feat(auth): add OIDC/Keycloak authentication with Minecraft UUID support#78
Open
Add /api/health endpoint returning JSON status for Kubernetes liveness and readiness probes in standalone deployment mode.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Add ARG/ENV for NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD, NEXT_PUBLIC_OIDC_PROVIDER_ID, and NEXT_PUBLIC_BETTER_AUTH_URL so Next.js can inline them during the build stage
- Run prisma generate before next build to ensure the Prisma client is up-to-date with the schema
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Support explicit OIDC_AUTHORIZATION_URL and OIDC_TOKEN_URL as alternative to OIDC_DISCOVERY_URL for split-horizon DNS setups (external auth URL for browser, internal token URL for server)
- Make email/password login configurable via DISABLE_EMAIL_PASSWORD
- Add preferred_username fallback for email/name fields to support Minecraft-linked accounts without a traditional email
- Extract and persist minecraft_uuid from OIDC token claims to the user table (new minecraftUuid field in Prisma schema)
- Simplify mapProfileToUser by consolidating duplicate update paths
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Conditionally render the email/password form and divider based on NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD. When set to "true", only the OIDC provider button is shown on the login page.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Run prettier on login-client.tsx and auth.ts
- Cast createdUser to any for minecraftUuid access to fix type check until prisma generate runs in CI
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pull Request
Description
Add full OIDC authentication support via Keycloak, including Minecraft identity provider integration. This enables OIDC-only login mode where the traditional email/password form is hidden, and Minecraft UUIDs from Keycloak tokens are extracted and persisted in the user table.
Type of Change
Related Issues
Testing
Checklist
Changes
lib/auth.ts
- OIDC_AUTHORIZATION_URL + OIDC_TOKEN_URL) as alternative to OIDC_DISCOVERY_URL for split-horizon DNS setups
- DISABLE_EMAIL_PASSWORD env var
- preferred_username fallback for email/name (Minecraft accounts without email)
- minecraft_uuid from OIDC token claims and persist to DB
- mapProfileToUser update paths
prisma/schema.prisma
- minecraftUuid String? @unique field to User model
app/[lang]/login/login-client.tsx
- NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD=true
Dockerfile
- ARG/ENV for NEXT_PUBLIC_* vars (required at build time for Next.js inlining)
- prisma generate before next build
app/api/health/route.ts
- /api/health endpoint for Kubernetes liveness/readiness probes
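
The claim mapping listed above for lib/auth.ts (preferred_username fallback, minecraft_uuid persisted to a unique column), sketched as an added example that is not code from this pull request. All type and function names are hypothetical, and it assumes the claim may arrive dashed or undashed, so it is validated and canonicalized before it reaches the database:

```typescript
// Added example; every type and function name here is hypothetical.
interface OidcClaims {
  sub: string;
  email?: string;
  name?: string;
  preferred_username?: string;
  minecraft_uuid?: unknown; // custom claim, handled as untrusted input
}

interface MappedUser {
  email: string;
  name: string;
  minecraftUuid: string | null;
}

// Assumption: the claim may arrive as 32 hex digits with or without dashes.
const UUID_RE =
  /^[0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12}$/i;

// Return the lowercase dashed form, or null for anything malformed, so that
// one UUID cannot occupy two rows of a unique column under two spellings.
function normalizeMinecraftUuid(value: unknown): string | null {
  if (typeof value !== "string" || !UUID_RE.test(value)) return null;
  const h = value.replace(/-/g, "").toLowerCase();
  return [h.slice(0, 8), h.slice(8, 12), h.slice(12, 16), h.slice(16, 20), h.slice(20)].join("-");
}

// email and name fall back to preferred_username; a token carrying neither
// an email nor a username is rejected instead of creating a blank account.
function mapClaimsToUser(claims: OidcClaims): MappedUser {
  const username = claims.preferred_username?.trim() || undefined;
  const email = claims.email?.trim() || username;
  if (!email) throw new Error("token has neither email nor preferred_username");
  return {
    email,
    name: claims.name?.trim() || username || email,
    minecraftUuid: normalizeMinecraftUuid(claims.minecraft_uuid),
  };
}

// Constructed sample claims for a Minecraft-linked account without an email.
const SAMPLE_CLAIMS: OidcClaims = {
  sub: "constructed-subject-id",
  preferred_username: "ExamplePlayer",
  minecraft_uuid: "ABCDEF0011112222333344445555AAAA",
};
console.log(mapClaimsToUser(SAMPLE_CLAIMS));
```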