feat(auth): add WorkOS and Keycloak SSO discovery

2026-03-19 21:03:46 -05:00
parent f3e90df2a0
commit cecc90afa7
16 changed files with 695 additions and 176 deletions
--- a/apps/gateway/src/auth/auth.module.ts
+++ b/apps/gateway/src/auth/auth.module.ts
@@ -3,9 +3,11 @@ import { createAuth, type Auth } from '@mosaic/auth';
 import type { Db } from '@mosaic/db';
 import { DB } from '../database/database.module.js';
 import { AUTH } from './auth.tokens.js';
+import { SsoController } from './sso.controller.js';

@Global()
@Module({
+  controllers: [SsoController],
  providers: [
    {
      provide: AUTH,
--- a/apps/gateway/src/auth/sso.controller.spec.ts
+++ b/apps/gateway/src/auth/sso.controller.spec.ts
@@ -0,0 +1,40 @@
+import { afterEach, describe, expect, it, vi } from 'vitest';
+import { SsoController } from './sso.controller.js';
+
+describe('SsoController', () => {
+  afterEach(() => {
+    vi.unstubAllEnvs();
+  });
+
+  it('lists configured OIDC providers', () => {
+    vi.stubEnv('WORKOS_CLIENT_ID', 'workos-client');
+    vi.stubEnv('WORKOS_CLIENT_SECRET', 'workos-secret');
+    vi.stubEnv('WORKOS_ISSUER', 'https://auth.workos.com/sso/client_123');
+
+    const controller = new SsoController();
+    const providers = controller.list();
+
+    expect(providers.find((provider) => provider.id === 'workos')).toMatchObject({
+      configured: true,
+      loginMode: 'oidc',
+      callbackPath: '/api/auth/oauth2/callback/workos',
+      teamSync: { enabled: true, claim: 'organization_id' },
+    });
+  });
+
+  it('prefers SAML fallback for Keycloak when only the SAML login URL is configured', () => {
+    vi.stubEnv('KEYCLOAK_SAML_LOGIN_URL', 'https://sso.example.com/realms/mosaic/protocol/saml');
+
+    const controller = new SsoController();
+    const providers = controller.list();
+
+    expect(providers.find((provider) => provider.id === 'keycloak')).toMatchObject({
+      configured: true,
+      loginMode: 'saml',
+      samlFallback: {
+        configured: true,
+        loginUrl: 'https://sso.example.com/realms/mosaic/protocol/saml',
+      },
+    });
+  });
+});
--- a/apps/gateway/src/auth/sso.controller.ts
+++ b/apps/gateway/src/auth/sso.controller.ts
@@ -0,0 +1,10 @@
+import { Controller, Get } from '@nestjs/common';
+import { buildSsoDiscovery, type SsoProviderDiscovery } from '@mosaic/auth';
+
+@Controller('api/sso/providers')
+export class SsoController {
+  @Get()
+  list(): SsoProviderDiscovery[] {
+    return buildSsoDiscovery();
+  }
+}
--- a/apps/gateway/src/main.ts
+++ b/apps/gateway/src/main.ts
@@ -11,6 +11,7 @@ import { NestFactory } from '@nestjs/core';
 import { Logger, ValidationPipe } from '@nestjs/common';
 import { FastifyAdapter, type NestFastifyApplication } from '@nestjs/platform-fastify';
 import helmet from '@fastify/helmet';
+import { listSsoStartupWarnings } from '@mosaic/auth';
 import { AppModule } from './app.module.js';
 import { mountAuthHandler } from './auth/auth.controller.js';
 import { mountMcpHandler } from './mcp/mcp.controller.js';
@@ -23,13 +24,8 @@ async function bootstrap(): Promise<void> {
    throw new Error('BETTER_AUTH_SECRET is required');
  }

-  if (
-    process.env['AUTHENTIK_CLIENT_ID'] &&
-    (!process.env['AUTHENTIK_CLIENT_SECRET'] || !process.env['AUTHENTIK_ISSUER'])
-  ) {
-    console.warn(
-      '[warn] AUTHENTIK_CLIENT_ID is set but AUTHENTIK_CLIENT_SECRET or AUTHENTIK_ISSUER is missing — Authentik SSO will not work',
-    );
+  for (const warning of listSsoStartupWarnings()) {
+    logger.warn(warning);
  }

  const app = await NestFactory.create<NestFastifyApplication>(