feat(deployment): add keycloak client secret

kubernetes/loculus/templates/_config-processor.tpl

@@ -15,6 +15,11 @@
         secretKeyRef:
           name: smtp-password
           key: secretKey
+    - name: LOCULUSSUB_backendKeycloakClientSecret
+      valueFrom:
+        secretKeyRef:
+          name: backend-keycloak-client-secret
+          key: backendKeycloakClientSecret
 {{- end }}
 
 

kubernetes/loculus/templates/loculus-website-config.yaml

@@ -36,7 +36,8 @@ data:
         },
         "public": {
           {{- template "loculus.publicRuntimeConfig" dict "Values" .Values "externalLapisUrlConfig" $externalLapisUrlConfig -}}
-        }
+        },
+        "backendKeycloakClientSecret" : "[[backendKeycloakClientSecret]]"
     }
 
 

website/src/types/runtimeConfig.ts

@@ -19,6 +19,7 @@ export const serverConfig = serviceUrls.merge(
 export const runtimeConfig = z.object({
     public: serviceUrls,
     serverSide: serverConfig,
+    backendKeycloakClientSecret: z.string().min(5),
     devMode: z.boolean(),
 });
 export type RuntimeConfig = z.infer<typeof runtimeConfig>;

website/src/utils/KeycloakClientManager.ts

@@ -3,7 +3,7 @@ import { type BaseClient, Issuer } from 'openid-client';
 import { realmPath } from './realmPath.ts';
 import { getRuntimeConfig } from '../config.ts';
 import { getInstanceLogger } from '../logger.ts';
-import { clientMetadata } from '../utils/clientMetadata.ts';
+import { getClientMetadata } from '../utils/clientMetadata.ts';
 
 export class KeycloakClientManager {
     private static _keycloakClient: BaseClient | undefined;
@@ -22,7 +22,7 @@ export class KeycloakClientManager {
         try {
             const keycloakIssuer = await Issuer.discover(issuerUrl);
             this.logger.info(`Keycloak issuer discovered: ${keycloakIssuer}`);
-            this._keycloakClient = new keycloakIssuer.Client(clientMetadata);
+            this._keycloakClient = new keycloakIssuer.Client(getClientMetadata());
         } catch (error: any) {
             if (error.code !== 'ECONNREFUSED') {
                 this.logger.error(`Error discovering keycloak issuer: ${error}`);

website/src/utils/clientMetadata.ts

@@ -1,7 +1,23 @@
-// TODO: #1337 Move to config
-export const clientMetadata = {
+import { getRuntimeConfig } from '../config';
+
+const clientMetadata = {
     client_id: 'backend-client',
     response_types: ['code', 'id_token'],
-    client_secret: 'someSecret',
     public: true,
 };
+
+export const getClientMetadata = () => {
+    return { ...clientMetadata, client_secret: getClientSecret() };
+};
+
+const getClientSecret = () => {
+    // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition
+    if (import.meta.env === undefined) {
+        return 'dummySecret';
+    }
+    const configDir = import.meta.env.CONFIG_DIR;
+    if (typeof configDir !== 'string' || configDir === '') {
+        return 'dummySecret';
+    }
+    return getRuntimeConfig().backendKeycloakClientSecret;
+};

website/tests/e2e.fixture.ts

@@ -19,7 +19,7 @@ import { ACCESS_TOKEN_COOKIE, REFRESH_TOKEN_COOKIE } from '../src/middleware/aut
 import { BackendClient } from '../src/services/backendClient';
 import { GroupManagementClient } from '../src/services/groupManagementClient.ts';
 import { type DataUseTerms, type NewGroup, openDataUseTermsType } from '../src/types/backend.ts';
-import { clientMetadata } from '../src/utils/clientMetadata.ts';
+import { getClientMetadata } from '../src/utils/clientMetadata.ts';
 import { realmPath } from '../src/utils/realmPath.ts';
 
 type E2EFixture = {
@@ -93,7 +93,7 @@ const testUserTokens: Record<string, TokenCookie> = {};
 export async function getToken(username: string, password: string) {
     const issuerUrl = `${keycloakUrl}${realmPath}`;
     const keycloakIssuer = await Issuer.discover(issuerUrl);
-    const client = new keycloakIssuer.Client(clientMetadata);
+    const client = new keycloakIssuer.Client(getClientMetadata());
 
     if (username in testUserTokens) {
         const accessToken = testUserTokens[username].accessToken;

website/vitest.setup.ts

@@ -30,6 +30,7 @@ export const testConfig = {
         keycloakUrl: 'http://authentication.dummy',
     },
     devMode: true,
+    backendKeycloakClientSecret: 'dummy',
 } as RuntimeConfig;
 
 export const metadataKey = 'originalMetaDataField';