ORV2-1763 - Refactor Keycloak changes (#1055)

Co-authored-by: Krishnan Subramanian <[email protected]>

charts/onroutebc/values.yaml

@@ -30,8 +30,8 @@ frontend:
           return {
             "VITE_DEPLOY_ENVIRONMENT":"{{.Values.global.zone}}",
             "VITE_API_VEHICLE_URL":"https://{{.Release.Name}}-vehicles.{{.Values.global.domain}}",
-            "VITE_AUTH0_ISSUER_URL":"https://{{ternary ("") (printf "%s." .Values.global.zone) (contains "prod" .Values.global.zone)}}loginproxy.gov.bc.ca/auth/realms/standard",
-            "VITE_AUTH0_AUDIENCE":"on-route-bc-direct-4598",
+            "VITE_KEYCLOAK_ISSUER_URL":"https://{{ternary ("") (printf "%s." .Values.global.zone) (contains "prod" .Values.global.zone)}}loginproxy.gov.bc.ca/auth/realms/standard",
+            "VITE_KEYCLOAK_AUDIENCE":"on-route-bc-direct-4598",
             "VITE_SITEMINDER_LOG_OFF_URL": "https://logontest7.gov.bc.ca/clp-cgi/logoff.cgi",
           };
         })();
@@ -103,7 +103,7 @@ vehicles:
       command:
         - "sh"
         - "-c"
-        - "source /vault/secrets/auth0-{{.Values.global.vault.zone}} && source /vault/secrets/ches-{{.Values.global.vault.zone}} && source /vault/secrets/mssql-{{.Values.global.vault.zone}} && source /vault/secrets/payment-{{.Values.global.vault.zone}} && source /vault/secrets/vehicles-{{.Values.global.vault.zone}} && npm run start:prod"
+        - "source /vault/secrets/keycloak-{{.Values.global.vault.zone}} && source /vault/secrets/ches-{{.Values.global.vault.zone}} && source /vault/secrets/mssql-{{.Values.global.vault.zone}} && source /vault/secrets/payment-{{.Values.global.vault.zone}} && source /vault/secrets/vehicles-{{.Values.global.vault.zone}} && npm run start:prod"
       registry: '{{ .Values.global.registry }}'
       repository: '{{ .Values.global.repository }}' # example, it includes registry and repository
       image: vehicles
@@ -180,7 +180,7 @@ vehicles:
     role: "{{.Values.global.vault.role}}"
     license: "{{.Values.global.license}}"
     secretPaths:
-      - "auth0-{{tpl $.Values.vault.zone $}}"
+      - "keycloak-{{tpl $.Values.vault.zone $}}"
       - "ches-{{tpl $.Values.vault.zone $}}"
       - "mssql-{{tpl $.Values.vault.zone $}}"
       - "payment-{{tpl $.Values.vault.zone $}}"
@@ -206,7 +206,7 @@ dops:
       command:
         - "sh"
         - "-c"
-        - "source /vault/secrets/auth0-{{.Values.global.vault.zone}} && source /vault/secrets/mssql-{{.Values.global.vault.zone}} && source /vault/secrets/cdogs-{{.Values.global.vault.zone}} && source /vault/secrets/dops-{{.Values.global.vault.zone}} && source /vault/secrets/s3-{{.Values.global.vault.zone}} && npm run start:prod"
+        - "source /vault/secrets/keycloak-{{.Values.global.vault.zone}} && source /vault/secrets/mssql-{{.Values.global.vault.zone}} && source /vault/secrets/cdogs-{{.Values.global.vault.zone}} && source /vault/secrets/dops-{{.Values.global.vault.zone}} && source /vault/secrets/s3-{{.Values.global.vault.zone}} && npm run start:prod"
       registry: '{{ .Values.global.registry }}'
       repository: '{{ .Values.global.repository }}' # example, it includes registry and repository
       image: dops
@@ -281,7 +281,7 @@ dops:
     role: "{{.Values.global.vault.role}}"
     license: "{{.Values.global.license}}"
     secretPaths:
-      - "auth0-{{tpl $.Values.vault.zone $}}"
+      - "keycloak-{{tpl $.Values.vault.zone $}}"
       - "mssql-{{tpl $.Values.vault.zone $}}"
       - "cdogs-{{tpl $.Values.vault.zone $}}"
       - "dops-{{tpl $.Values.vault.zone $}}"
@@ -303,7 +303,7 @@ tps-migration:
       command:
         - "sh"
         - "-c"
-        - "source /vault/secrets/auth0-{{.Values.global.vault.zone}} && source /vault/secrets/mssql-{{.Values.global.vault.zone}} && source /vault/secrets/s3-{{.Values.global.vault.zone}} && source /vault/secrets/tps-{{.Values.global.vault.zone}} && npm run start:prod"
+        - "source /vault/secrets/keycloak-{{.Values.global.vault.zone}} && source /vault/secrets/mssql-{{.Values.global.vault.zone}} && source /vault/secrets/s3-{{.Values.global.vault.zone}} && source /vault/secrets/tps-{{.Values.global.vault.zone}} && npm run start:prod"
       registry: '{{ .Values.global.registry }}'
       repository: '{{ .Values.global.repository }}' # example, it includes registry and repository
       image: tps-migration
@@ -372,7 +372,7 @@ tps-migration:
     role: "{{.Values.global.vault.role}}"
     license: "{{.Values.global.license}}"
     secretPaths:
-      - "auth0-{{tpl $.Values.vault.zone $}}"
+      - "keycloak-{{tpl $.Values.vault.zone $}}"
       - "mssql-{{tpl $.Values.vault.zone $}}"      
       - "tps-{{tpl $.Values.vault.zone $}}"
       - "s3-{{tpl $.Values.vault.zone $}}"

