chore(workspace): merge main - resolve feature flag conflict

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: FelixTJDietrich

.ai/todo.md

@@ -0,0 +1,71 @@
+# Account Linking Plan
+
+## Problem
+Self-hosted GitLab (gitlab.lrz.de) has different emails than GitHub. Keycloak can't auto-link. Need custom UI.
+
+## Approach
+Backend generates link URLs via Keycloak's legacy broker link endpoint (KC 26.0). Frontend shows linked accounts in settings page.
+
+## Backend Changes
+
+### 1. New DTO: `LinkedAccountDTO.java` (in account package)
+```java
+public record LinkedAccountDTO(
+    String providerAlias,    // "github", "gitlab-lrz"
+    String providerName,     // "GitHub", "GitLab LRZ"
+    boolean connected,
+    @Nullable String linkedUsername
+) {}
+```
+
+### 2. New service: `LinkedAccountsService.java`
+- Inject `Keycloak`, `KeycloakProperties`
+- `getLinkedAccounts(keycloakUserId)`:
+  - Get federated identities via admin API
+  - Get available IdPs from realm config
+  - Return merged list with connected status
+- `buildLinkUrl(keycloakUserId, provider, redirectUri, token)`:
+  - Extract sessionState + azp from JWT
+  - Compute hash = Base64Url(SHA256(nonce + sessionState + clientId + provider))
+  - Return `{keycloakUrl}/realms/{realm}/broker/{provider}/link?client_id=...&redirect_uri=...&nonce=...&hash=...`
+- `unlinkAccount(keycloakUserId, provider)`:
+  - Remove federated identity via admin API
+  - Guard: count existing identities, reject if last one
+
+### 3. New endpoints on `AccountController.java`
+- `GET /user/linked-accounts` → List<LinkedAccountDTO>
+- `GET /user/linked-accounts/{provider}/link-url?redirectUri=...` → String (URL)
+- `DELETE /user/linked-accounts/{provider}` → 204
+
+## Frontend Changes
+
+### 4. New component: `LinkedAccountsSection.tsx`
+- Query `GET /user/linked-accounts`
+- Each provider card: icon + name + status + action button
+- Connected: username badge + "Disconnect" (with AlertDialog)
+- Not connected: "Connect" → fetches link URL → `window.location.href = url`
+- Guard: disable disconnect on last provider
+
+### 5. Modify `SettingsPage.tsx`
+- Add LinkedAccountsSection before AccountSection
+- Show when GitLab IdP is configured (from linked-accounts response having gitlab-lrz)
+
+### 6. Handle redirect callback in `settings.tsx`
+- After Keycloak broker link redirect, user returns to settings page
+- Show toast on success/error based on URL params
+
+## Files
+
+### New
+- `server/.../account/LinkedAccountDTO.java`
+- `server/.../account/LinkedAccountsService.java`
+- `webapp/src/components/settings/LinkedAccountsSection.tsx`
+
+### Modified
+- `server/.../account/AccountController.java` — 3 endpoints
+- `webapp/src/components/settings/SettingsPage.tsx` — add section
+- `webapp/src/routes/_authenticated/settings.tsx` — callback handling
+- Regenerate OpenAPI + API client
+
+## No feature flag
+Show linked accounts whenever multiple IdPs exist (detected from backend response).

docker/.env.example

@@ -38,6 +38,20 @@ KEYCLOAK_GITHUB_CLIENT_SECRET=
 # GitHub username that should receive Keycloak admin rights on first login
 KEYCLOAK_GITHUB_ADMIN_USERNAME=
 
+# Keycloak GitLab OIDC (for user login via GitLab)
+# Create OAuth Application at: https://gitlab.lrz.de/admin/applications
+# Required scopes: openid, profile, email
+# Redirect URI: https://<hostname>/keycloak/realms/hephaestus/broker/gitlab-lrz/endpoint
+KEYCLOAK_GITLAB_ENABLED=true
+KEYCLOAK_GITLAB_CLIENT_ID=
+KEYCLOAK_GITLAB_CLIENT_SECRET=
+
+# Base URL of the GitLab instance used for login (default: https://gitlab.lrz.de)
+# KEYCLOAK_GITLAB_BASE_URL=https://gitlab.lrz.de
+
+# GitLab username that should receive Keycloak admin rights on first login
+KEYCLOAK_GITLAB_ADMIN_USERNAME=
+
 # Client secret for the hephaestus-confidential client (used by application-server)
 # Generate with: openssl rand -base64 32
 KEYCLOAK_HEPHAESTUS_CONFIDENTIAL_CLIENT_SECRET=

docker/compose.core.yaml

@@ -68,7 +68,7 @@ services:
         max-file: "3"
 
