feat(ui): add keycloak theme (#1881)

Signed-off-by: Petr Kadlec <[email protected]>

Author: kapetr

.github/workflows/release.yml

@@ -81,7 +81,7 @@ jobs:
     environment: release
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      HELM_EXPERIMENTAL_OCI: '1'
+      HELM_EXPERIMENTAL_OCI: "1"
     steps:
       - uses: actions/checkout@v4
       - id: version
@@ -137,10 +137,27 @@ jobs:
           file: ./apps/supergateway/Dockerfile
           push: true
           platforms: linux/amd64,linux/arm64
-          tags: ghcr.io/${{ github.repository }}/supergateway:latest
+          tags: ghcr.io/${{ github.repository }}/supergateway:${{ github.sha }}
           cache-from: type=registry,ref=ghcr.io/${{ github.repository }}/supergateway:cache
           cache-to: type=registry,ref=ghcr.io/${{ github.repository }}/supergateway:cache,mode=max
 
+      - run: mise run 'keycloak-theme:build:*'
+      - id: keycloak-version
+        run: |
+          KEYCLOAK_VERSION=$(grep -oP 'FROM quay.io/keycloak/keycloak:\K[0-9.]+' ./apps/keycloak-theme/Dockerfile)
+          echo "version=$KEYCLOAK_VERSION" >> $GITHUB_OUTPUT
+      - uses: docker/build-push-action@v6
+        with:
+          context: ./apps/keycloak-theme
+          file: ./apps/keycloak-theme/Dockerfile
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: |
+            ghcr.io/${{ github.repository }}/keycloak-themed:${{ github.sha }}
+            ghcr.io/${{ github.repository }}/keycloak-themed:${{ steps.keycloak-version.outputs.version }}
+          cache-from: type=registry,ref=ghcr.io/${{ github.repository }}/keycloak-themed:cache
+          cache-to: type=registry,ref=ghcr.io/${{ github.repository }}/keycloak-themed:cache,mode=max
+
       - run: mise run 'agentstack-ui:build:*'
       - uses: docker/build-push-action@v6
         with:
@@ -178,5 +195,5 @@ jobs:
           git fetch origin
           git checkout -B install origin/main
           git push --force --set-upstream origin install
-      
+
       - run: uv cache prune --ci

agentstack.code-workspace

@@ -1,75 +1,76 @@
 {
-    "folders": [
-        {
-            "name": "root",
-            "path": "."
-        },
-        {
-            "name": "agentstack-server",
-            "path": "apps/agentstack-server"
-        },
-        {
-            "name": "agentstack-sdk-py",
-            "path": "apps/agentstack-sdk-py"
-        },
-        {
-            "name": "agentstack-sdk-ts",
-            "path": "apps/agentstack-sdk-ts"
-        },
-        {
-            "name": "agentstack-cli",
-            "path": "apps/agentstack-cli"
-        },
-        {
-            "name": "agentstack-ui",
-            "path": "apps/agentstack-ui",
-        },
-        {
-            "name": "beeai-web",
-            "path": "apps/beeai-web",
-        },
-        {
-            "name": "agent-chat",
-            "path": "agents/chat"
-        },
-        {
-            "name": "agent-form",
-            "path": "agents/form"
-        },
-        {
-            "name": "agent-rag",
-            "path": "agents/rag"
-        },
-        {
-            "name": "agent-canvas",
-            "path": "agents/canvas"
-        },
-        {
-            "name": "helm",
-            "path": "helm"
-        }
+  "folders": [
+    {
+      "name": "root",
+      "path": ".",
+    },
+    {
+      "name": "agentstack-server",
+      "path": "apps/agentstack-server",
+    },
+    {
+      "name": "agentstack-sdk-py",
+      "path": "apps/agentstack-sdk-py",
+    },
+    {
+      "name": "agentstack-sdk-ts",
+      "path": "apps/agentstack-sdk-ts",
+    },
+    {
+      "name": "agentstack-cli",
+      "path": "apps/agentstack-cli",
+    },
+    {
+      "name": "agentstack-ui",
+      "path": "apps/agentstack-ui",
+    },
+    {
+      "name": "beeai-web",
+      "path": "apps/beeai-web",
+    },
+    {
+      "name": "keycloak-theme",
+      "path": "apps/keycloak-theme",
+    },
+    {
+      "name": "agent-chat",
+      "path": "agents/chat",
+    },
+    {
+      "name": "agent-form",
+      "path": "agents/form",
+    },
+    {
+      "name": "agent-rag",
+      "path": "agents/rag",
+    },
+    {
+      "name": "agent-canvas",
+      "path": "agents/canvas",
+    },
+    {
+      "name": "helm",
+      "path": "helm",
+    },
+  ],
+  "settings": {
+    "python.analysis.extraPaths": [
+      "${workspaceFolder}/apps/agentstack-sdk-py/src",
     ],
-    "settings": {
-        "python.analysis.extraPaths": [
-            "${workspaceFolder}/apps/agentstack-sdk-py/src"
-        ],
-        "python.analysis.diagnosticMode": "openFilesOnly",
-        "python.analysis.typeCheckingMode": "basic",
-        "files.associations": {
-            "**/helm/templates/**/*.yaml": "helm",
-            "**/helm/templates/**/*.tpl": "helm"
-        },
-        "basedpyright.analysis.diagnosticMode": "openFilesOnly",
-        "cursorpyright.analysis.diagnosticMode": "openFilesOnly",
-        "cursorpyright.analysis.extraPaths": [
-            "${workspaceFolder}/apps/agentstack-sdk-py/src"
-        ],
-        "cursorpyright.analysis.typeCheckingMode": "basic"
+    "python.analysis.diagnosticMode": "openFilesOnly",
+    "python.analysis.typeCheckingMode": "basic",
+    "files.associations": {
+      "**/helm/templates/**/*.yaml": "helm",
+      "**/helm/templates/**/*.tpl": "helm",
     },
-    "extensions": {
-        "recommendations": [
-            "detachhead.basedpyright",
-            "charliermarsh.ruff"
-        ]
-    }
-}
+    "basedpyright.analysis.diagnosticMode": "openFilesOnly",
+    "cursorpyright.analysis.diagnosticMode": "openFilesOnly",
+    "cursorpyright.analysis.extraPaths": [
+      "${workspaceFolder}/apps/agentstack-sdk-py/src",
+    ],
+    "cursorpyright.analysis.typeCheckingMode": "basic",
+  },
+  "extensions": {
+    "recommendations": ["detachhead.basedpyright", "charliermarsh.ruff"],
+  },
+}

