Mikkel Georgsen
c0cb2d25a0
- Add federated logout endpoint that clears Auth.js session AND ends Zitadel SSO session via OIDC end_session endpoint - Move sign-in page from /auth/signin to /login to avoid Auth.js route conflict causing ERR_TOO_MANY_REDIRECTS - Add callbackUrl to all signIn calls so users land on /dashboard - Store id_token in session for federated logout id_token_hint - Fix Zitadel healthcheck using binary ready command (no curl needed) - Update post_logout_redirect_uri in setup script Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
200 lines
6 KiB
Bash
Executable file
200 lines
6 KiB
Bash
Executable file
#!/bin/sh
|
|
#
|
|
# Setup script for Zitadel OIDC application (dev environment only).
|
|
#
|
|
# Creates a "PVM" project and "PVM Dashboard" OIDC application in Zitadel.
|
|
# Idempotent: skips creation if project/app already exist.
|
|
#
|
|
# Usage:
|
|
# ./docker/setup-zitadel.sh
|
|
#
|
|
|
|
set -eu
|
|
|
|
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
|
|
ZITADEL_URL="http://localhost:8080"
|
|
PAT_FILE="${SCRIPT_DIR}/machinekey/admin.pat"
|
|
DASHBOARD_ENV_FILE="${SCRIPT_DIR}/../apps/dashboard/.env"
|
|
|
|
# ---------- helpers ----------
|
|
|
|
log() { printf '[setup-zitadel] %s\n' "$*" >&2; }
|
|
fail() { log "ERROR: $*" >&2; exit 1; }
|
|
|
|
wait_for_zitadel() {
|
|
log "Waiting for Zitadel to be healthy..."
|
|
for _ in $(seq 1 30); do
|
|
if curl -sf "${ZITADEL_URL}/debug/healthz" > /dev/null 2>&1; then
|
|
log "Zitadel is healthy."
|
|
return 0
|
|
fi
|
|
sleep 2
|
|
done
|
|
fail "Zitadel did not become healthy within 60 seconds."
|
|
}
|
|
|
|
wait_for_pat() {
|
|
log "Waiting for PAT file at ${PAT_FILE}..."
|
|
for _ in $(seq 1 15); do
|
|
if [ -s "$PAT_FILE" ]; then
|
|
log "PAT file found."
|
|
return 0
|
|
fi
|
|
sleep 2
|
|
done
|
|
fail "PAT file not found or empty after 30 seconds. Did Zitadel finish init?"
|
|
}
|
|
|
|
# ---------- API calls ----------
|
|
|
|
find_project() {
|
|
RESPONSE=$(curl -sf -X POST "${ZITADEL_URL}/management/v1/projects/_search" \
|
|
-H "Authorization: Bearer ${PAT}" \
|
|
-H "Content-Type: application/json" \
|
|
-d '{"queries":[{"nameQuery":{"name":"PVM","method":"TEXT_QUERY_METHOD_EQUALS"}}]}') || return 1
|
|
|
|
PROJECT_ID=$(echo "$RESPONSE" | grep -o '"id":"[^"]*"' | head -1 | cut -d'"' -f4)
|
|
if [ -n "$PROJECT_ID" ]; then
|
|
echo "$PROJECT_ID"
|
|
return 0
|
|
fi
|
|
return 1
|
|
}
|
|
|
|
find_oidc_app() {
|
|
PROJECT_ID="$1"
|
|
RESPONSE=$(curl -sf "${ZITADEL_URL}/management/v1/projects/${PROJECT_ID}/apps/_search" \
|
|
-H "Authorization: Bearer ${PAT}" \
|
|
-H "Content-Type: application/json" \
|
|
-d '{}') || return 1
|
|
|
|
# Look for "PVM Dashboard" in the app list
|
|
if echo "$RESPONSE" | grep -q '"name":"PVM Dashboard"'; then
|
|
CLIENT_ID=$(echo "$RESPONSE" | grep -o '"clientId":"[^"]*"' | head -1 | cut -d'"' -f4)
|
|
if [ -n "$CLIENT_ID" ]; then
|
|
echo "$CLIENT_ID"
|
|
return 0
|
|
fi
|
|
fi
|
|
return 1
|
|
}
|
|
|
|
create_project() {
|
|
log "Creating project 'PVM'..."
|
|
RESPONSE=$(curl -sf -X POST "${ZITADEL_URL}/management/v1/projects" \
|
|
-H "Authorization: Bearer ${PAT}" \
|
|
-H "Content-Type: application/json" \
|
|
-d '{"name": "PVM"}') \
|
|
|| fail "Failed to create project."
|
|
|
|
PROJECT_ID=$(echo "$RESPONSE" | grep -o '"id":"[^"]*"' | head -1 | cut -d'"' -f4)
|
|
[ -n "$PROJECT_ID" ] || fail "Could not extract project ID from response: $RESPONSE"
|
|
log "Project created with ID: $PROJECT_ID"
|
|
echo "$PROJECT_ID"
|
|
}
|
|
|
|
create_oidc_app() {
|
|
PROJECT_ID="$1"
|
|
log "Creating OIDC application 'PVM Dashboard' in project $PROJECT_ID..."