   keycloak:
-    image: quay.io/keycloak/keycloak:26.0
+    image: quay.io/keycloak/keycloak:26.5
     restart: unless-stopped
     depends_on:
       keycloak-postgres:
@@ -99,6 +99,11 @@ services:
       - KEYCLOAK_GITHUB_CLIENT_ID=${KEYCLOAK_GITHUB_CLIENT_ID}
       - KEYCLOAK_GITHUB_CLIENT_SECRET=${KEYCLOAK_GITHUB_CLIENT_SECRET}
       - KEYCLOAK_GITHUB_ADMIN_USERNAME=${KEYCLOAK_GITHUB_ADMIN_USERNAME}
+      - KEYCLOAK_GITLAB_ENABLED=${KEYCLOAK_GITLAB_ENABLED:-false}
+      - KEYCLOAK_GITLAB_CLIENT_ID=${KEYCLOAK_GITLAB_CLIENT_ID}
+      - KEYCLOAK_GITLAB_CLIENT_SECRET=${KEYCLOAK_GITLAB_CLIENT_SECRET}
+      - KEYCLOAK_GITLAB_BASE_URL=${KEYCLOAK_GITLAB_BASE_URL:-https://gitlab.lrz.de}
+      - KEYCLOAK_GITLAB_ADMIN_USERNAME=${KEYCLOAK_GITLAB_ADMIN_USERNAME}
     labels:
       - "traefik.enable=true"
       - "traefik.http.middlewares.gzip.compress=true"
@@ -213,6 +218,44 @@ configs:
               "display.on.consent.screen": "false",
               "token.response.type.bearer.lower-case": "false"
             },
+            "protocolMappers": [
+              {
+                "name": "github_id",
+                "protocol": "openid-connect",
+                "protocolMapper": "oidc-usermodel-attribute-mapper",
+                "config": {
+                  "user.attribute": "github_id",
+                  "claim.name": "github_id",
+                  "id.token.claim": "true",
+                  "access.token.claim": "true",
+                  "jsonType.label": "long"
+                }
+              },
+              {
+                "name": "gitlab_id",
+                "protocol": "openid-connect",
+                "protocolMapper": "oidc-usermodel-attribute-mapper",
+                "config": {
+                  "user.attribute": "gitlab_id",
+                  "claim.name": "gitlab_id",
+                  "id.token.claim": "true",
+                  "access.token.claim": "true",
+                  "jsonType.label": "long"
+                }
+              },
+              {
+                "name": "identity_provider",
+                "protocol": "openid-connect",
+                "protocolMapper": "oidc-usersessionmodel-note-mapper",
+                "config": {
+                  "user.session.note": "identity_provider",
+                  "claim.name": "identity_provider",
+                  "id.token.claim": "true",
+                  "access.token.claim": "true",
+                  "jsonType.label": "String"
+                }
+              }
+            ],
             "authenticationFlowBindingOverrides": {},
             "fullScopeAllowed": true,
             "nodeReRegistrationTimeout": -1,
@@ -339,7 +382,7 @@ configs:
             "displayName": "GitHub",
             "providerId": "github",
             "enabled": true,
-            "updateProfileFirstLoginMode": "on",
+            "updateProfileFirstLoginMode": "off",
             "trustEmail": true,
             "storeToken": false,
             "addReadTokenRoleOnCreate": false,
@@ -352,6 +395,80 @@ configs:
               "clientId": "${KEYCLOAK_GITHUB_CLIENT_ID}",
               "guiOrder": "1"
             }
+          },
+          {
+            "alias": "gitlab-lrz",
+            "displayName": "GitLab LRZ",
+            "providerId": "oidc",
+            "enabled": ${KEYCLOAK_GITLAB_ENABLED:-false},
+            "updateProfileFirstLoginMode": "off",
+            "trustEmail": true,
+            "storeToken": false,
+            "addReadTokenRoleOnCreate": false,
+            "authenticateByDefault": false,
+            "linkOnly": false,
+            "hideOnLogin": false,
+            "firstBrokerLoginFlowAlias": "first broker login",
+            "config": {
+              "syncMode": "IMPORT",
+              "clientSecret": "${KEYCLOAK_GITLAB_CLIENT_SECRET}",
+              "clientId": "${KEYCLOAK_GITLAB_CLIENT_ID}",
+              "issuer": "${KEYCLOAK_GITLAB_BASE_URL}",
+              "authorizationUrl": "${KEYCLOAK_GITLAB_BASE_URL}/oauth/authorize",
+              "tokenUrl": "${KEYCLOAK_GITLAB_BASE_URL}/oauth/token",
+              "userInfoUrl": "${KEYCLOAK_GITLAB_BASE_URL}/oauth/userinfo",
+              "jwksUrl": "${KEYCLOAK_GITLAB_BASE_URL}/oauth/discovery/keys",
+              "logoutUrl": "",
+              "defaultScope": "openid profile email",
+              "validateSignature": "true",
+              "useJwksUrl": "true",
+              "guiOrder": "2",
+              "clientAuthMethod": "client_secret_post"
+            }
+          }
+        ],
+        "identityProviderMappers": [
+          {
+            "name": "github-id-attribute",
+            "identityProviderAlias": "github",
+            "identityProviderMapper": "github-user-attribute-mapper",
+            "config": {
+              "syncMode": "FORCE",
+              "jsonField": "id",
+              "userAttribute": "github_id"
+            }
+          },
+          {
+            "name": "gitlab-id-attribute",
+            "identityProviderAlias": "gitlab-lrz",
+            "identityProviderMapper": "oidc-user-attribute-idp-mapper",
+            "config": {
+              "syncMode": "FORCE",
+              "claim": "sub",
+              "user.attribute": "gitlab_id"
+            }
+          },
+          {
+            "name": "github-admin-realm-role",
+            "identityProviderAlias": "github",
+            "identityProviderMapper": "oidc-advanced-role-idp-mapper",
+            "config": {
+              "syncMode": "FORCE",
+              "claims": "[{\"key\":\"login\",\"value\":\"(?i)^${KEYCLOAK_GITHUB_ADMIN_USERNAME}$\"}]",
+              "are.claim.values.regex": "true",
+              "role": "admin"
+            }
+          },
+          {
+            "name": "gitlab-admin-realm-role",
+            "identityProviderAlias": "gitlab-lrz",
+            "identityProviderMapper": "oidc-advanced-role-idp-mapper",
+            "config": {
+              "syncMode": "FORCE",
+              "claims": "[{\"key\":\"preferred_username\",\"value\":\"(?i)^${KEYCLOAK_GITLAB_ADMIN_USERNAME}$\"}]",
+              "are.claim.values.regex": "true",
+              "role": "admin"
+            }
           }
         ],
         "roles" : {
@@ -434,10 +551,27 @@ configs:
                   "realm-management": [
                       "view-users",
                       "query-users",
-                      "manage-users"
+                      "manage-users",
+                      "view-identity-providers"
                   ]
               },
               "notBefore": 0,
               "groups": []
+          }],
+        "authenticatorConfig": [
+          {
+            "alias": "review profile config",
+            "config": {
+              "update.profile.on.first.login": "off"
+            }
+          }
+        ],
+        "components": {
+          "org.keycloak.userprofile.UserProfileProvider": [{
+            "providerId": "declarative-user-profile",
+            "config": {
+              "kc.user.profile.config": ["{\"attributes\":[{\"name\":\"username\",\"displayName\":\"${username}\",\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"validations\":{\"length\":{\"min\":3,\"max\":255},\"username-prohibited-characters\":{},\"up-username-not-idn-homograph\":{}}},{\"name\":\"email\",\"displayName\":\"${email}\",\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"validations\":{\"email\":{},\"length\":{\"max\":255}}},{\"name\":\"firstName\",\"displayName\":\"${firstName}\",\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"validations\":{\"length\":{\"max\":255}}},{\"name\":\"lastName\",\"displayName\":\"${lastName}\",\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"validations\":{\"length\":{\"max\":255}}}],\"groups\":[{\"name\":\"user-metadata\",\"displayHeader\":\"User metadata\",\"displayDescription\":\"Attributes, which refer to user metadata\"}]}"]
+            }
           }]
+        }
       }

