feat(auth): add WorkOS + Keycloak SSO providers (P8-001)

- Refactor auth.ts to build OAuth providers array dynamically; extract buildOAuthProviders() for unit-testability - Add WorkOS provider (WORKOS_CLIENT_ID/SECRET/REDIRECT_URI env vars) - Add Keycloak provider with realm-scoped OIDC discovery (KEYCLOAK_URL/REALM/CLIENT_ID/CLIENT_SECRET env vars) - Add genericOAuthClient plugin to web auth-client for signIn.oauth2() - Add WorkOS + Keycloak SSO buttons to login page (NEXT_PUBLIC_*_ENABLED feature flags control visibility) - Update .env.example with SSO provider stanzas - Add 8 unit tests covering all provider inclusion/exclusion paths Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-18 21:17:11 -05:00
parent 25f880416a
commit 254da35300
5 changed files with 235 additions and 31 deletions
--- a/packages/auth/src/auth.ts
+++ b/packages/auth/src/auth.ts
@@ -1,6 +1,7 @@
 import { betterAuth } from 'better-auth';
 import { drizzleAdapter } from 'better-auth/adapters/drizzle';
 import { admin, genericOAuth } from 'better-auth/plugins';
+import type { GenericOAuthConfig } from 'better-auth/plugins';
 import type { Db } from '@mosaic/db';

 export interface AuthConfig {
@@ -9,35 +10,62 @@ export interface AuthConfig {
  secret?: string;
 }

+/** Builds the list of enabled OAuth providers from environment variables. Exported for testing. */
+export function buildOAuthProviders(): GenericOAuthConfig[] {
+  const providers: GenericOAuthConfig[] = [];
+
+  const authentikClientId = process.env['AUTHENTIK_CLIENT_ID'];
+  if (authentikClientId) {
+    const authentikIssuer = process.env['AUTHENTIK_ISSUER'];
+    providers.push({
+      providerId: 'authentik',
+      clientId: authentikClientId,
+      clientSecret: process.env['AUTHENTIK_CLIENT_SECRET'] ?? '',
+      discoveryUrl: authentikIssuer
+        ? `${authentikIssuer}/.well-known/openid-configuration`
+        : undefined,
+      authorizationUrl: authentikIssuer ? `${authentikIssuer}/application/o/authorize/` : undefined,
+      tokenUrl: authentikIssuer ? `${authentikIssuer}/application/o/token/` : undefined,
+      userInfoUrl: authentikIssuer ? `${authentikIssuer}/application/o/userinfo/` : undefined,
+      scopes: ['openid', 'email', 'profile'],
+    });
+  }
+
+  const workosClientId = process.env['WORKOS_CLIENT_ID'];
+  if (workosClientId) {
+    providers.push({
+      providerId: 'workos',
+      clientId: workosClientId,
+      clientSecret: process.env['WORKOS_CLIENT_SECRET'] ?? '',
+      authorizationUrl: 'https://api.workos.com/sso/authorize',
+      tokenUrl: 'https://api.workos.com/sso/token',
+      userInfoUrl: 'https://api.workos.com/sso/profile',
+      scopes: ['openid', 'email', 'profile'],
+    });
+  }
+
+  const keycloakClientId = process.env['KEYCLOAK_CLIENT_ID'];
+  if (keycloakClientId) {
+    const keycloakUrl = process.env['KEYCLOAK_URL'] ?? '';
+    const keycloakRealm = process.env['KEYCLOAK_REALM'] ?? '';
+    providers.push({
+      providerId: 'keycloak',
+      clientId: keycloakClientId,
+      clientSecret: process.env['KEYCLOAK_CLIENT_SECRET'] ?? '',
+      discoveryUrl: `${keycloakUrl}/realms/${keycloakRealm}/.well-known/openid-configuration`,
+      scopes: ['openid', 'email', 'profile'],
+    });
+  }
+
+  return providers;
+}
+
 export function createAuth(config: AuthConfig) {
  const { db, baseURL, secret } = config;
-  const authentikIssuer = process.env['AUTHENTIK_ISSUER'];
-  const authentikClientId = process.env['AUTHENTIK_CLIENT_ID'];
-  const authentikClientSecret = process.env['AUTHENTIK_CLIENT_SECRET'];
-  const plugins = authentikClientId
-    ? [
-        genericOAuth({
-          config: [
-            {
-              providerId: 'authentik',
-              clientId: authentikClientId,
-              clientSecret: authentikClientSecret ?? '',
-              discoveryUrl: authentikIssuer
-                ? `${authentikIssuer}/.well-known/openid-configuration`
-                : undefined,
-              authorizationUrl: authentikIssuer
-                ? `${authentikIssuer}/application/o/authorize/`
-                : undefined,
-              tokenUrl: authentikIssuer ? `${authentikIssuer}/application/o/token/` : undefined,
-              userInfoUrl: authentikIssuer
-                ? `${authentikIssuer}/application/o/userinfo/`
-                : undefined,
-              scopes: ['openid', 'email', 'profile'],
-            },
-          ],
-        }),
-      ]
-    : undefined;
+
+  const oauthProviders = buildOAuthProviders();
+  const plugins =
+    oauthProviders.length > 0 ? [genericOAuth({ config: oauthProviders })] : undefined;

  const corsOrigin = process.env['GATEWAY_CORS_ORIGIN'] ?? 'http://localhost:3000';
  const trustedOrigins = corsOrigin.split(',').map((o) => o.trim());