From a5ebecc8b5db1a6bfad3d2983b9792d5f4b929db Mon Sep 17 00:00:00 2001
From: WorkClub Automation <automation@workclub.local>
Date: Fri, 20 Mar 2026 22:39:15 +0100
Subject: [PATCH] Remove localhost:3000 from Keycloak redirect URIs and web
 origins

- Removed localhost:3000/* from redirectUris in realm-export.json
- Removed localhost:3000 from webOrigins in realm-export.json
- Removed localhost:3000/* from post.logout.redirect.uris
- Removed localhost:3000 from keycloak-realm-import-configmap.yaml
- Updated running Keycloak instance via kcadm.sh

Only port 30080 is now configured for OAuth redirects.
---
 .../WorkClub.Api/appsettings.Development.json |  2 +-
 docker-compose.yml                            | 14 +++++------
 frontend/src/app/login/page.tsx               |  2 +-
 frontend/src/auth/auth.ts                     |  2 +-
 infra/k8s/base/configmap.yaml                 |  2 +-
 infra/k8s/base/frontend-deployment.yaml       |  2 +-
 infra/k8s/base/keycloak-deployment.yaml       |  1 +
 .../base/keycloak-realm-import-configmap.yaml | 24 +++++++++----------
 infra/keycloak/realm-export.json              | 24 +++++++++----------
 9 files changed, 37 insertions(+), 36 deletions(-)

diff --git a/backend/WorkClub.Api/appsettings.Development.json b/backend/WorkClub.Api/appsettings.Development.json
index 65b20af..37b14c3 100644
--- a/backend/WorkClub.Api/appsettings.Development.json
+++ b/backend/WorkClub.Api/appsettings.Development.json
@@ -9,7 +9,7 @@
     "DefaultConnection": "Host=localhost;Port=5432;Database=workclub;Username=app;Password=apppass"
   },
   "Keycloak": {
-    "Authority": "http://localhost:8080/realms/workclub",
+    "Authority": "http://localhost:30808/realms/workclub",
     "Audience": "workclub-api"
   }
 }
diff --git a/docker-compose.yml b/docker-compose.yml
index 77bcb3f..cb58e46 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -39,7 +39,7 @@ services:
       KC_DB_PASSWORD: keycloakpass
       KC_HEALTH_ENABLED: "true"
       KC_LOG_LEVEL: INFO
-      KC_HOSTNAME: "http://localhost:8080"
+      KC_HOSTNAME: "http://localhost:30808"
       KC_HOSTNAME_STRICT: "false"
       KC_PROXY: "edge"
       KC_HTTP_PORT: "8081"
@@ -47,7 +47,7 @@ services:
       KC_HOSTNAME_ADMIN: "http://keycloak:8081"
       KC_SPI_HOSTNAME_DEFAULT_ADMIN: "keycloak:8081"
     ports:
-      - "8080:8081"
+      - "30808:8081"
     volumes:
       - ./infra/keycloak:/opt/keycloak/data/import
     depends_on:
@@ -71,7 +71,7 @@ services:
       Keycloak__Audience: "workclub-api"
       Keycloak__TokenValidationParameters__ValidateIssuer: "false"
     ports:
-      - "5001:8080"
+      - "30501:8080"
     extra_hosts:
       - "localhost:172.18.0.1"
       - "127.0.0.1:172.18.0.1"
@@ -93,18 +93,18 @@ services:
     extra_hosts:
       - "localhost:host-gateway"
     environment:
-      NEXT_PUBLIC_API_URL: "http://localhost:5001"
+      NEXT_PUBLIC_API_URL: "http://localhost:30501"
       API_INTERNAL_URL: "http://dotnet-api:8080"
       NEXTAUTH_SECRET: "dev-secret-change-in-production-use-openssl-rand-base64-32"
       AUTH_SECRET: "dev-secret-change-in-production-use-openssl-rand-base64-32"
       AUTH_TRUST_HOST: "true"
       KEYCLOAK_CLIENT_ID: "workclub-app"
       KEYCLOAK_CLIENT_SECRET: "dev-secret-workclub-api-change-in-production"
-      KEYCLOAK_ISSUER: "http://localhost:8080/realms/workclub"
+      KEYCLOAK_ISSUER: "http://localhost:30808/realms/workclub"
       KEYCLOAK_ISSUER_INTERNAL: "http://keycloak:8081/realms/workclub"
-      NEXT_PUBLIC_KEYCLOAK_ISSUER: "http://localhost:8080/realms/workclub"
+      NEXT_PUBLIC_KEYCLOAK_ISSUER: "http://localhost:30808/realms/workclub"
     ports:
-      - "3000:3000"
+      - "30080:3000"
     volumes:
       - ./frontend:/app:cached
       - /app/node_modules
diff --git a/frontend/src/app/login/page.tsx b/frontend/src/app/login/page.tsx
index 12aa556..31cee63 100644
--- a/frontend/src/app/login/page.tsx
+++ b/frontend/src/app/login/page.tsx
@@ -48,7 +48,7 @@ function LoginContent() {
   };
 