apps/agentstack-ui/package.json

@@ -14,13 +14,13 @@
     "@a2a-js/sdk": "^0.3.7",
     "@bprogress/next": "^3.2.12",
     "@carbon/icons-react": "catalog:",
-    "@carbon/layout": "^11.44.0",
+    "@carbon/layout": "catalog:",
     "@carbon/motion": "^11.38.0",
     "@carbon/react": "catalog:",
-    "@carbon/styles": "^1.96.0",
+    "@carbon/styles": "catalog:",
     "@floating-ui/react": "^0.27.16",
     "@hookform/resolvers": "^5.2.2",
-    "@ibm/plex": "^6.4.1",
+    "@ibm/plex": "catalog:",
     "@next/bundle-analyzer": "16.1.3",
     "@radix-ui/react-slot": "^1.2.4",
     "@tanstack/react-query": "catalog:",

apps/agentstack-ui/src/app/(auth)/auth.ts

@@ -7,7 +7,6 @@ import NextAuth from 'next-auth';
 import type { OIDCConfig } from 'next-auth/providers';
 
 import { runtimeConfig } from '#contexts/App/runtime-config.ts';
-import type { AuthProvider } from '#modules/auth/types.ts';
 import { routes } from '#utils/router.ts';
 
 import type { ProviderConfig, ProviderWithId } from './types';
@@ -18,14 +17,6 @@ export const AUTH_COOKIE_NAME = 'agentstack';
 
 const { isAuthEnabled } = runtimeConfig;
 
-export function getAuthProviders(): AuthProvider[] {
-  return getProviders()
-    .filter((provider) => provider.id !== 'credentials')
-    .map((provider) => {
-      return { id: provider.id, name: provider.name };
-    });
-}
-
 function createOIDCProvider(config: ProviderConfig): OIDCConfig<unknown> {
   const options = {
     clientId: config.client_id,
@@ -53,11 +44,11 @@ function createOIDCProvider(config: ProviderConfig): OIDCConfig<unknown> {
   };
 }
 
-function getProviders(): ProviderWithId[] {
+export function getProvider(): ProviderWithId | null {
   const { isAuthEnabled } = runtimeConfig;
 
   if (!isAuthEnabled) {
-    return [];
+    return null;
   }
 
   try {
@@ -86,25 +77,27 @@ function getProviders(): ProviderWithId[] {
     // Validate using the schema
     const validatedConfig = providerConfigSchema.parse(providerConfig);
 
-    return [createOIDCProvider(validatedConfig)];
+    return createOIDCProvider(validatedConfig);
   } catch (err) {
     console.error('Unable to parse OIDC provider configuration environment variables.', err);
 