docker-compose.yml

@@ -56,9 +56,9 @@ services:
       MSSQL_SA_USER: ${MSSQL_SA_USER}
       MSSQL_SA_PASSWORD: ${MSSQL_SA_PASSWORD}
       MSSQL_ENCRYPT: ${MSSQL_ENCRYPT}
-      AUTH0_ISSUER_URL: ${AUTH0_ISSUER_URL}
-      AUTH0_AUDIENCE: ${AUTH0_AUDIENCE}
-      AUTH0_IGNORE_EXP: ${AUTH0_IGNORE_EXP}
+      KEYCLOAK_ISSUER_URL: ${KEYCLOAK_ISSUER_URL}
+      KEYCLOAK_AUDIENCE: ${KEYCLOAK_AUDIENCE}
+      KEYCLOAK_IGNORE_EXP: ${KEYCLOAK_IGNORE_EXP}
       CHES_TOKEN_URL: ${CHES_TOKEN_URL}
       CHES_CLIENT_ID: ${CHES_CLIENT_ID}
       CHES_CLIENT_SECRET: ${CHES_CLIENT_SECRET}
@@ -104,9 +104,9 @@ services:
       MSSQL_SA_USER: ${MSSQL_SA_USER}
       MSSQL_SA_PASSWORD: ${MSSQL_SA_PASSWORD}
       MSSQL_ENCRYPT: ${MSSQL_ENCRYPT}
-      AUTH0_ISSUER_URL: ${AUTH0_ISSUER_URL}
-      AUTH0_AUDIENCE: ${AUTH0_AUDIENCE}
-      AUTH0_IGNORE_EXP: ${AUTH0_IGNORE_EXP}
+      KEYCLOAK_ISSUER_URL: ${KEYCLOAK_ISSUER_URL}
+      KEYCLOAK_AUDIENCE: ${KEYCLOAK_AUDIENCE}
+      KEYCLOAK_IGNORE_EXP: ${KEYCLOAK_IGNORE_EXP}
       DOPS_CVSE_FORMS_CACHE_TTL_MS: ${DOPS_CVSE_FORMS_CACHE_TTL_MS}
       OCIO_S3_ACCESSKEYID: ${OCIO_S3_ACCESSKEYID}
       OCIO_S3_BUCKET: ${OCIO_S3_BUCKET}
@@ -144,8 +144,8 @@ services:
       args:
         VITE_DEPLOY_ENVIRONMENT: ${VITE_DEPLOY_ENVIRONMENT}
         VITE_API_VEHICLE_URL: ${VITE_API_VEHICLE_URL}
-        VITE_AUTH0_ISSUER_URL: ${VITE_AUTH0_ISSUER_URL}
-        VITE_AUTH0_AUDIENCE: ${VITE_AUTH0_AUDIENCE}
+        VITE_KEYCLOAK_ISSUER_URL: ${VITE_KEYCLOAK_ISSUER_URL}
+        VITE_KEYCLOAK_AUDIENCE: ${VITE_KEYCLOAK_AUDIENCE}
         VITE_SITEMINDER_LOG_OFF_URL: ${VITE_SITEMINDER_LOG_OFF_URL}
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:3000"]
@@ -180,9 +180,9 @@ services:
       MSSQL_SA_USER: ${MSSQL_SA_USER}
       MSSQL_SA_PASSWORD: ${MSSQL_SA_PASSWORD}
       MSSQL_ENCRYPT: ${MSSQL_ENCRYPT}
-      AUTH0_ISSUER_URL: ${AUTH0_ISSUER_URL}
-      AUTH0_AUDIENCE: ${AUTH0_AUDIENCE}
-      AUTH0_IGNORE_EXP: ${AUTH0_IGNORE_EXP}
+      KEYCLOAK_ISSUER_URL: ${KEYCLOAK_ISSUER_URL}
+      KEYCLOAK_AUDIENCE: ${KEYCLOAK_AUDIENCE}
+      KEYCLOAK_IGNORE_EXP: ${KEYCLOAK_IGNORE_EXP}
       DOPS_CVSE_FORMS_CACHE_TTL_MS: ${DOPS_CVSE_FORMS_CACHE_TTL_MS}
       OCIO_S3_ACCESSKEYID: ${OCIO_S3_ACCESSKEYID}
       OCIO_S3_BUCKET: ${OCIO_S3_BUCKET}

