Open
Pull request overview
This PR adds support for Keycloak-flavored OIDC/JWT tokens (different typ claim and user-identifying claim like preferred_username) so Joanie can correctly authenticate and synchronize users when Richie is configured with Keycloak.
Changes:
- Introduces a Keycloak-compatible JWT token class and makes SimpleJWT settings configurable for Keycloak (`ISSUER`, `JWK_URL`, `TOKEN_TYPE_CLAIM`, `USER_ID_CLAIM`).
- Centralizes username extraction from authenticated requests via a new `get_authenticated_username` helper and updates multiple endpoints/filters to use it.
- Extends the test suite (and perf expectations) to cover Keycloak token shapes and resulting user-sync queries.
Reviewed changes
Copilot reviewed 22 out of 22 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| src/backend/joanie/core/authentication.py | Adds Keycloak token class and tweaks token→user field extraction logic. |
| src/backend/joanie/core/utils/api.py | New helper to read the authenticated username from request/token claims. |
| src/backend/joanie/core/utils/jwt_tokens.py | Generates Keycloak-shaped tokens when an issuer is configured. |
| src/backend/joanie/settings.py | Makes SimpleJWT configurable for Keycloak and allows Keycloak token class. |
| src/backend/joanie/payment/api.py | Uses shared username extraction helper for credit-card ownership operations. |
| src/backend/joanie/core/filters/client/certificate.py | Uses shared username extraction helper in certificate filtering. |
| src/backend/joanie/core/api/client/init.py | Replaces repeated auth-username extraction with the shared helper across many endpoints. |
| src/backend/joanie/tests/base.py | Updates test token generation to support Keycloak token shapes. |
| src/backend/joanie/tests/core/test_api_base.py | Adds coverage for token generation when Keycloak issuer is configured. |
| src/backend/joanie/tests/core/test_models_user.py | Adds Keycloak-oriented user sync tests and settings patches. |
| src/backend/joanie/tests/core/test_models_user.perf.yml | Updates perf expectations for user sync queries (incl. Keycloak case). |
| src/backend/joanie/tests/core/test_authentication_delegated_jwt_authentication.py | Adds a Keycloak-focused test class for delegated JWT auth behavior. |
| src/backend/joanie/tests/core/test_api_courses_contract.perf.yml | Updates perf expectations to include user sync UPDATE query. |
| src/backend/joanie/tests/core/test_api_course_accesses.perf.yml | Updates perf expectations to include user sync UPDATE query. |
| src/backend/joanie/tests/core/test_api_contract.perf.yml | Updates perf expectations to include user sync UPDATE query. |
| src/backend/joanie/tests/core/api/organizations/test_list.perf.yml | Updates perf expectations to include user sync UPDATE query. |
| src/backend/joanie/tests/core/api/organizations/test_api_organizations_contract.perf.yml | Updates perf expectations to include user sync UPDATE query. |
| src/backend/joanie/tests/core/api/organizations/test_api_organizations_agreements.perf.yml | Updates perf expectations to include user sync UPDATE query. |
| src/backend/joanie/tests/core/api/organizations/test_api_organization_accesses.perf.yml | Updates perf expectations to include user sync UPDATE query. |
| src/backend/joanie/tests/core/api/order/test_create.perf.yml | Updates perf expectations to include user sync UPDATE query. |
| env.d/development/common.dist | Documents env vars for Keycloak integration and JWT claim mapping. |
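To make the claim-mapping point in the overview concrete: SimpleJWT by default expects a `token_type` claim equal to `access` and reads the user from `user_id`, whereas a Keycloak access token carries `typ: "Bearer"` and identifies the user with `preferred_username`. The following is an added, stdlib-only illustration and is not Joanie's code nor the PR's `KeycloakAccessToken` class; the settings dicts, the `EXPECTED_TOKEN_TYPE` key, the issuer URL and the `authenticate` / `build_keycloak_token` helpers are all assumed names and constructed values. It signs with HS256 and a constructed shared secret so it runs offline; the real integration fetches Keycloak's RSA keys through `JWK_URL`.

```python
"""Keycloak-shaped JWT claim mapping, illustrated (added example, not project code)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# SimpleJWT's default claim names versus the Keycloak mapping (assumed names/values).
DEFAULT_JWT_SETTINGS = {
    "ISSUER": None,                     # SimpleJWT default: issuer not checked
    "TOKEN_TYPE_CLAIM": "token_type",   # SimpleJWT default claim name
    "EXPECTED_TOKEN_TYPE": "access",    # value SimpleJWT's AccessToken expects
    "USER_ID_CLAIM": "user_id",         # SimpleJWT default claim name
}
KEYCLOAK_JWT_SETTINGS = {
    "ISSUER": "https://keycloak.example.test/realms/richie",  # constructed
    "TOKEN_TYPE_CLAIM": "typ",                # Keycloak access tokens carry typ=Bearer
    "EXPECTED_TOKEN_TYPE": "Bearer",
    "USER_ID_CLAIM": "preferred_username",    # Keycloak's user-identifying claim
}

SECRET = b"constructed-demo-secret"  # stands in for a key fetched via JWK_URL


class InvalidToken(Exception):
    """Raised when signature or claims do not satisfy the configured mapping."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_token(payload: dict) -> str:
    """Build an HS256-signed JWT from a payload dict (constructed sample data)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def build_keycloak_token(username: str, issued_at: float) -> str:
    """Construct a token with the claim shape a Keycloak access token has."""
    return encode_token({
        "iss": KEYCLOAK_JWT_SETTINGS["ISSUER"],
        "typ": "Bearer",
        "preferred_username": username,
        "iat": issued_at,
        "exp": issued_at + 300,
    })


def authenticate(token: str, settings: dict, now: Optional[float] = None) -> str:
    """Verify signature, expiry, issuer and token type; return the username claim."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise InvalidToken("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")  # the token must not choose its own algorithm
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidToken("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if payload.get("exp") is None or payload["exp"] <= now:
        raise InvalidToken("expired")
    if settings["ISSUER"] is not None and payload.get("iss") != settings["ISSUER"]:
        raise InvalidToken("wrong issuer")
    if payload.get(settings["TOKEN_TYPE_CLAIM"]) != settings["EXPECTED_TOKEN_TYPE"]:
        raise InvalidToken("wrong token type")
    username = payload.get(settings["USER_ID_CLAIM"])
    if not username:
        raise InvalidToken("missing user-identifying claim")
    return username


def authenticate_or_error(token: str, settings: dict, now: float) -> Tuple[Optional[str], Optional[str]]:
    """Convenience wrapper: (username, None) on success, (None, reason) on rejection."""
    try:
        return authenticate(token, settings, now), None
    except InvalidToken as exc:
        return None, str(exc)


if __name__ == "__main__":
    issued = 1_900_000_000
    tok = build_keycloak_token("alice", issued)
    print(authenticate_or_error(tok, DEFAULT_JWT_SETTINGS, issued))   # rejected: wrong token type
    print(authenticate_or_error(tok, KEYCLOAK_JWT_SETTINGS, issued))  # ('alice', None)
```

Running the module shows the same Keycloak-shaped token being rejected under SimpleJWT's default claim names and accepted once the token-type and user-id claims are remapped; the issuer check is what ties the token back to the configured realm.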
fa37e7a to 499c8fe
jonathanreveille approved these changes on Jan 26, 2026
Replaced repetitive username extraction logic across views with a centralized `get_authenticated_username` utility. This improves code readability and reduces duplication.
Added support for Keycloak JWT tokens, including custom claims and a dedicated `KeycloakAccessToken` class.
liamls approved these changes on Feb 6, 2026
Purpose
Now that Richie users can log in with Keycloak OpenID, we have to support the token that is sent.