feat(auth): add WorkOS and Keycloak SSO providers (P8-001) #210

Merged
jason.woltje merged 4 commits from feat/p8-001-sso-providers into main 2026-03-21 12:27:49 +00:00
Owner

Closes #53

Summary

  • add WorkOS and Keycloak SSO provider registration in @mosaic/auth alongside the existing Authentik flow
  • surface WorkOS and Keycloak login entry points in the web app with a dedicated /auth/provider/[provider] redirect route
  • document required environment variables and setup details for WorkOS and Keycloak deployments

Verification

  • pnpm install
  • pnpm typecheck
  • pnpm lint
  • pnpm test

Notes

  • verification passed in an isolated worktree on feat/p8-001-sso-providers
  • live end-to-end provider callback validation still requires real WorkOS/Keycloak credentials in a deployed environment
jason.woltje added 2 commits 2026-03-19 02:18:21 +00:00
- Refactor auth.ts to build OAuth providers array dynamically; extract
  buildOAuthProviders() for unit-testability
- Add WorkOS provider (WORKOS_CLIENT_ID/SECRET/REDIRECT_URI env vars)
- Add Keycloak provider with realm-scoped OIDC discovery
  (KEYCLOAK_URL/REALM/CLIENT_ID/CLIENT_SECRET env vars)
- Add genericOAuthClient plugin to web auth-client for signIn.oauth2()
- Add WorkOS + Keycloak SSO buttons to login page (NEXT_PUBLIC_*_ENABLED
  feature flags control visibility)
- Update .env.example with SSO provider stanzas
- Add 8 unit tests covering all provider inclusion/exclusion paths

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
chore: fix prettier formatting on scratchpad files
Some checks failed
ci/woodpecker/pr/ci Pipeline failed
ci/woodpecker/push/ci Pipeline failed
c54ee4c8d1
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
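The provider inclusion/exclusion behaviour described in the first commit message, as an added example that is not code from this PR or from `@mosaic/auth`. Assumptions: the full variable names are expanded from the abbreviated lists in the commit message, the provider object shape is hypothetical, and the choices to reject a partially filled stanza, to require HTTPS, and to use the `/realms/<realm>/.well-known/openid-configuration` discovery path are this example's own.

```typescript
// Added example: hypothetical sketch, not the @mosaic/auth implementation.
type Env = Record<string, string | undefined>;
interface OAuthProvider {
  providerId: string;
  clientId: string;
  clientSecret: string;
  redirectURI?: string;
  discoveryUrl?: string;
}

// Returns the values when every key is set and null when none are set.
// Throws on a partial stanza so a half-configured IdP fails at startup.
function readStanza(env: Env, keys: string[]): string[] | null {
  const values = keys.map((k) => (env[k] ?? "").trim());
  const missing = keys.filter((_, i) => values[i] === "");
  if (missing.length === keys.length) return null;
  if (missing.length > 0) throw new Error(`incomplete SSO config, missing: ${missing.join(", ")}`);
  return values;
}

// Realm-scoped OIDC discovery URL; HTTPS only, except localhost for development.
function keycloakDiscoveryUrl(baseUrl: string, realm: string): string {
  const url = new URL(baseUrl);
  const local = url.hostname === "localhost" || url.hostname === "127.0.0.1";
  if (url.protocol !== "https:" && !local) throw new Error("KEYCLOAK_URL must use https");
  const base = url.origin + url.pathname.replace(/\/+$/, ""); // drop trailing slashes
  return `${base}/realms/${encodeURIComponent(realm)}/.well-known/openid-configuration`;
}

// Env var names below are assumed expansions of the lists in the commit message.
function buildOAuthProviders(env: Env): OAuthProvider[] {
  const providers: OAuthProvider[] = [];
  const workos = readStanza(env, ["WORKOS_CLIENT_ID", "WORKOS_CLIENT_SECRET", "WORKOS_REDIRECT_URI"]);
  if (workos) {
    const [clientId, clientSecret, redirectURI] = workos;
    providers.push({ providerId: "workos", clientId, clientSecret, redirectURI });
  }
  const kc = readStanza(env, ["KEYCLOAK_URL", "KEYCLOAK_REALM", "KEYCLOAK_CLIENT_ID", "KEYCLOAK_CLIENT_SECRET"]);
  if (kc) {
    const [baseUrl, realm, clientId, clientSecret] = kc;
    const discoveryUrl = keycloakDiscoveryUrl(baseUrl, realm);
    providers.push({ providerId: "keycloak", clientId, clientSecret, discoveryUrl });
  }
  return providers;
}
```

Passing the environment in as an argument, rather than reading `process.env` inside the function, is what lets each inclusion and exclusion path be unit-tested without touching real credentials.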
jason.woltje added 1 commit 2026-03-19 02:18:59 +00:00
chore: add P8-001 scratchpad
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
70d7ea3be4
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
jason.woltje force-pushed feat/p8-001-sso-providers from 70d7ea3be4 to 77ba13b41b 2026-03-20 01:30:59 +00:00 Compare
jason.woltje changed title from feat(auth): add WorkOS + Keycloak SSO providers (P8-001) to feat: SSO providers — WorkOS + Keycloak (#53) 2026-03-20 01:31:44 +00:00
jason.woltje changed title from feat: SSO providers — WorkOS + Keycloak (#53) to feat(auth): add WorkOS and Keycloak SSO providers (P8-001) 2026-03-20 02:03:05 +00:00
jason.woltje merged commit cfb491e127 into main 2026-03-21 12:27:49 +00:00
jason.woltje deleted branch feat/p8-001-sso-providers 2026-03-21 12:27:49 +00:00
Reference: mosaicstack/stack#210