mosaicstack/stack
1
0
Fork 0
Code Issues 13 Pull Requests Actions Packages Projects Releases 11 Wiki Activity
Files
b89503fa8c5fb8c94f006257e4cbb439c8e776b7
stack/docs/scratchpads/p8-001-sso-providers.md
Jason Woltje b89503fa8c chore: fix prettier formatting on scratchpad files 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-19 20:18:59 -05:00

63 lines
3.0 KiB
Markdown
Raw Blame History

# P8-001 — WorkOS + Keycloak SSO Providers
**Branch:** feat/p8-001-sso-providers
**Started:** 2026-03-18
**Mode:** Delivery
## Objective
Add WorkOS and Keycloak as optional SSO providers to the BetterAuth configuration, following the existing Authentik pattern.
## Scope
| Surface | Change |
| ---------------------------------------- | ----------------------------------------------------------------------- |
| `packages/auth/src/auth.ts` | Refactor provider array, add WorkOS + Keycloak conditional registration |
| `apps/web/src/lib/auth-client.ts` | Add `genericOAuthClient()` plugin |
| `apps/web/src/app/(auth)/login/page.tsx` | WorkOS + Keycloak SSO buttons gated by `NEXT_PUBLIC_*` env vars |
| `.env.example` | Document WorkOS + Keycloak env vars |
| `packages/auth/src/auth.test.ts` | Unit tests verifying env-var gating |
## Plan
1. ✅ Refactor `createAuth` to build `oauthProviders[]` conditionally
2. ✅ Add WorkOS provider (explicit URLs, no discovery)
3. ✅ Add Keycloak provider (discoveryUrl pattern)
4. ✅ Add `genericOAuthClient()` to auth-client.ts
5. ✅ Add SSO buttons to login page gated by `NEXT_PUBLIC_WORKOS_ENABLED` / `NEXT_PUBLIC_KEYCLOAK_ENABLED`
6. ✅ Update `.env.example`
7. ⏳ Write `auth.test.ts` with env-var gating tests
8. ⏳ Quality gates: typecheck + lint + format:check + test
9. ⏳ Commit + push + PR
## Decisions
- **WorkOS**: Uses explicit `authorizationUrl`, `tokenUrl`, `userInfoUrl` (no discovery endpoint available)
- **Keycloak**: Uses `discoveryUrl` pattern (`{URL}/realms/{REALM}/.well-known/openid-configuration`)
- **UI gating**: Login page uses `NEXT_PUBLIC_WORKOS_ENABLED` / `NEXT_PUBLIC_KEYCLOAK_ENABLED` feature flags (safer than exposing secret env var names client-side)
- **Refactor**: Authentik moved into same `oauthProviders[]` array pattern — cleaner, more extensible
- **Feature flag design**: `NEXT_PUBLIC_*` flags are opt-in alongside credentials (prevents accidental button render when creds not set)
## Assumptions
- `ASSUMPTION:` WorkOS OIDC discovery URL is not publicly documented; using direct URL pattern from WorkOS SSO docs.
- `ASSUMPTION:` `NEXT_PUBLIC_WORKOS_ENABLED=true` must be explicitly set — this is intentional (credential presence alone doesn't enable the button since NEXT_PUBLIC vars are baked at build time).
## Tests
- `auth.test.ts`: Mocks betterAuth stack, verifies WorkOS included/excluded based on env var
- `auth.test.ts`: Verifies Keycloak discoveryUrl constructed correctly
## Quality Gate Results
| Gate | Status |
| ------------------- | ------ |
| typecheck | ⏳ |
| lint | ⏳ |
| format:check | ⏳ |
| test (@mosaic/auth) | ⏳ |
## Verification Evidence
⏳ Pending
Reference in New Issue View Git Blame Copy Permalink