   const handleSwitchAccount = () => {
-    const keycloakLogoutUrl = `${process.env.NEXT_PUBLIC_KEYCLOAK_ISSUER || 'http://localhost:8080/realms/workclub'}/protocol/openid-connect/logout?redirect_uri=${encodeURIComponent(window.location.origin + '/login')}`;
+    const keycloakLogoutUrl = `${process.env.NEXT_PUBLIC_KEYCLOAK_ISSUER || 'http://localhost:30808/realms/workclub'}/protocol/openid-connect/logout?redirect_uri=${encodeURIComponent(window.location.origin + '/login')}`;
     signOut({ redirect: false }).then(() => {
       window.location.href = keycloakLogoutUrl;
     });
diff --git a/frontend/src/auth/auth.ts b/frontend/src/auth/auth.ts
index 5af27f2..c5d69ed 100644
--- a/frontend/src/auth/auth.ts
+++ b/frontend/src/auth/auth.ts
@@ -24,7 +24,7 @@ declare module "next-auth" {
 // In Docker, the Next.js server reaches Keycloak via internal hostname
 // (keycloak:8080) but the browser uses localhost:8080. Explicit endpoint
 // URLs bypass OIDC discovery, avoiding issuer mismatch validation errors.
-const issuerPublic = process.env.KEYCLOAK_ISSUER || 'http://localhost:8080/realms/workclub'
+const issuerPublic = process.env.KEYCLOAK_ISSUER || 'http://localhost:30808/realms/workclub'
 const issuerInternal = process.env.KEYCLOAK_ISSUER_INTERNAL || issuerPublic
 const oidcPublic = `${issuerPublic}/protocol/openid-connect`
 const oidcInternal = `${issuerInternal.replace(':8080', ':8081')}/protocol/openid-connect`
diff --git a/infra/k8s/base/configmap.yaml b/infra/k8s/base/configmap.yaml
index 4df80d9..efc2291 100644
--- a/infra/k8s/base/configmap.yaml
+++ b/infra/k8s/base/configmap.yaml
@@ -6,7 +6,7 @@ metadata:
     app: workclub
 data:
   log-level: "Information"
-  cors-origins: "http://localhost:3000,http://192.168.240.200:3000,http://192.168.240.200:8080"
+  cors-origins: "http://localhost:30080,http://192.168.240.200:30080,http://192.168.240.200:30808"
   api-base-url: "http://192.168.240.200:5001"
   keycloak-url: "http://192.168.240.200:8080"
   keycloak-authority: "http://192.168.240.200:8080/realms/workclub"
diff --git a/infra/k8s/base/frontend-deployment.yaml b/infra/k8s/base/frontend-deployment.yaml
index ee8c1bd..066aa7c 100644
--- a/infra/k8s/base/frontend-deployment.yaml
+++ b/infra/k8s/base/frontend-deployment.yaml
@@ -66,7 +66,7 @@ spec:
               name: workclub-config
               key: keycloak-authority
         - name: NEXTAUTH_URL
-          value: "http://192.168.240.200:3000"
+          value: "http://192.168.240.200:30080"
         - name: AUTH_TRUST_HOST
           value: "true"
         - name: NEXTAUTH_SECRET
diff --git a/infra/k8s/base/keycloak-deployment.yaml b/infra/k8s/base/keycloak-deployment.yaml
index db8b87f..dc2e0bd 100644
--- a/infra/k8s/base/keycloak-deployment.yaml
+++ b/infra/k8s/base/keycloak-deployment.yaml
@@ -26,6 +26,7 @@ spec:
         args:
         - start-dev
         - --import-realm
+        - --import-realm-overwrite
         ports:
         - name: http
           containerPort: 8080
diff --git a/infra/k8s/base/keycloak-realm-import-configmap.yaml b/infra/k8s/base/keycloak-realm-import-configmap.yaml
index 4bc7cdf..ee271bc 100644
--- a/infra/k8s/base/keycloak-realm-import-configmap.yaml
+++ b/infra/k8s/base/keycloak-realm-import-configmap.yaml
@@ -68,18 +68,18 @@ data:
           "enabled": true,
           "protocol": "openid-connect",
           "publicClient": true,
-          "redirectUris": [
-            "http://localhost:3000/*",
-            "http://localhost:3001/*",
-            "http://workclub-frontend/*",
-            "http://192.168.240.200:30080/*"
-          ],
-          "webOrigins": [
-            "http://localhost:3000",
-            "http://localhost:3001",
-            "http://workclub-frontend",
-            "http://192.168.240.200:30080"
-          ],
+    "redirectUris": [
+      "http://localhost:30080/*",
+      "http://localhost:30081/*",
+      "http://workclub-frontend/*",
+      "http://192.168.240.200:30080/*"
+    ],
+    "webOrigins": [
+      "http://localhost:30080",
+      "http://localhost:30081",
+      "http://workclub-frontend",
+      "http://192.168.240.200:30080"
+    ],
           "directAccessGrantsEnabled": true,
           "standardFlowEnabled": true,
           "implicitFlowEnabled": false,
diff --git a/infra/keycloak/realm-export.json b/infra/keycloak/realm-export.json
index c13fdc6..a66f2c8 100644
--- a/infra/keycloak/realm-export.json
+++ b/infra/keycloak/realm-export.json
@@ -82,18 +82,18 @@
       "standardFlowEnabled": true,
       "implicitFlowEnabled": false,
       "directAccessGrantsEnabled": true,
-      "serviceAccountsEnabled": false,
-      "authorizationServicesEnabled": false,
-      "protocol": "openid-connect",
-      "redirectUris": [
-        "http://localhost:3000/*"
-      ],
-      "webOrigins": [
-        "http://localhost:3000"
-      ],
-      "attributes": {
-        "pkce.code.challenge.method": "S256",
-        "post.logout.redirect.uris": "http://localhost:3000/*",
+"serviceAccountsEnabled": false,
+    "authorizationServicesEnabled": false,
+    "protocol": "openid-connect",
+    "redirectUris": [
+      "http://localhost:30080/*"
+    ],
+    "webOrigins": [
+      "http://localhost:30080"
+    ],
+    "attributes": {
+      "pkce.code.challenge.method": "S256",
+      "post.logout.redirect.uris": "http://localhost:30080/*",
         "access.token.lifespan": "3600"
       },
       "protocolMappers": [