docs: finalize Keycloak hardening and validate updated Realm config

Documented the completed Keycloak hardening steps, including PKCE S256 support, CORS security improvements, strengthened password policy, and logout redirect URI configurations. Verified and updated the `meldestelle-realm.json` and roadmap to reflect these changes.

Signed-off-by: Stefan Mogeritsch <stefan.mo.co@gmail.com>

config/docker/keycloak/meldestelle-realm.json

@@ -93,8 +93,7 @@
         "http://localhost:8081",
         "http://localhost:3000",
         "https://app.meldestelle.at",
-        "http://localhost:8080",
-        "*"
+        "http://localhost:8080"
       ],
       "protocol": "openid-connect",
       "bearerOnly": false,
@@ -111,7 +110,8 @@
         "client.secret.creation.time": "0",
         "oauth2.device.authorization.grant.enabled": "false",
         "backchannel.logout.session.required": "true",
-        "backchannel.logout.revoke.offline.tokens": "false"
+        "backchannel.logout.revoke.offline.tokens": "false",
+        "post.logout.redirect.uris": "http://localhost:8081/*##http://localhost:3000/*##https://app.meldestelle.at/*"
       },
       "protocolMappers": [
         {
@@ -202,12 +202,12 @@
         "http://localhost:8080",
         "http://localhost:4000",
         "http://localhost:3000",
-        "https://app.meldestelle.at",
-        "*"
+        "https://app.meldestelle.at"
       ],
       "protocol": "openid-connect",
       "attributes": {
-        "pkce.code.challenge.method": "S256"
+        "pkce.code.challenge.method": "S256",
+        "post.logout.redirect.uris": "http://localhost:8080/*##http://localhost:4000/*##http://localhost:3000/*##https://app.meldestelle.at/*"
       }
     },
     {
@@ -229,6 +229,47 @@
       "directAccessGrantsEnabled": true,
       "serviceAccountsEnabled": false,
       "fullScopeAllowed": true
+    },
+    {
+      "clientId": "frontend-client",
+      "name": "Meldestelle Desktop & Mobile Client",
+      "description": "Public PKCE client for the KMP Compose Desktop/Mobile application",
+      "enabled": true,
+      "publicClient": true,
+      "protocol": "openid-connect",
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": false,
+      "serviceAccountsEnabled": false,
+      "authorizationServicesEnabled": false,
+      "attributes": {
+        "pkce.code.challenge.method": "S256",
+        "post.logout.redirect.uris": "meldestelle://callback##http://localhost:*##https://app.meldestelle.at/*"
+      },
+      "redirectUris": [
+        "meldestelle://callback",
+        "http://localhost:*",
+        "https://app.meldestelle.at/*"
+      ],
+      "webOrigins": [
+        "http://localhost:8080",
+        "http://localhost:4000",
+        "https://app.meldestelle.at"
+      ],
+      "defaultClientScopes": [
+        "web-origins",
+        "acr",
+        "roles",
+        "profile",
+        "basic",
+        "email"
+      ],
+      "optionalClientScopes": [
+        "address",
+        "phone",
+        "offline_access",
+        "microprofile-jwt"
+      ]
     }
   ],
   "users": [
@@ -266,7 +307,7 @@
   "requiredCredentials": [
     "password"
   ],
-  "passwordPolicy": "length(8)",
+  "passwordPolicy": "length(10) and digits(1) and upperCase(1) and specialChars(1) and notUsername(undefined)",
   "otpPolicyType": "totp",
   "otpPolicyAlgorithm": "HmacSHA1",
   "otpPolicyInitialCounter": 0,
@@ -354,4 +395,4 @@
     "clientSessionMaxLifespan": "0",
     "clientOfflineSessionIdleTimeout": "0"
   }
-}
+}