feat: implement OIDC PKCE flow for Keycloak login with frontend-client

Completed OIDC Authorization Code Flow with PKCE (S256) for JS and JVM platforms.
- Added `launchOidcFlow`, `consumePendingOidcCallback`, and `getOidcRedirectUri` with platform-specific implementations.
- Integrated SHA-256 and Base64URL helpers for PKCE.
- Updated `LoginViewModel` with OIDC logic (key handling, token exchange, state validation).
- Enhanced `LoginScreen` with an OIDC login button and loading spinner.
- Verified implementation with system hardening roadmap tasks.

Includes browser redirects for JS, localhost HTTP callback for JVM, and built-in Keycloak URL construction.

Signed-off-by: Stefan Mogeritsch <stefan.mo.co@gmail.com>
2026-03-09 11:54:35 +01:00
parent 2db3fd82c5
commit b9a433f772
12 changed files with 662 additions and 44 deletions
@@ -1,11 +1,22 @@
package at.mocode.frontend.core.domain
object AppConstants {
// Keycloak Configuration
// Note: These defaults are for local development.
// In production, these should be provided via build config or environment variables.
const val KEYCLOAK_URL = "http://localhost:8180"
const val KEYCLOAK_REALM = "meldestelle"
const val KEYCLOAK_CLIENT_ID = "web-app"
const val KEYCLOAK_CLIENT_SECRET = "" // Public client usually has no secret
// Native/Desktop KMP client (PKCE Authorization Code Flow, kein Secret)
const val KEYCLOAK_CLIENT_ID = "frontend-client"
const val KEYCLOAK_CLIENT_SECRET = "" // Public client — kein Secret
// OIDC Redirect URI für JVM Desktop (loopback callback server)
const val OIDC_CALLBACK_PORT = 18080
const val OIDC_REDIRECT_URI_JVM = "http://localhost:$OIDC_CALLBACK_PORT/callback"
// OIDC Redirect URI für JS/Browser (gleiche Origin, Route /auth/callback)
const val OIDC_REDIRECT_URI_JS_PATH = "/auth/callback"
// OIDC Scopes
const val OIDC_SCOPES = "openid profile email"
}
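Review bot: `OIDC_CALLBACK_PORT = 18080` and `OIDC_REDIRECT_URI_JVM = "http://localhost:$OIDC_CALLBACK_PORT/callback"` pin the desktop callback to one fixed port and to the name `localhost`. If another process already holds 18080, the login cannot complete, and whichever local process binds that port first is the one that receives the redirect carrying the authorization code. RFC 8252 recommends the loopback IP literal (`127.0.0.1`) over `localhost` and a port chosen when the listener is bound, so consider deriving the redirect URI at runtime from the bound socket and keeping only the `/callback` path as a constant. Two smaller points in the same hunk: the existing note says production values should come from build config or environment variables, yet every new value is a `const val`, so the new redirect and client-id settings have no override path; and `KEYCLOAK_CLIENT_SECRET = ""` could be removed outright for a public client instead of being kept as an empty constant. The new comments are in German while the existing ones are in English; pick one.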