feat: integrate OAuth authentication with GitHub and Keycloak

psuet · psuet · commit e7e7cc1ab1e0 · 2026-03-14T16:57:42.000+01:00
This commit adds the option to enable OAuth authentication through Github / Keycloak. This requires additional configuration from the user. This configuration is exposed through a set of new environment variables. It currently does not support any kind of roles / group management. This must be managed either trough the domain allowlist or on the provider side. All newly registered users are normal users and may be promoted though the web portal as necessary. Implements #264
diff --git a/composer.json b/composer.json
@@ -22,6 +22,7 @@
         "php": "^8.2",
         "ext-simplexml": "*",
         "doctrine/dbal": "^3.6",
+        "dutchcodingcompany/filament-socialite": "^3.1",
         "filament/filament": "^4.0",
         "filament/spatie-laravel-settings-plugin": "^4.0",
         "guzzlehttp/guzzle": "^7.8",
@@ -33,6 +34,7 @@
         "illuminate/support": "^11.35.0",
         "laravel/sanctum": "^4.0",
         "nesbot/carbon": "^2.70",
+        "socialiteproviders/keycloak": "^5.3",
         "spatie/laravel-data": "^4.11",
         "spatie/laravel-query-builder": "^5.5",
         "spatie/laravel-settings": "^3.2",
diff --git a/database/migrations/2026_03_13_224342_create_socialite_users_table.php b/database/migrations/2026_03_13_224342_create_socialite_users_table.php
@@ -0,0 +1,31 @@
+<?php
+
+use Illuminate\Support\Facades\Schema;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Database\Migrations\Migration;
+
+return new class extends Migration {
+    public function up()
+    {
+        Schema::create('socialite_users', function (Blueprint $table) {
+            $table->id();
+
+            $table->foreignId('user_id')->constrained()->cascadeOnDelete()->cascadeOnUpdate();
+            $table->string('provider');
+            $table->string('provider_id');
+
+            $table->timestamps();
+
+            $table->unique([
+                'provider',
+                'provider_id',
+            ]);
+        });
+
+    }
+
+    public function down()
+    {
+        Schema::dropIfExists('socialite_users');
+    }
+};
diff --git a/database/migrations/2026_03_13_225342_remove_not_null_from_user_password.php b/database/migrations/2026_03_13_225342_remove_not_null_from_user_password.php
@@ -0,0 +1,22 @@
+<?php
+
+use Illuminate\Support\Facades\Schema;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Database\Migrations\Migration;
+
+return new class extends Migration {
+    public function up()
+    {
+        Schema::table('users', function (Blueprint $table) {
+            $table->string('password')->nullable()->change();
+        });
+
+    }
+
+    public function down()
+    {
+        Schema::table('users', function (Blueprint $table) {
+            $table->string('password')->nullable(false)->change();
+        });
+    }
+};
diff --git a/public/build/assets/cachet-BQ3AZC_V.css b/public/build/assets/cachet-BQ3AZC_V.css
diff --git a/public/build/assets/cachet-cq60tD7N.css b/public/build/assets/cachet-cq60tD7N.css
diff --git a/public/build/assets/theme-Bpp5vRLw.css b/public/build/assets/theme-Bpp5vRLw.css
diff --git a/public/build/assets/theme-CA1Ilmhs.css b/public/build/assets/theme-CA1Ilmhs.css
diff --git a/public/build/manifest.json b/public/build/manifest.json
@@ -1,11 +1,11 @@
 {
   "resources/css/cachet.css": {
-    "file": "assets/cachet-BQ3AZC_V.css",
+    "file": "assets/cachet-cq60tD7N.css",
     "src": "resources/css/cachet.css",
     "isEntry": true
   },
   "resources/css/dashboard/theme.css": {
-    "file": "assets/theme-CA1Ilmhs.css",
+    "file": "assets/theme-Bpp5vRLw.css",
     "src": "resources/css/dashboard/theme.css",
     "isEntry": true
   },
diff --git a/src/CachetDashboardServiceProvider.php b/src/CachetDashboardServiceProvider.php
@@ -5,6 +5,8 @@
 use Cachet\Filament\Pages\EditProfile;
 use Cachet\Http\Middleware\SetAppLocale;
 use Cachet\Settings\AppSettings;
+use DutchCodingCompany\FilamentSocialite\FilamentSocialitePlugin;
+use DutchCodingCompany\FilamentSocialite\Provider;
 use Filament\FontProviders\LocalFontProvider;
 use Filament\Http\Middleware\Authenticate;
 use Filament\Http\Middleware\DisableBladeIconComponents;
@@ -106,6 +108,17 @@ public function panel(Panel $panel): Panel
             ->path(Cachet::dashboardPath())
             ->bootUsing(function (): void {
                 Section::configureUsing(fn (Section $section) => $section->columnSpanFull());
-            });
+            })
+            ->plugin(FilamentSocialitePlugin::make()->providers(
+                collect([
+                    config('services.github.client_id') ? Provider::make('github') : null,
+                    config('services.keycloak.client_id') ? Provider::make('keycloak') : null,
+                ])->filter()->values()->all()
+            )
+                ->rememberLogin(config('services.oauth.rememberLogin', false))
+                ->registration(config('services.oauth.registration', false))
+                ->domainAllowList(config('services.oauth.domainAllowlist', []))
+                ->userModelClass(config('cachet.user_model'))
+            );
     }
 }
diff --git a/workbench/.env.example b/workbench/.env.example
@@ -58,3 +58,14 @@ VITE_PUSHER_PORT="${PUSHER_PORT}"
 VITE_PUSHER_SCHEME="${PUSHER_SCHEME}"
 VITE_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"
 
