started on adding openid login

2026-01-28 12:13:04 -05:00
parent c6ff651f21
commit e03b291ca6
8 changed files with 191 additions and 47 deletions
--- a/app/api/auth/[...nextauth]/route.ts
+++ b/app/api/auth/[...nextauth]/route.ts
@@ -1,5 +1,6 @@
 import NextAuth, { type NextAuthOptions } from 'next-auth'
 import CredentialsProvider from 'next-auth/providers/credentials'
+import KeycloakProvider from 'next-auth/providers/keycloak'
 import { PrismaClient } from '@prisma/client'
 import bcrypt from 'bcrypt'

@@ -44,6 +45,31 @@ export const authOptions: NextAuthOptions = {
        }
      },
    }),
+    ...(process.env.OIDC_CLIENT_ID && process.env.OIDC_CLIENT_SECRET && process.env.OIDC_ISSUER 
+      ? [
+          {
+            id: 'oidc',
+            name: process.env.OIDC_PROVIDER_NAME || 'PocketID',
+            type: 'oauth' as const, // Use const assertion here
+            wellKnown: `${process.env.OIDC_ISSUER}/.well-known/openid-configuration`,
+            authorization: { params: { scope: 'openid email profile' } },
+            clientId: process.env.OIDC_CLIENT_ID,
+            clientSecret: process.env.OIDC_CLIENT_SECRET,
+            idToken: true,
+            checks: ['pkce', 'state'] as any,
+            profile(profile: any) {
+              return {
+                id: profile.sub,
+                name: profile.name || profile.preferred_username || profile.email,
+                email: profile.email,
+                image: profile.picture,
+                role: mapPocketIDRoleToAppRole(profile),
+              }
+            },
+          } as any
+        ]
+      : []
+    ),
  ],
  session: {
    strategy: 'jwt',
@@ -69,5 +95,21 @@ export const authOptions: NextAuthOptions = {
  secret: process.env.NEXTAUTH_SECRET,
 }

+function mapPocketIDRoleToAppRole(profile: any): "COUPLE" | "PLANNER" | "GUEST" {
+  const roles = profile.roles || 
+                profile.groups || 
+                profile.realm_access?.roles || 
+                profile.resource_access?.[process.env.OIDC_CLIENT_ID || '']?.roles || 
+                []
+  
+  if (roles.includes('admin') || roles.includes('planner')) {
+    return 'PLANNER'
+  } else if (roles.includes('couple') || roles.includes('user')) {
+    return 'COUPLE'
+  } else {
+    return 'GUEST'
+  }
+}
+
 const handler = NextAuth(authOptions)
 export { handler as GET, handler as POST }