dops/Dockerfile

@@ -46,9 +46,9 @@ ENV MSSQL_DB ${MSSQL_DB}
 ENV MSSQL_SA_USER ${MSSQL_SA_USER}
 ENV MSSQL_SA_PASSWORD ${MSSQL_SA_PASSWORD}
 ENV MSSQL_ENCRYPT ${MSSQL_ENCRYPT}
-ENV AUTH0_ISSUER_URL ${AUTH0_ISSUER_URL}
-ENV AUTH0_AUDIENCE ${AUTH0_AUDIENCE}
-ENV AUTH0_IGNORE_EXP ${AUTH0_IGNORE_EXP}
+ENV KEYCLOAK_ISSUER_URL ${KEYCLOAK_ISSUER_URL}
+ENV KEYCLOAK_AUDIENCE ${KEYCLOAK_AUDIENCE}
+ENV KEYCLOAK_IGNORE_EXP ${KEYCLOAK_IGNORE_EXP}
 ENV DOPS_CVSE_FORMS_CACHE_TTL_MS ${DOPS_CVSE_FORMS_CACHE_TTL_MS}
 ENV OCIO_S3_ACCESSKEYID ${OCIO_S3_ACCESSKEYID}
 ENV OCIO_S3_BUCKET ${OCIO_S3_BUCKET}

dops/src/modules/auth/jwt.strategy.ts

@@ -25,13 +25,13 @@ export class JwtStrategy extends PassportStrategy(Strategy) {
         cache: true,
         rateLimit: true,
         jwksRequestsPerMinute: 5,
-        jwksUri: `${process.env.AUTH0_ISSUER_URL}/protocol/openid-connect/certs`,
+        jwksUri: `${process.env.KEYCLOAK_ISSUER_URL}/protocol/openid-connect/certs`,
       }),
 
       jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
-      ignoreExpiration: process.env.AUTH0_IGNORE_EXP === 'true' ? true : false,
-      audience: process.env.AUTH0_AUDIENCE,
-      issuer: `${process.env.AUTH0_ISSUER_URL}`,
+      ignoreExpiration: process.env.KEYCLOAK_IGNORE_EXP === 'true' ? true : false,
+      audience: process.env.KEYCLOAK_AUDIENCE,
+      issuer: `${process.env.KEYCLOAK_ISSUER_URL}`,
       algorithms: ['RS256'],
       passReqToCallback: true,
     });

frontend/Dockerfile

@@ -7,14 +7,14 @@ WORKDIR /app
 #ENV NODE_ENV production
 ARG VITE_DEPLOY_ENVIRONMENT
 ARG VITE_API_VEHICLE_URL
-ARG VITE_AUTH0_ISSUER_URL
-ARG VITE_AUTH0_AUDIENCE
+ARG VITE_KEYCLOAK_ISSUER_URL
+ARG VITE_KEYCLOAK_AUDIENCE
 ARG VITE_SITEMINDER_LOG_OFF_URL
 
