/src/config.rs
+++ b/compliance-core/src/config.rs
@@ -24,6 +24,8 @@ pub struct AgentConfig {
    pub scan_schedule: String,
    pub cve_monitor_schedule: String,
    pub git_clone_base_path: String,
+    pub keycloak_url: Option<String>,
+    pub keycloak_realm: Option<String>,
 }

 #[derive(Clone, Debug, Serialize, Deserialize)]
--- a/compliance-core/src/models/auth.rs
+++ b/compliance-core/src/models/auth.rs
@@ -0,0 +1,14 @@
+use serde::{Deserialize, Serialize};
+
+/// Authentication state returned by the `check_auth` server function.
+///
+/// When no valid session exists, `authenticated` is `false` and all
+/// other fields are empty strings.
+#[derive(Debug, Clone, Serialize, Deserialize, Default, PartialEq)]
+pub struct AuthInfo {
+    pub authenticated: bool,
+    pub sub: String,
+    pub email: String,
+    pub name: String,
+    pub avatar_url: String,
+}
--- a/compliance-core/src/models/mod.rs
+++ b/compliance-core/src/models/mod.rs
@@ -1,3 +1,4 @@
+pub mod auth;
 pub mod chat;
 pub mod cve;
 pub mod dast;
@@ -9,6 +10,7 @@ pub mod repository;
 pub mod sbom;
 pub mod scan;

+pub use auth::AuthInfo;
 pub use chat::{ChatMessage, ChatRequest, ChatResponse, SourceReference};
 pub use cve::{CveAlert, CveSource};
 pub use dast::{