
Keycloak SPI for Builtin Users Authentication#11193

Merged
ofahimIQSS merged 88 commits into develop from 11157-builtin-users-oidc-auth
Apr 9, 2025

Conversation

@GPortas
Contributor

@GPortas GPortas commented Jan 28, 2025

What this PR does / why we need it:

This PR implements changes to enable authentication with OIDC using Dataverse Builtin users. A User Storage SPI has been implemented in Keycloak to access the Dataverse database.

AuthenticationServiceBean

Introduced a new feature flag, API_BEARER_AUTH_USE_BUILTIN_USER_ON_ID_MATCH, which enables a new behavior in the lookupUserByOIDCBearerToken method. This behavior first checks whether the username from the bearer token belongs to a built-in user in AuthenticatedUser before querying AuthenticatedUserLookup.

For tokens issued by Keycloak for users authenticated through the SPI, impersonation is not a concern since these users are directly linked. However, as we currently do not differentiate tokens based on the IdP they originate from, this new behavior could lead to impersonation issues. To mitigate this risk, the feature flag has been introduced, along with docs explaining the risk.

In a future iteration, this implementation could be evolved to better handle impersonation issues, potentially removing the feature flag if necessary.

SPI

The SPI implementation follows the Keycloak User Storage SPI documentation.

Installation and containers

A custom Keycloak Docker image has been created using a new Dockerfile that builds the SPI Maven artifact and installs it in Keycloak. Currently, the artifact is not pushed to any Maven registry, but this could be done in a future iteration to simplify installation in Keycloak instances. The image is used directly from docker-compose-dev, along with a new keycloak-initializer container that configures the SPI in the test realm, as no option was found to configure it through test-realm.json parameters.

Could we publish this image in the GDCC GitHub registry to enable its use in other development environments, such as dataverse-frontend? I would appreciate some assistance with this step to successfully register the image in the GDCC registry.

Which issue(s) this PR closes:

Special notes for your reviewer:

This PR is part of an incremental development process. We still need to better understand how to manage duplicate accounts for the same user across multiple identity providers, as well as potential impersonation issues. For now, and before moving further in that direction, I believe it is valuable to review the current implementation and merge it if no objections are found. There should be no risks of merging this PR, as the associated logic is only activated through a feature flag.

To use the implemented mechanism in the beta environment, we will need to configure a remote Keycloak instance.

Suggestions on how to test this:

Run the containerized environment by using the docker-compose-dev.yml file present in /conf/keycloak

Once the containers are up and running:

curl -X POST \
  http://localhost:8090/realms/test/protocol/openid-connect/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_id=test" \
  -d "client_secret=94XHrfNRwXsjqTqApRrwWmhDLDHpIYV8" \
  -d "grant_type=password" \
  -d "username=dataverseAdmin" \
  -d "password=admin1" \
  -d "scope=openid"

You should be able to successfully obtain the OIDC tokens.

You can also create a different builtin user and test the same login call for its associated credentials.

Does this PR introduce a user interface change? If mockups are available, please link/include them here:

No

Is there a release notes update needed for this change?:

Yes, attached.

Additional documentation:

https://www.keycloak.org/docs/latest/server_development/index.html#_user-storage-spi
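The lookup order described in the PR description above, as an added example in Python that is not Dataverse's or Keycloak's code: it models `lookupUserByOIDCBearerToken` under the `API_BEARER_AUTH_USE_BUILTIN_USER_ON_ID_MATCH` flag and shows the impersonation path the description warns about, where a user at a different, trusted OIDC provider who chose the username `dataverseAdmin` resolves to the builtin admin account. The unsigned tokens, the in-memory tables, the issuer URLs and the `trusted_builtin_issuers` parameter (an issuer allow-list of the kind a later iteration could add; it is not part of this PR) are assumptions made for illustration.

```python
"""Model of builtin-user resolution from an OIDC bearer token.

Added illustration, not Dataverse or Keycloak code. Tokens are constructed and
unsigned; in a real deployment the signature must already have been verified
against the issuer's JWKS before any user lookup happens.
"""
import base64
import json
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(iss: str, preferred_username: str, sub: str) -> str:
    """Build a constructed, unsigned JWT carrying only the claims used below."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(
        {"iss": iss, "preferred_username": preferred_username, "sub": sub}).encode())
    return f"{header}.{payload}."


def decode_payload(token: str) -> dict:
    """Read the payload segment of a JWT (no signature check; see module docstring)."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


# Hypothetical tables. BUILTIN_USERS stands in for AuthenticatedUser rows backed
# by builtin (password) accounts; AUTH_USER_LOOKUP stands in for
# AuthenticatedUserLookup, keyed here by (issuer, persistent subject id).
KEYCLOAK_ISS = "http://localhost:8090/realms/test"   # the SPI-backed realm
OTHER_ISS = "https://idp.example.org"                # another trusted OIDC provider
BUILTIN_USERS = {"dataverseAdmin": "builtin:dataverseAdmin"}
AUTH_USER_LOOKUP = {(OTHER_ISS, "sub-9f3"): "linked:user42"}


def lookup_user(token: str, use_builtin_on_id_match: bool,
                trusted_builtin_issuers: Optional[set] = None):
    """Return the account a bearer token resolves to, or None.

    use_builtin_on_id_match models API_BEARER_AUTH_USE_BUILTIN_USER_ON_ID_MATCH:
    when set, a username match against a builtin account wins before the
    AuthenticatedUserLookup query. trusted_builtin_issuers is an assumed
    mitigation, not in the PR: restrict the username shortcut to tokens from
    issuers whose users really are the builtin accounts (the Keycloak SPI realm).
    """
    claims = decode_payload(token)
    if use_builtin_on_id_match:
        issuer_ok = (trusted_builtin_issuers is None
                     or claims["iss"] in trusted_builtin_issuers)
        if issuer_ok and claims["preferred_username"] in BUILTIN_USERS:
            return BUILTIN_USERS[claims["preferred_username"]]
    return AUTH_USER_LOOKUP.get((claims["iss"], claims["sub"]))


def scenario() -> dict:
    """Resolve an SPI-backed token and a same-username token from another IdP
    under the flag off, the flag on, and the flag on with an issuer allow-list."""
    spi_token = make_token(KEYCLOAK_ISS, "dataverseAdmin", "f:spi:dataverseAdmin")
    rogue_token = make_token(OTHER_ISS, "dataverseAdmin", "sub-9f3")
    return {
        "flag_off": (lookup_user(spi_token, False), lookup_user(rogue_token, False)),
        "flag_on": (lookup_user(spi_token, True), lookup_user(rogue_token, True)),
        "flag_on_issuer_check": (
            lookup_user(spi_token, True, {KEYCLOAK_ISS}),
            lookup_user(rogue_token, True, {KEYCLOAK_ISS}),
        ),
    }


if __name__ == "__main__":
    for name, (spi, rogue) in scenario().items():
        print(f"{name:22s} SPI token -> {spi!s:24s} other-IdP token -> {rogue}")
```

With the flag off the SPI-backed token resolves to nothing (no link row exists for it), which is the situation the PR fixes; with the flag on both tokens resolve to the builtin admin, which is the impersonation risk the description calls out; restricting the username shortcut to the SPI realm's issuer keeps the fix while sending the other provider's user to its own linked account.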

@coveralls

coveralls commented Jan 28, 2025

Coverage Status

coverage: 23.006% (+0.3%) from 22.729%
when pulling e52b5af on 11157-builtin-users-oidc-auth
into 6e08455 on develop.


@ofahimIQSS
Contributor

ofahimIQSS commented Apr 3, 2025

Hello, when I build the environment using the docker-compose-yml file, I get an error at the end that says:

[+] Running 0/0
[+] Running 0/1keycloak Building 0.1s
⠹ Service dev_keycloak Building 0.2s
unable to prepare context: path "/Users/omerfahim/github/dataverse/conf/keycloak/conf/keycloak" not found


@GPortas
Contributor Author

GPortas commented Apr 4, 2025

@ofahimIQSS Can you try it now please? I just pushed a fix.


@ofahimIQSS
Contributor

ofahimIQSS commented Apr 7, 2025

Getting a different error now:
dev_keycloak | 2025-04-07 14:41:41,158 WARN [org.keycloak.events] (executor-thread-1) type="LOGIN_ERROR", realmId="f537ad01-5203-4542-a10e-17211368d32c", realmName="master", clientId="security-admin-console", userId="null", ipAddress="172.18.0.1", error="user_not_found", auth_method="openid-connect", auth_type="code", redirect_uri="http://localhost:8090/admin/master/console/", code_id="6c5c730e-7a3d-49e7-8c9e-f2c3c661ad45", username="dataverseAdmin"


@ofahimIQSS
Contributor

getting error when running the curl command:

@ofahimIQSS
Contributor

didn't get "instances booted successfully" message :(

@github-actions

github-actions Bot commented Apr 9, 2025

📦 Pushed preview images as

ghcr.io/gdcc/dataverse:11157-builtin-users-oidc-auth
ghcr.io/gdcc/configbaker:11157-builtin-users-oidc-auth

🚢 See on GHCR. Use by referencing with full name as printed above, mind the registry name.

@ofahimIQSS
Contributor

Merging and will test in upper environments as there are constraints on my local environment

@ofahimIQSS ofahimIQSS merged commit e3bc7cf into develop Apr 9, 2025
25 checks passed
@ofahimIQSS ofahimIQSS deleted the 11157-builtin-users-oidc-auth branch April 9, 2025 13:00

Labels

- FY25 Sprint 17 (2025-02-12 - 2025-02-26)
- FY25 Sprint 18 (2025-02-26 - 2025-03-12)
- FY25 Sprint 19 (2025-03-12 - 2025-03-26)
- FY25 Sprint 20 (2025-03-26 - 2025-04-09)
- GREI Re-arch: Issues related to the GREI Dataverse rearchitecture
- Original size: 10
- Size: 10 (a percentage of a sprint; 7 hours)
- SPA.Q1.1 Authentication: OIDC for Builtin users
- SPA: These changes are required for the Dataverse SPA

Projects

Status: Done 🧹

Development

Successfully merging this pull request may close these issues:

- Update Keycloak version
- Implement OIDC flow/integration for builtin Dataverse users

8 participants