Skip to content

Remove Keycloak auth from MAUI app — replace with no-op LocalAuthService #134

Open
Open
Remove Keycloak auth from MAUI app — replace with no-op LocalAuthService#134
Labels
apppending-epicFinished but waiting for epic branch to merge
@fboucher

Description

@fboucher
fboucher
opened on May 19, 2026

Parent PRD

#110

Depends on

#120 (scaffold — closed, delivered by PR #131)

Summary

Remove the Keycloak OIDC authentication from NoteBookmark.MauiApp and replace it with a no-op LocalAuthService that always returns authenticated. The Android app runs on a personal, locked device — device-level security (PIN/biometric) is the authentication perimeter. Keycloak actively hurts the offline-first goal since expired tokens lock users out.

Context

  • The web app (NoteBookmark.BlazorApp) keeps Keycloak — it's exposed on the internet and needs auth
  • The API (NoteBookmark.Api) has no auth middleware (UseAuthentication/UseAuthorization are not called), so Bearer tokens from the MAUI app were never validated anyway
  • The existing IAuthService interface should be kept as an abstraction for future use (e.g., optional biometric lock)

Tasks

  • Create LocalAuthService : IAuthService — always returns IsAuthenticated = true, Username = device owner or fixed value, no-op for Login/Logout/Initialize
  • Update MauiProgram.cs DI registration: replace KeycloakAuthService with LocalAuthService
  • Remove KeycloakConfig registration and Keycloak section from wwwroot/appsettings.json
  • Remove or simplify Login.razor — no login gate needed (redirect straight to Home, or remove the page entirely)
  • Simplify Home.razor — remove auth check guard that redirects to /login
  • Simplify App.xaml.cs — InitializeAsync becomes a no-op
  • Clean up AndroidManifest.xml — remove the WebAuthenticator callback intent filter (no longer needed)
  • Remove the HttpClient registration for KeycloakAuthService in MauiProgram.cs
  • Keep IAuthService.cs interface (useful abstraction for future biometric auth)
  • Optionally delete KeycloakAuthService.cs and KeycloakConfig.cs (or keep for reference)

Files affected

  • src/NoteBookmark.MauiApp/Auth/LocalAuthService.cs (new)
  • src/NoteBookmark.MauiApp/Auth/KeycloakAuthService.cs (delete or keep)
  • src/NoteBookmark.MauiApp/Auth/KeycloakConfig.cs (delete or keep)
  • src/NoteBookmark.MauiApp/MauiProgram.cs
  • src/NoteBookmark.MauiApp/App.xaml.cs
  • src/NoteBookmark.MauiApp/Components/Pages/Login.razor
  • src/NoteBookmark.MauiApp/Components/Pages/Home.razor
  • src/NoteBookmark.MauiApp/Platforms/Android/AndroidManifest.xml
  • src/NoteBookmark.MauiApp/wwwroot/appsettings.json

Acceptance Criteria

  • App launches directly to the home/content screen without any login prompt
  • IAuthService.IsAuthenticatedAsync() always returns rue
  • No Keycloak configuration required to run the app
  • No WebAuthenticator intent filter in AndroidManifest
  • App works fully offline from first launch (no token expiry blocking access)
  • Web app (BlazorApp) Keycloak auth is completely unaffected

Rationale

User stories 10 and 11 from the PRD are superseded — Android device lock replaces app-level auth.

Metadata

Metadata

Assignees

No one assigned

    Labels

    apppending-epicFinished but waiting for epic branch to merge

    Projects

    NoteBookmark

    Status

    pending

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions