Merged
10 changes: 0 additions & 10 deletions .docker/database/01-create-keycloak.sql

This file was deleted.

5 changes: 5 additions & 0 deletions .docker/database/01-create-workastra.sql
@@ -0,0 +1,5 @@
CREATE DATABASE workastra_db;

CREATE USER workastra_user WITH ENCRYPTED PASSWORD 'workastra_password' ;

⚠️ Potential issue | 🟡 Minor

Avoid hardcoding the database password in the bootstrap script.

workastra_password is checked into source control. Even for local dev, prefer parameterizing via environment variables (e.g., a .sh initdb script that reads ${WORKASTRA_DB_PASSWORD}) so the same script can be safely reused beyond local dev. Also, the trailing whitespace before ; on lines 3 and 5 is cosmetic noise.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.docker/database/01-create-workastra.sql at line 3, The SQL currently
hardcodes the password for user workastra_user; change the bootstrapping so the
password is provided from an environment variable (e.g., read
${WORKASTRA_DB_PASSWORD} in an init-shell script and pass it into the CREATE
USER statement) instead of embedding 'workastra_password', and remove the
trailing spaces before the semicolons to tidy the SQL; ensure the init script
validates the env var is set and fails fast with a clear message if not.


GRANT ALL PRIVILEGES ON DATABASE workastra_db TO workastra_user ;
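Review bot: the `ENCRYPTED` keyword on line 3 does nothing to protect the committed credential; it only concerns how the server stores the password and is accepted purely for backward compatibility on current PostgreSQL, so 'workastra_password' stays readable in the repository history. Supply the password at init time from the environment or a secret file instead. On line 5, `GRANT ALL PRIVILEGES ON DATABASE` hands the role CONNECT, CREATE and TEMPORARY together; if workastra_user only needs to connect and work inside one schema, grant the schema-level rights it needs rather than everything at database level.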
Comment on lines +1 to +5

⚠️ Potential issue | 🔴 Critical

workastra_user cannot create objects in the public schema on PostgreSQL 18.

GRANT ALL PRIVILEGES ON DATABASE grants only database-level privileges (CONNECT, CREATE schema, TEMPORARY) — not schema-level privileges. PostgreSQL 15+ revokes the CREATE privilege on the public schema from non-owner roles. When Flyway attempts to create the schema history table in the public schema, it will fail with a permission error if executed as workastra_user.

Either make workastra_user the database owner or explicitly grant schema privileges:

🔧 Suggested fix
-CREATE DATABASE workastra_db;
-
 CREATE USER workastra_user WITH ENCRYPTED PASSWORD 'workastra_password' ;
+
+CREATE DATABASE workastra_db OWNER workastra_user;

 GRANT ALL PRIVILEGES ON DATABASE workastra_db TO workastra_user ;
+
+\connect workastra_db
+GRANT ALL ON SCHEMA public TO workastra_user;
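Review bot: once `CREATE DATABASE workastra_db OWNER workastra_user` is in place, the two GRANT statements that follow it add nothing on PostgreSQL 15 and later, because the database owner already holds every database privilege and, through pg_database_owner, owns the public schema. Drop them, or keep postgres as the owner and grant only the schema rights if the application role should not own the database. Note also that `\connect` is a psql meta-command, so the file only works when it is fed through psql.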

Alternatively, keep ownership with postgres and grant explicitly:

\connect workastra_db
GRANT CREATE, USAGE ON SCHEMA public TO workastra_user;
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.docker/database/01-create-workastra.sql around lines 1 - 5, The
CREATE/GRANT statements create workastra_db and workastra_user but do not allow
workastra_user to create objects in the public schema, so Flyway (when run as
workastra_user) will fail to create the schema history table; fix by either
making workastra_user the owner of workastra_db (so it has schema CREATE rights)
or explicitly granting schema-level privileges on public to workastra_user
(e.g., connect to workastra_db and GRANT CREATE, USAGE ON SCHEMA public TO
workastra_user), and ensure these changes are applied after the CREATE DATABASE
and CREATE USER steps so workastra_user can create schemas/objects.
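
The two review comments above combined into one init script, as an added example that is not code from this PR or from the workastra project. It assumes psql 15 or newer (for `\getenv`), a superuser connection named by `POSTGRES_USER`, and that workastra_user only needs to create objects in `public`; the function names and the `apply` argument are hypothetical.

```shell
#!/bin/sh
# Added example: bootstrap without a password literal in source control.
# Assumed: WORKASTRA_DB_PASSWORD comes from the environment or a secret store.

# Fail fast with a clear message when the secret is missing or empty.
require_password() {
    if [ -z "${WORKASTRA_DB_PASSWORD:-}" ]; then
        echo "WORKASTRA_DB_PASSWORD must be set before bootstrapping" >&2
        return 1
    fi
}

# Emit the bootstrap SQL. The quoted heredoc stops the shell from expanding
# anything: psql itself reads the secret with \getenv and quotes it as a SQL
# literal via :'pw', so the value never reaches argv or the script text.
bootstrap_sql() {
    cat <<'SQL'
\getenv pw WORKASTRA_DB_PASSWORD
CREATE USER workastra_user WITH PASSWORD :'pw';
CREATE DATABASE workastra_db;
\connect workastra_db
-- PostgreSQL 15+ no longer lets non-owner roles create objects in public,
-- so grant exactly the schema rights the migration role needs.
GRANT CREATE, USAGE ON SCHEMA public TO workastra_user;
SQL
}

# Feed the SQL to psql on stdin (variable substitution does not apply to -c).
apply_bootstrap() {
    require_password || return 1
    bootstrap_sql | WORKASTRA_DB_PASSWORD="$WORKASTRA_DB_PASSWORD" \
        psql -v ON_ERROR_STOP=1 \
             --username "${POSTGRES_USER:-postgres}" --dbname postgres
}

# Only touch the database when asked to, so the file can also be sourced.
if [ "${1:-}" = "apply" ]; then
    apply_bootstrap
fi
```

Run it as `sh <script> apply`; a server with `log_statement` enabled can still record the `CREATE USER` statement, so check the logging configuration as well.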

10 changes: 0 additions & 10 deletions .docker/database/02-create-workastra.sql

This file was deleted.