|
|
RESPONSE=$(curl -sf -X POST "${ZITADEL_URL}/management/v1/projects/${PROJECT_ID}/apps/oidc" \
|
|
-H "Authorization: Bearer ${PAT}" \
|
|
-H "Content-Type: application/json" \
|
|
-d '{
|
|
"name": "PVM Dashboard",
|
|
"redirectUris": ["http://localhost:5173/auth/callback/zitadel"],
|
|
"postLogoutRedirectUris": ["http://localhost:5173", "http://localhost:5173/login"],
|
|
"responseTypes": ["OIDC_RESPONSE_TYPE_CODE"],
|
|
"grantTypes": ["OIDC_GRANT_TYPE_AUTHORIZATION_CODE"],
|
|
"appType": "OIDC_APP_TYPE_WEB",
|
|
"authMethodType": "OIDC_AUTH_METHOD_TYPE_BASIC",
|
|
"devMode": true,
|
|
"accessTokenType": "OIDC_TOKEN_TYPE_BEARER",
|
|
"accessTokenRoleAssertion": true,
|
|
"idTokenRoleAssertion": true,
|
|
"idTokenUserinfoAssertion": true
|
|
}') \
|
|
|| fail "Failed to create OIDC app."
|
|
|
|
CLIENT_ID=$(echo "$RESPONSE" | grep -o '"clientId":"[^"]*"' | head -1 | cut -d'"' -f4)
|
|
CLIENT_SECRET=$(echo "$RESPONSE" | grep -o '"clientSecret":"[^"]*"' | head -1 | cut -d'"' -f4)
|
|
|
|
[ -n "$CLIENT_ID" ] || fail "Could not extract client ID from response: $RESPONSE"
|
|
log "OIDC app created."
|
|
log " Client ID: $CLIENT_ID"
|
|
[ -n "$CLIENT_SECRET" ] && log " Client Secret: $CLIENT_SECRET"
|
|
|
|
echo "${CLIENT_ID}|${CLIENT_SECRET}"
|
|
}
|
|
|
|
write_dashboard_env() {
|
|
CLIENT_ID="$1"
|
|
CLIENT_SECRET="$2"
|
|
|
|
AUTH_SECRET=$(openssl rand -base64 32)
|
|
|
|
log "Writing dashboard .env to ${DASHBOARD_ENV_FILE}..."
|
|
cat > "$DASHBOARD_ENV_FILE" <<EOF
|
|
# Zitadel OIDC Configuration (generated by setup-zitadel.sh)
|
|
AUTH_ZITADEL_ISSUER=http://localhost:8080
|
|
AUTH_ZITADEL_CLIENT_ID=${CLIENT_ID}
|
|
AUTH_ZITADEL_CLIENT_SECRET=${CLIENT_SECRET}
|
|
|
|
# Auth.js secret
|
|
AUTH_SECRET=${AUTH_SECRET}
|
|
|
|
# Backend API URL
|
|
PUBLIC_API_URL=http://localhost:3001
|
|
|
|
# Zitadel account management URL
|
|
PUBLIC_ZITADEL_ACCOUNT_URL=http://localhost:8080/ui/console
|
|
|
|
# App URL (for OIDC redirects)
|
|
ORIGIN=http://localhost:5173
|
|
EOF
|
|
|
|
log "Dashboard .env written successfully."
|
|
}
|
|
|
|
# ---------- main ----------
|
|
|
|
main() {
|
|
wait_for_zitadel
|
|
wait_for_pat
|
|
PAT=$(cat "$PAT_FILE")
|
|
[ -n "$PAT" ] || fail "PAT is empty."
|
|
log "PAT obtained successfully."
|
|
|
|
# Idempotent: check if project already exists
|
|
if PROJECT_ID=$(find_project); then
|
|
log "Project 'PVM' already exists with ID: $PROJECT_ID"
|
|
else
|
|
PROJECT_ID=$(create_project)
|
|
fi
|
|
|
|
# Idempotent: check if OIDC app already exists
|
|
if EXISTING_CLIENT_ID=$(find_oidc_app "$PROJECT_ID"); then
|
|
log "OIDC app 'PVM Dashboard' already exists with client ID: $EXISTING_CLIENT_ID"
|
|
if [ -f "$DASHBOARD_ENV_FILE" ]; then
|
|
log "Dashboard .env already exists — skipping overwrite."
|
|
log "Delete apps/dashboard/.env and re-run to regenerate."
|
|
else
|
|
log "WARNING: OIDC app exists but no .env file found."
|
|
log "You may need to recreate the app (delete it in Zitadel console, then re-run)."
|
|
fi
|
|
else
|
|
RESULT=$(create_oidc_app "$PROJECT_ID")
|
|
CLIENT_ID=$(echo "$RESULT" | cut -d'|' -f1)
|
|
CLIENT_SECRET=$(echo "$RESULT" | cut -d'|' -f2)
|
|
write_dashboard_env "$CLIENT_ID" "$CLIENT_SECRET"
|
|
fi
|
|
|
|
log ""
|
|
log "=== Setup complete ==="
|
|
log ""
|
|
log "Zitadel Console: ${ZITADEL_URL}/ui/console"
|
|
log "Admin login: admin@zitadel.localhost / Admin1234!"
|
|
log "Dashboard: http://localhost:5173"
|
|
log ""
|
|
}
|
|
|
|
main
|