cameleer/cameleer-server
1
0
Fork 0
Code Issues 41 Pull Requests Actions Packages Projects Releases Wiki Activity

Move OIDC config from env vars to database with admin API
All checks were successful
CI / build (push) Successful in 1m9s
Details
CI / docker (push) Successful in 41s
Details
CI / deploy (push) Successful in 2m11s
Details

Browse Source 
OIDC provider settings (issuer, client ID/secret, roles claim) are
now stored in ClickHouse and managed via admin REST API at
/api/v1/admin/oidc. This allows runtime configuration from the UI
without server restarts.

- New oidc_config table (ReplacingMergeTree, singleton row)
- OidcConfig record + OidcConfigRepository interface in core
- ClickHouseOidcConfigRepository implementation
- OidcConfigAdminController: GET/PUT/DELETE config, POST test
  connectivity, client_secret masked in responses
- OidcTokenExchanger: reads config from DB, invalidateCache()
  on config change
- OidcAuthController: always registered (no @ConditionalOnProperty),
  returns 404 when OIDC not configured
- Startup seeder: env vars seed DB on first boot only, then admin
  API takes over
- HOWTO.md updated with admin OIDC config API examples

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
hsiegeln
2026-03-14 13:00:13 +01:00
parent a1e1c8f6ff
commit 9d2e6f30a7
12 changed files with 436 additions and 69 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
cameleer3-server-core/src/main/java/com/cameleer3/server/core/security/OidcConfig.java Normal file
View File

@@ -0,0 +1,26 @@
package com.cameleer3.server.core.security;
import java.util.List;
/**
* Persisted OIDC provider configuration.
*
* @param enabled whether OIDC login is active
* @param issuerUri OIDC discovery issuer URL
* @param clientId OAuth2 client ID
* @param clientSecret OAuth2 client secret (stored server-side only)
* @param rolesClaim dot-separated path to roles in the id_token (e.g. {@code realm_access.roles})
* @param defaultRoles fallback roles for new users with no OIDC role claim
*/
public record OidcConfig(
boolean enabled,
String issuerUri,
String clientId,
String clientSecret,
String rolesClaim,
List<String> defaultRoles
) {
public static OidcConfig disabled() {
return new OidcConfig(false, "", "", "", "realm_access.roles", List.of("VIEWER"));
}
}

16
cameleer3-server-core/src/main/java/com/cameleer3/server/core/security/OidcConfigRepository.java Normal file
View File

@@ -0,0 +1,16 @@
package com.cameleer3.server.core.security;
import java.util.Optional;
/**
* Persistence interface for OIDC provider configuration.
* Only one configuration is active at a time (singleton row).
*/
public interface OidcConfigRepository {
Optional<OidcConfig> find();
void save(OidcConfig config);
void delete();
}