 ENV VITE_DEPLOY_ENVIRONMENT $VITE_DEPLOY_ENVIRONMENT
 ENV VITE_API_VEHICLE_URL $VITE_API_VEHICLE_URL
-ENV VITE_AUTH0_ISSUER_URL $VITE_AUTH0_ISSUER_URL
-ENV VITE_AUTH0_AUDIENCE $VITE_AUTH0_AUDIENCE
+ENV VITE_KEYCLOAK_ISSUER_URL $VITE_KEYCLOAK_ISSUER_URL
+ENV VITE_KEYCLOAK_AUDIENCE $VITE_KEYCLOAK_AUDIENCE
 ENV VITE_SITEMINDER_LOG_OFF_URL $VITE_SITEMINDER_LOG_OFF_URL
 
 # Install app dependencies

frontend/README.md

@@ -19,8 +19,8 @@ Create a .env file in the root directory of onRouteBC and add the following vari
 ```conf
 VITE_DEPLOY_ENVIRONMENT=local
 VITE_API_VEHICLE_URL=http://localhost:5000
-VITE_AUTH0_ISSUER_URL=
-VITE_AUTH0_AUDIENCE=
+VITE_KEYCLOAK_ISSUER_URL=
+VITE_KEYCLOAK_AUDIENCE=
 VITE_SITEMINDER_LOG_OFF_URL=
 ```
 

frontend/openshift.deploy.yml

@@ -50,13 +50,13 @@ parameters:
   - name: DATABASE_HOST
     description: Host url/service of database connection
     required: true
-  - name: AUTH0_ISSUER_URL
+  - name: KEYCLOAK_ISSUER_URL
     description: The principal that issued the JWT
     required: true
-  - name: AUTH0_AUDIENCE
+  - name: KEYCLOAK_AUDIENCE
     description: Identifies the recipients that the JWT is intended for
     required: true
-  - name: AUTH0_IGNORE_EXP
+  - name: KEYCLOAK_IGNORE_EXP
     description: The boolean flag to ignore the JWT expiration
     required: true
   - name: SITEMINDER_LOG_OFF_URL
@@ -150,8 +150,8 @@ objects:
           return {
             "VITE_DEPLOY_ENVIRONMENT":"${ZONE}",
             "VITE_API_VEHICLE_URL":"https://${NAME}-${ZONE}-backend-vehicles.${DOMAIN}",
-            "VITE_AUTH0_ISSUER_URL":"${AUTH0_ISSUER_URL}",
-            "VITE_AUTH0_AUDIENCE":"${AUTH0_AUDIENCE}",
+            "VITE_KEYCLOAK_ISSUER_URL":"${KEYCLOAK_ISSUER_URL}",
+            "VITE_KEYCLOAK_AUDIENCE":"${KEYCLOAK_AUDIENCE}",
             "VITE_SITEMINDER_LOG_OFF_URL": "${SITEMINDER_LOG_OFF_URL}",
           };
         })();

frontend/public/config.js

@@ -18,8 +18,8 @@ const envConfig = (() => {
   return {
     VITE_DEPLOY_ENVIRONMENT: "docker",
     VITE_API_VEHICLE_URL: "http://localhost:5000",
-    VITE_AUTH0_ISSUER_URL: "",
-    VITE_AUTH0_AUDIENCE: "",
+    VITE_KEYCLOAK_ISSUER_URL: "",
+    VITE_KEYCLOAK_AUDIENCE: "",
     VITE_SITEMINDER_LOG_OFF_URL: ""
   };
 })();

frontend/src/App.tsx

@@ -25,10 +25,10 @@ import OnRouteBCContext, {
 import { MigratedClient } from "./common/authentication/types";
 
 const authority =
-  import.meta.env.VITE_AUTH0_ISSUER_URL || envConfig.VITE_AUTH0_ISSUER_URL;
+  import.meta.env.VITE_KEYCLOAK_ISSUER_URL || envConfig.VITE_KEYCLOAK_ISSUER_URL;
 
 const client_id =
-  import.meta.env.VITE_AUTH0_AUDIENCE || envConfig.VITE_AUTH0_AUDIENCE;
+  import.meta.env.VITE_KEYCLOAK_AUDIENCE || envConfig.VITE_KEYCLOAK_AUDIENCE;
 
 /**
  * The OIDC Configuration needed for authentication.