+GITHUB_CLIENT_ID=
+GITHUB_CLIENT_SECRET=
+
+KEYCLOAK_CLIENT_ID=
+KEYCLOAK_CLIENT_SECRET=
+KEYCLOAK_REALM="master"
+KEYCLOAK_BASE_URL=
+
+OAUTH_REMEMBER_LOGIN=
+OAUTH_REGISTRATION=
+OAUTH_DOMAIN_ALLOWLIST=
diff --git a/workbench/app/Providers/WorkbenchServiceProvider.php b/workbench/app/Providers/WorkbenchServiceProvider.php
@@ -2,6 +2,8 @@
 
 namespace Workbench\App\Providers;
 
+use Cachet\Cachet;
+use Illuminate\Support\Facades\Event;
 use Illuminate\Support\ServiceProvider;
 use Workbench\App\User;
 
@@ -16,13 +18,21 @@ public function register(): void
             'cachet.path' => '/',
             'cachet.user_model' => User::class,
         ]);
+
+        // Reinitialize the redirect URIs to ensure they use the correct path for the workbench environment.
+        config([
+            'services.keycloak.redirect' => env('KEYCLOAK_REDIRECT_URI', Cachet::dashboardPath().'/oauth/callback/keycloak'),
+            'services.github.redirect' => env('GITHUB_REDIRECT_URI', Cachet::dashboardPath().'/oauth/callback/github'),
+        ]);
     }
 
     /**
      * Bootstrap services.
      */
     public function boot(): void
     {
-        //
+        Event::listen(function (\SocialiteProviders\Manager\SocialiteWasCalled $event) {
+            $event->extendSocialite('keycloak', \SocialiteProviders\Keycloak\Provider::class);
+        });
     }
 }
diff --git a/workbench/config/services.php b/workbench/config/services.php
@@ -0,0 +1,68 @@
+<?php
+
+use Cachet\Cachet;
+use Illuminate\Support\Facades\Route;
+
+config('app.url', 'http://localhost:8000');
+
+return [
+
+    /*
+    |--------------------------------------------------------------------------
+    | Socialite OAuth Configuration
+    |--------------------------------------------------------------------------
+    |
+    | These options configure the behavior of OAuth authentication in Cachet.
+    |
+    | NOTE: It is highly discouraged to enable the 'registration' option in a
+    | production environment without also configuring the 'domainAllowlist'
+    | option, as otherwise anyone with an account on any of the providers
+    | can register an account on your Cachet instance and gain access to it.
+    |
+    */
+
+   'oauth' => [
+        /*
+        * Whether to remember the user once they have logged in using a social provider.
+        */
+        'rememberLogin' => env('OAUTH_REMEMBER_LOGIN', false),
+        /*
+        * Whether to allow users who authenticate via a social provider to be automatically
+        * registered, if no account already exists for them.
+        */
+        'registration' => env('OAUTH_REGISTRATION', false),
+        /*
+        * An allowlist of email domains which are permitted to authenticate via social providers.
+        * If empty or not set, there is no restriction on email domains.
+        */
+        'domainAllowlist' => explode(',', env('OAUTH_DOMAIN_ALLOWLIST', 'does_not_exists.local')),
+    ],
+
+    /*
+    |--------------------------------------------------------------------------
+    | Socialite Providers
+    |--------------------------------------------------------------------------
+    |
+    | Configuration for Laravel Socialite providers. This is used to configure the providers which
+    | users can use to authenticate with Cachet. The default providers are GitHub and Keycloak.
+    |
+    | Only the providers which have a client_id configured here will be offered as authentication
+    | options to users.
+    |
+    */
+
+    'github' => [
+        'client_id' => env('GITHUB_CLIENT_ID'),
+        'client_secret' => env('GITHUB_CLIENT_SECRET'),
+        'redirect' => env('GITHUB_REDIRECT_URI', Cachet::dashboardPath().'/oauth/callback/github'),
+    ],
+
+    'keycloak' => [
+        'client_id' => env('KEYCLOAK_CLIENT_ID'),
+        'client_secret' => env('KEYCLOAK_CLIENT_SECRET'),
+        'redirect' => env('KEYCLOAK_REDIRECT_URI', Cachet::dashboardPath().'/oauth/callback/keycloak'),
+        'base_url' => env('KEYCLOAK_BASE_URL'),
+        'realms' => env('KEYCLOAK_REALM', 'master'),
+    ],
+
+];