-    return [];
+    return null;
   }
 }
 
-const providers = getProviders();
+const provider = getProvider();
+
+// Prevents nextauth errors when authentication is disabled and NEXTAUTH_SECRET is not provided
+export const AUTH_SECRET = isAuthEnabled ? process.env.NEXTAUTH_SECRET : 'dummy_secret';
 
 export const { handlers, signIn, signOut, auth } = NextAuth({
-  providers,
+  providers: provider ? [provider] : [],
   pages: {
     signIn: routes.signIn(),
   },
   session: { strategy: 'jwt' },
   trustHost: true,
-  // Prevents nextauth errors when authentication is disabled and NEXTAUTH_SECRET is not provided
-  secret: isAuthEnabled ? process.env.NEXTAUTH_SECRET : 'dummy_secret',
+  secret: AUTH_SECRET,
   cookies: {
     sessionToken: {
       name: AUTH_COOKIE_NAME,
@@ -135,8 +128,12 @@ export const { handlers, signIn, signOut, auth } = NextAuth({
       }
 
       try {
+        if (!provider) {
+          return null;
+        }
+
         const proactiveTokenRefresh = trigger === 'update' && Boolean(session?.proactiveTokenRefresh);
-        return await jwtWithRefresh(token, providers, proactiveTokenRefresh);
+        return await jwtWithRefresh(token, provider, proactiveTokenRefresh);
       } catch (error) {
         console.error('Error while refreshing jwt token:', error);
 
@@ -163,10 +160,11 @@ export const { handlers, signIn, signOut, auth } = NextAuth({
         const clientSecret = process.env.OIDC_PROVIDER_CLIENT_SECRET;
 
         if (refreshToken && issuer && clientId && clientSecret) {
-          const params = new URLSearchParams();
-          params.append('client_id', clientId);
-          params.append('client_secret', clientSecret);
-          params.append('refresh_token', refreshToken as string);
+          const params = new URLSearchParams({
+            client_id: clientId,
+            client_secret: clientSecret,
+            refresh_token: refreshToken,
+          });
 
           try {
             await fetch(`${issuer}/protocol/openid-connect/logout`, {

apps/agentstack-ui/src/app/(auth)/rsc.tsx

@@ -14,7 +14,7 @@ import { logErrorDetails } from '#api/utils.ts';
 import { runtimeConfig } from '#contexts/App/runtime-config.ts';
 import { routes } from '#utils/router.ts';
 
-import { auth, AUTH_COOKIE_NAME } from './auth';
+import { auth, AUTH_COOKIE_NAME, AUTH_SECRET } from './auth';
 
 export async function ensureToken(request: Request) {
   const { isAuthEnabled } = runtimeConfig;
@@ -34,7 +34,7 @@ export async function ensureToken(request: Request) {
     request.headers.set('cookie', cookieStore.toString());
   }
 
-  const token = await getToken({ req: request, cookieName: AUTH_COOKIE_NAME, secret: process.env.NEXTAUTH_SECRET });
+  const token = await getToken({ req: request, cookieName: AUTH_COOKIE_NAME, secret: AUTH_SECRET });
 
   return token;
 }

apps/agentstack-ui/src/app/(auth)/utils.ts

@@ -20,7 +20,7 @@ interface OIDCProviderOptions {
 
 export async function jwtWithRefresh(
   token: JWT,
-  providers: ProviderWithId[],
+  tokenProvider: ProviderWithId,
   proactiveTokenRefresh: boolean = false,
 ): Promise<JWT> {
   const triggerProactiveRefresh =
@@ -30,17 +30,12 @@ export async function jwtWithRefresh(
     // Subsequent requests, `accessToken` is still valid
     return token;
   } else {
-    const { refreshToken, provider } = token;
+    const { refreshToken } = token;
     // Subsequent requests, `accessToken` has expired, try to refresh it
     if (!refreshToken) {
       throw new TypeError('Missing refreshToken');
     }
 
-    const tokenProvider = providers.find(({ id }) => id === provider);
-    if (!tokenProvider) {
-      throw new TypeError('No matching provider found');
-    }
-
     // Type assertion to ensure we have the OIDC options
     const providerOptions = tokenProvider.options as OIDCProviderOptions | undefined;
 

apps/agentstack-ui/src/modules/auth/components/AuthErrorPage.module.scss

@@ -0,0 +1,11 @@
+/**
+ * Copyright 2025 © BeeAI a Series of LF Projects, LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+.root {
+  display: flex;
+  flex-direction: column;
+  gap: $spacing-06;
+  max-inline-size: rem(540px);
+}