OPC # 0007: Patch FDEV provisioning for local aspire development

Co-authored-by: Copilot <copilot@github.com>
2026-04-26 12:48:07 -04:00
parent e8ac7b017c
commit b9f0f6dd5f
7 changed files with 137 additions and 31 deletions
@@ -41,6 +41,17 @@ public class KeycloakStep(
        }, cancellationToken);

        // clarity-web-app: public OIDC client used by the React frontend.
+        // fdev is a developer dogfood environment — allow localhost redirect URIs so that a
+        // local Aspire dev loop (any port) can complete the OIDC flow against the shared
+        // OPC infra Keycloak without any post-provisioning patching.
+        var isFdev = string.Equals(context.Job.Environment, "fdev", StringComparison.OrdinalIgnoreCase);
+        var redirectUris = isFdev
+            ? new[] { $"{tenantOrigin}/*", "http://localhost:*/*", "http://*.dev.localhost:*/*" }
+            : new[] { $"{tenantOrigin}/*" };
+        var webOrigins = isFdev
+            ? "+"          // match all valid redirect URI origins
+            : tenantOrigin;
+
        await adminClient.CreateClientAsync(realmId, new
        {
            clientId                  = "clarity-web-app",
@@ -51,8 +62,8 @@ public class KeycloakStep(
            directAccessGrantsEnabled = false,
            rootUrl                   = tenantOrigin,
            baseUrl                   = "/",
-            redirectUris              = new[] { $"{tenantOrigin}/*" },
-            webOrigins                = new[] { tenantOrigin },
+            redirectUris,
+            webOrigins                = new[] { webOrigins },
        }, cancellationToken);

        // Ensure tokens issued by clarity-web-app include "clarity-rest-api" in the `aud` claim