docker/preview/compose.shared-infra.yaml

@@ -105,7 +105,7 @@ services:
   # Configure domain in Coolify UI: https://example.com/keycloak:8080
   # ---------------------------------------------------------------------------
   keycloak:
-    image: quay.io/keycloak/keycloak:26.0
+    image: quay.io/keycloak/keycloak:26.5
     restart: unless-stopped
     depends_on:
       keycloak-db:
@@ -286,7 +286,7 @@ configs:
             "displayName": "GitHub",
             "providerId": "github",
             "enabled": true,
-            "updateProfileFirstLoginMode": "on",
+            "updateProfileFirstLoginMode": "off",
             "trustEmail": true,
             "storeToken": false,
             "addReadTokenRoleOnCreate": false,
@@ -318,7 +318,23 @@ configs:
             "enabled": true,
             "serviceAccountClientId": "hephaestus-confidential",
             "realmRoles": ["default-roles-hephaestus"],
-            "clientRoles": {"realm-management": ["view-users", "query-users", "manage-users"]}
+            "clientRoles": {"realm-management": ["view-users", "query-users", "manage-users", "view-identity-providers"]}
           }
-        ]
+        ],
+        "authenticatorConfig": [
+          {
+            "alias": "review profile config",
+            "config": {
+              "update.profile.on.first.login": "off"
+            }
+          }
+        ],
+        "components": {
+          "org.keycloak.userprofile.UserProfileProvider": [{
+            "providerId": "declarative-user-profile",
+            "config": {
+              "kc.user.profile.config": ["{\"attributes\":[{\"name\":\"username\",\"displayName\":\"${username}\",\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"validations\":{\"length\":{\"min\":3,\"max\":255},\"username-prohibited-characters\":{},\"up-username-not-idn-homograph\":{}}},{\"name\":\"email\",\"displayName\":\"${email}\",\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"validations\":{\"email\":{},\"length\":{\"max\":255}}},{\"name\":\"firstName\",\"displayName\":\"${firstName}\",\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"validations\":{\"length\":{\"max\":255}}},{\"name\":\"lastName\",\"displayName\":\"${lastName}\",\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"validations\":{\"length\":{\"max\":255}}}],\"groups\":[{\"name\":\"user-metadata\",\"displayHeader\":\"User metadata\",\"displayDescription\":\"Attributes, which refer to user metadata\"}]}"]
+            }
+          }]
+        }
       }