frontend/src/common/apiManager/httpRequestHandler.ts

@@ -20,7 +20,7 @@ axios.interceptors.request.use(
 );
 
 // Add environment variables to get the full key.
-// Full key structure: oidc.user:${AUTH0_ISSUER_URL}:${AUTH0_AUDIENCE}
+// Full key structure: oidc.user:${KEYCLOAK_ISSUER_URL}:${KEYCLOAK_AUDIENCE}
 // Full key example:: oidc.user:https://dev.loginproxy.gov.bc.ca/auth/realms/standard:on-route-bc-direct-4598
 const getUserStorageKey = () =>
   Object.keys(sessionStorage).find((key) => key.startsWith("oidc.user"));

tps-migration/Dockerfile

@@ -45,9 +45,9 @@ ENV MSSQL_DB ${MSSQL_DB}
 ENV MSSQL_SA_USER ${MSSQL_SA_USER}
 ENV MSSQL_SA_PASSWORD ${MSSQL_SA_PASSWORD}
 ENV MSSQL_ENCRYPT ${MSSQL_ENCRYPT}
-ENV AUTH0_ISSUER_URL ${AUTH0_ISSUER_URL}
-ENV AUTH0_AUDIENCE ${AUTH0_AUDIENCE}
-ENV AUTH0_IGNORE_EXP ${AUTH0_IGNORE_EXP}
+ENV KEYCLOAK_ISSUER_URL ${KEYCLOAK_ISSUER_URL}
+ENV KEYCLOAK_AUDIENCE ${KEYCLOAK_AUDIENCE}
+ENV KEYCLOAK_IGNORE_EXP ${KEYCLOAK_IGNORE_EXP}
 ENV OCIO_S3_ACCESSKEYID ${OCIO_S3_ACCESSKEYID}
 ENV OCIO_S3_BUCKET ${OCIO_S3_BUCKET}
 ENV OCIO_S3_PRESIGNED_URL_EXPIRY ${OCIO_S3_PRESIGNED_URL_EXPIRY}

vehicles/Dockerfile

@@ -45,9 +45,9 @@ ENV MSSQL_DB ${MSSQL_DB}
 ENV MSSQL_SA_USER ${MSSQL_SA_USER}
 ENV MSSQL_SA_PASSWORD ${MSSQL_SA_PASSWORD}
 ENV MSSQL_ENCRYPT ${MSSQL_ENCRYPT}
-ENV AUTH0_ISSUER_URL ${AUTH0_ISSUER_URL}
-ENV AUTH0_AUDIENCE ${AUTH0_AUDIENCE}
-ENV AUTH0_IGNORE_EXP ${AUTH0_IGNORE_EXP}
+ENV KEYCLOAK_ISSUER_URL ${KEYCLOAK_ISSUER_URL}
+ENV KEYCLOAK_AUDIENCE ${KEYCLOAK_AUDIENCE}
+ENV KEYCLOAK_IGNORE_EXP ${KEYCLOAK_IGNORE_EXP}
 ENV CHES_TOKEN_URL ${CHES_TOKEN_URL}
 ENV CHES_CLIENT_ID ${CHES_CLIENT_ID}
 ENV CHES_CLIENT_SECRET ${CHES_CLIENT_SECRET}

vehicles/src/modules/auth/jwt.strategy.ts

@@ -28,13 +28,13 @@ export class JwtStrategy extends PassportStrategy(Strategy) {
         cache: true,
         rateLimit: true,
         jwksRequestsPerMinute: 5,
-        jwksUri: `${process.env.AUTH0_ISSUER_URL}/protocol/openid-connect/certs`,
+        jwksUri: `${process.env.KEYCLOAK_ISSUER_URL}/protocol/openid-connect/certs`,
       }),
 
       jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
-      ignoreExpiration: process.env.AUTH0_IGNORE_EXP === 'true' ? true : false,
-      audience: process.env.AUTH0_AUDIENCE,
-      issuer: `${process.env.AUTH0_ISSUER_URL}`,
+      ignoreExpiration: process.env.KEYCLOAK_IGNORE_EXP === 'true' ? true : false,
+      audience: process.env.KEYCLOAK_AUDIENCE,
+      issuer: `${process.env.KEYCLOAK_ISSUER_URL}`,
       algorithms: ['RS256'],
       passReqToCallback: true,
     });