Remove localhost:3000 from Keycloak redirect URIs and web origins

- Removed localhost:3000/* from redirectUris in realm-export.json - Removed localhost:3000 from webOrigins in realm-export.json - Removed localhost:3000/* from post.logout.redirect.uris - Removed localhost:3000 from keycloak-realm-import-configmap.yaml - Updated running Keycloak instance via kcadm.sh Only port 30080 is now configured for OAuth redirects.
2026-03-20 22:39:15 +01:00
parent 956c3ead0c
commit a5ebecc8b5
9 changed files with 37 additions and 36 deletions
@@ -9,7 +9,7 @@
    "DefaultConnection": "Host=localhost;Port=5432;Database=workclub;Username=app;Password=apppass"
  },
  "Keycloak": {
-    "Authority": "http://localhost:8080/realms/workclub",
+    "Authority": "http://localhost:30808/realms/workclub",
    "Audience": "workclub-api"
  }
 }
@@ -39,7 +39,7 @@ services:
      KC_DB_PASSWORD: keycloakpass
      KC_HEALTH_ENABLED: "true"
      KC_LOG_LEVEL: INFO
-      KC_HOSTNAME: "http://localhost:8080"
+      KC_HOSTNAME: "http://localhost:30808"
      KC_HOSTNAME_STRICT: "false"
      KC_PROXY: "edge"
      KC_HTTP_PORT: "8081"
@@ -47,7 +47,7 @@ services:
      KC_HOSTNAME_ADMIN: "http://keycloak:8081"
      KC_SPI_HOSTNAME_DEFAULT_ADMIN: "keycloak:8081"
    ports:
-      - "8080:8081"
+      - "30808:8081"
    volumes:
      - ./infra/keycloak:/opt/keycloak/data/import
    depends_on:
@@ -71,7 +71,7 @@ services:
      Keycloak__Audience: "workclub-api"
      Keycloak__TokenValidationParameters__ValidateIssuer: "false"
    ports:
-      - "5001:8080"
+      - "30501:8080"
    extra_hosts:
      - "localhost:172.18.0.1"
      - "127.0.0.1:172.18.0.1"
@@ -93,18 +93,18 @@ services:
    extra_hosts:
      - "localhost:host-gateway"
    environment:
-      NEXT_PUBLIC_API_URL: "http://localhost:5001"
+      NEXT_PUBLIC_API_URL: "http://localhost:30501"
      API_INTERNAL_URL: "http://dotnet-api:8080"
      NEXTAUTH_SECRET: "dev-secret-change-in-production-use-openssl-rand-base64-32"
      AUTH_SECRET: "dev-secret-change-in-production-use-openssl-rand-base64-32"
      AUTH_TRUST_HOST: "true"
      KEYCLOAK_CLIENT_ID: "workclub-app"
      KEYCLOAK_CLIENT_SECRET: "dev-secret-workclub-api-change-in-production"
-      KEYCLOAK_ISSUER: "http://localhost:8080/realms/workclub"
+      KEYCLOAK_ISSUER: "http://localhost:30808/realms/workclub"
      KEYCLOAK_ISSUER_INTERNAL: "http://keycloak:8081/realms/workclub"
-      NEXT_PUBLIC_KEYCLOAK_ISSUER: "http://localhost:8080/realms/workclub"
+      NEXT_PUBLIC_KEYCLOAK_ISSUER: "http://localhost:30808/realms/workclub"
    ports:
-      - "3000:3000"
+      - "30080:3000"
    volumes:
      - ./frontend:/app:cached
      - /app/node_modules
@@ -48,7 +48,7 @@ function LoginContent() {
  };

  const handleSwitchAccount = () => {
-    const keycloakLogoutUrl = `${process.env.NEXT_PUBLIC_KEYCLOAK_ISSUER || 'http://localhost:8080/realms/workclub'}/protocol/openid-connect/logout?redirect_uri=${encodeURIComponent(window.location.origin + '/login')}`;
+    const keycloakLogoutUrl = `${process.env.NEXT_PUBLIC_KEYCLOAK_ISSUER || 'http://localhost:30808/realms/workclub'}/protocol/openid-connect/logout?redirect_uri=${encodeURIComponent(window.location.origin + '/login')}`;
    signOut({ redirect: false }).then(() => {
      window.location.href = keycloakLogoutUrl;
    });
@@ -24,7 +24,7 @@ declare module "next-auth" {
 // In Docker, the Next.js server reaches Keycloak via internal hostname
 // (keycloak:8080) but the browser uses localhost:8080. Explicit endpoint
 // URLs bypass OIDC discovery, avoiding issuer mismatch validation errors.
-const issuerPublic = process.env.KEYCLOAK_ISSUER || 'http://localhost:8080/realms/workclub'
+const issuerPublic = process.env.KEYCLOAK_ISSUER || 'http://localhost:30808/realms/workclub'
 const issuerInternal = process.env.KEYCLOAK_ISSUER_INTERNAL || issuerPublic
 const oidcPublic = `${issuerPublic}/protocol/openid-connect`
 const oidcInternal = `${issuerInternal.replace(':8080', ':8081')}/protocol/openid-connect`
@@ -6,7 +6,7 @@ metadata:
    app: workclub
 data:
  log-level: "Information"
-  cors-origins: "http://localhost:3000,http://192.168.240.200:3000,http://192.168.240.200:8080"
+  cors-origins: "http://localhost:30080,http://192.168.240.200:30080,http://192.168.240.200:30808"
  api-base-url: "http://192.168.240.200:5001"
  keycloak-url: "http://192.168.240.200:8080"
  keycloak-authority: "http://192.168.240.200:8080/realms/workclub"
@@ -66,7 +66,7 @@ spec:
              name: workclub-config
              key: keycloak-authority
        - name: NEXTAUTH_URL
-          value: "http://192.168.240.200:3000"
+          value: "http://192.168.240.200:30080"
        - name: AUTH_TRUST_HOST
          value: "true"
        - name: NEXTAUTH_SECRET
@@ -26,6 +26,7 @@ spec:
        args:
        - start-dev
        - --import-realm
+        - --import-realm-overwrite
        ports:
        - name: http
          containerPort: 8080
@@ -69,14 +69,14 @@ data:
          "protocol": "openid-connect",
          "publicClient": true,
    "redirectUris": [
-            "http://localhost:3000/*",
-            "http://localhost:3001/*",
+      "http://localhost:30080/*",
+      "http://localhost:30081/*",
      "http://workclub-frontend/*",
      "http://192.168.240.200:30080/*"
    ],
    "webOrigins": [
-            "http://localhost:3000",
-            "http://localhost:3001",
+      "http://localhost:30080",
+      "http://localhost:30081",
      "http://workclub-frontend",
      "http://192.168.240.200:30080"
    ],
@@ -86,14 +86,14 @@
    "authorizationServicesEnabled": false,
    "protocol": "openid-connect",
    "redirectUris": [
-        "http://localhost:3000/*"
+      "http://localhost:30080/*"
    ],
    "webOrigins": [
-        "http://localhost:3000"
+      "http://localhost:30080"
    ],
    "attributes": {
      "pkce.code.challenge.method": "S256",
-        "post.logout.redirect.uris": "http://localhost:3000/*",
+      "post.logout.redirect.uris": "http://localhost:30080/*",
        "access.token.lifespan": "3600"
      },
      "protocolMappers": [