server/application-server/.env.example

@@ -53,5 +53,24 @@ KEYCLOAK_GITHUB_ADMIN_USERNAME=replace-with-github-username-with-admin-access
 # For PRODUCTION: Generate a secure random secret and update both this file and Keycloak.
 KEYCLOAK_CLIENT_SECRET=hephaestus-dev-secret
 
+# =============================================================================
+# GITLAB IDENTITY PROVIDER (optional)
+# =============================================================================
+# To enable GitLab LRZ login alongside GitHub:
+#
+# 1. Create an OAuth application on your GitLab instance
+#    (e.g. https://gitlab.lrz.de/-/user_settings/applications) with:
+#      - Redirect URI: http://localhost:8081/realms/hephaestus/broker/gitlab-lrz/endpoint
+#        (replace 8081 with your KEYCLOAK_PORT if overridden)
+#      - Scopes: openid, profile, email
+# 2. Uncomment and fill in the values below
+# 3. Run `docker compose down -v && mvn spring-boot:run` to re-import the realm
+#
+#KEYCLOAK_GITLAB_ENABLED=true
+#KEYCLOAK_GITLAB_BASE_URL=https://gitlab.lrz.de
+#KEYCLOAK_GITLAB_CLIENT_ID=replace-with-gitlab-client-id
+#KEYCLOAK_GITLAB_CLIENT_SECRET=replace-with-gitlab-client-secret
+#KEYCLOAK_GITLAB_ADMIN_USERNAME=replace-with-gitlab-username-with-admin-access
+
 # GITHUB_PAT for GitHub API authentication (as alternative for env variable)
 #GITHUB_PAT=replace-with-github-pat

server/application-server/compose.yaml

@@ -18,14 +18,20 @@ services:
       - ./postgres-data:/var/lib/postgresql/data
 
   keycloak:
-    image: quay.io/keycloak/keycloak:26.0.0
+    image: quay.io/keycloak/keycloak:26.5
     environment:
       KC_BOOTSTRAP_ADMIN_USERNAME: admin
       KC_BOOTSTRAP_ADMIN_PASSWORD: admin
       # GitHub OAuth credentials for identity provider (resolved by Keycloak during realm import)
       KEYCLOAK_GITHUB_CLIENT_ID: '${KEYCLOAK_GITHUB_CLIENT_ID:?Set GitHub OAuth client ID}'
       KEYCLOAK_GITHUB_CLIENT_SECRET: '${KEYCLOAK_GITHUB_CLIENT_SECRET:?Set GitHub OAuth client secret}'
       KEYCLOAK_GITHUB_ADMIN_USERNAME: '${KEYCLOAK_GITHUB_ADMIN_USERNAME:?Set GitHub admin username}'
+      # GitLab OAuth credentials (optional — IdP is disabled by default)
+      KEYCLOAK_GITLAB_ENABLED: '${KEYCLOAK_GITLAB_ENABLED:-false}'
+      KEYCLOAK_GITLAB_CLIENT_ID: '${KEYCLOAK_GITLAB_CLIENT_ID:-unused}'
+      KEYCLOAK_GITLAB_CLIENT_SECRET: '${KEYCLOAK_GITLAB_CLIENT_SECRET:-unused}'
+      KEYCLOAK_GITLAB_BASE_URL: '${KEYCLOAK_GITLAB_BASE_URL:-https://gitlab.example.com}'
+      KEYCLOAK_GITLAB_ADMIN_USERNAME: '${KEYCLOAK_GITLAB_ADMIN_USERNAME:-unused}'
       # Confidential client secret - must match what the application server uses
       # Default: hephaestus-dev-secret (for local development only)
       KEYCLOAK_CONFIDENTIAL_CLIENT_SECRET: '${KEYCLOAK_CLIENT_SECRET:-hephaestus-dev-secret}'