ci: bump version to v4.48.0

feat: Change log level to warn for OpenID callback in OpenIDController
ci: bump version to v4.47.0
2026-01-21 10:32:39 +00:00 · 2026-01-21 11:30:25 +01:00 · 2026-01-20 20:40:24 +00:00 · 2026-01-20 21:37:50 +01:00 · 2026-01-20 20:14:38 +00:00 · 2026-01-20 21:12:20 +01:00
7 changed files with 70 additions and 37 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -403,3 +403,33 @@
 ### Features

 * Add mainRoute configuration for OpenID in application and environment files ([4f52c1a](https://git.janis-eccarius.de/KnockOutWhist/KnockOutWhist-Web/commit/4f52c1a0f30cf0b917452149a52b53b94d82a7c9))
+##  (2026-01-20)
+
+### Features
+
+* Simplify authorization request creation in OpenIDConnectService and use environment variables for Keycloak configuration ([82a9706](https://git.janis-eccarius.de/KnockOutWhist/KnockOutWhist-Web/commit/82a9706deb97db193015e55a048830d496e76d83))
+##  (2026-01-20)
+
+### Features
+
+* Use environment variables for Keycloak client configuration in staging ([fccd94c](https://git.janis-eccarius.de/KnockOutWhist/KnockOutWhist-Web/commit/fccd94cc11db43f99eded13207cc93fb59d8703e))
+##  (2026-01-20)
+
+### Features
+
+* Add logging for OpenID authentication process in OpenIDController ([b729344](https://git.janis-eccarius.de/KnockOutWhist/KnockOutWhist-Web/commit/b729344d1e79c631146dd988248d033d97e12d93))
+##  (2026-01-20)
+
+### Features
+
+* Add error logging for user info retrieval in OpenIDConnectService ([861f2f1](https://git.janis-eccarius.de/KnockOutWhist/KnockOutWhist-Web/commit/861f2f1184e860fdd164481167f941c11accfedd))
+##  (2026-01-20)
+
+### Features
+
+* Add idClaimName parameter to OpenIDConnectService for flexible ID claim mapping ([2f38855](https://git.janis-eccarius.de/KnockOutWhist/KnockOutWhist-Web/commit/2f388554495d8bd44b4c533baa0f2fc27eea22c2))
+##  (2026-01-21)
+
+### Features
+
+* Change log level to warn for OpenID callback in OpenIDController ([23cdbe9](https://git.janis-eccarius.de/KnockOutWhist/KnockOutWhist-Web/commit/23cdbe9bd127bc26405fd216372bbb2d7e718a77))
--- a/2
+++ b/2
--- a/knockoutwhistweb/app/controllers/OpenIDController.scala
+++ b/knockoutwhistweb/app/controllers/OpenIDController.scala
@@ -2,7 +2,7 @@ package controllers

 import logic.user.{SessionManager, UserManager}
 import model.users.User
-import play.api.Configuration
+import play.api.{Configuration, Logger}
 import play.api.libs.json.Json
 import play.api.mvc.*
 import play.api.mvc.Cookie.SameSite.Lax
@@ -20,6 +20,8 @@ class OpenIDController @Inject()(
                                  val config: Configuration
                                )(implicit ec: ExecutionContext) extends BaseController {

+  private val logger = Logger(this.getClass)
+
  def loginWithProvider(provider: String): Action[AnyContent] = Action.async { implicit request =>
    val state = openIDService.generateState()
    val nonce = openIDService.generateNonce()
@@ -47,8 +49,11 @@ class OpenIDController @Inject()(
    val code = request.getQueryString("code")
    val error = request.getQueryString("error")

+    logger.warn(s"Received callback from $provider with state $sessionState, nonce $sessionNonce, provider $sessionProvider, returned state $returnedState, code $code, error $error")
+
    error match {
      case Some(err) =>
+        logger.error(s"Authentication failed: $err")
        Future.successful(Redirect("/login").flashing("error" -> s"Authentication failed: $err"))
      case None =>
        (for {
@@ -63,6 +68,7 @@ class OpenIDController @Inject()(
                  // Check if user already exists
                  userManager.authenticateOpenID(provider, userInfo.id) match {
                    case Some(user) =>
+                      logger.info(s"User ${userInfo.name} (${userInfo.id}) already exists, logging them in")
                      // User already exists, log them in
                      val sessionToken = sessionManager.createSession(user)
                      Future.successful(Redirect(config.getOptional[String]("openid.mainRoute").getOrElse("/"))
@@ -75,6 +81,7 @@ class OpenIDController @Inject()(
                        ))
                        .removingFromSession("oauth_state", "oauth_nonce", "oauth_provider", "oauth_access_token"))
                    case None =>
+                      logger.info(s"User ${userInfo.name} (${userInfo.id}) not found, creating new user")
                      // New user, redirect to username selection
                      Future.successful(Redirect(config.get[String]("openid.selectUserRoute"))
                        .withSession(
@@ -84,12 +91,15 @@ class OpenIDController @Inject()(
                        ))
                  }
                case None =>
+                  logger.error("Failed to retrieve user information")
                  Future.successful(Redirect("/login").flashing("error" -> "Failed to retrieve user information"))
              }
            case None =>
+              logger.error("Failed to exchange authorization code")
              Future.successful(Redirect("/login").flashing("error" -> "Failed to exchange authorization code"))
          }
        }).getOrElse {
+          logger.error("Invalid state parameter")
          Future.successful(Redirect("/login").flashing("error" -> "Invalid state parameter"))
        }
    }
--- a/knockoutwhistweb/app/services/OpenIDConnectService.scala
+++ b/knockoutwhistweb/app/services/OpenIDConnectService.scala
@@ -2,7 +2,7 @@ package services

 import com.typesafe.config.Config
 import play.api.libs.ws.WSClient
-import play.api.Configuration
+import play.api.{Configuration, Logger}
 import play.api.libs.json.*

 import java.net.URI
@@ -11,7 +11,6 @@ import scala.concurrent.{ExecutionContext, Future}
 import com.nimbusds.oauth2.sdk.*
 import com.nimbusds.oauth2.sdk.id.*
 import com.nimbusds.openid.connect.sdk.*
-
 import play.api.libs.ws.DefaultBodyWritables.*

 case class OpenIDUserInfo(
@@ -36,7 +35,8 @@ case class OpenIDProvider(
  authorizationEndpoint: String,
  tokenEndpoint: String,
  userInfoEndpoint: String,
-  scopes: Set[String] = Set("openid", "profile", "email")
+  scopes: Set[String] = Set("openid", "profile", "email"),
+  idClaimName: String = "id"
 )

 case class TokenResponse(
@@ -50,6 +50,8 @@ case class TokenResponse(
@Singleton
 class OpenIDConnectService@Inject(ws: WSClient, config: Configuration)(implicit ec: ExecutionContext) {

+  private val logger = Logger(this.getClass)
+
  private val providers = Map(
    "discord" -> OpenIDProvider(
      name = "Discord",
@@ -69,36 +71,22 @@ class OpenIDConnectService@Inject(ws: WSClient, config: Configuration)(implicit
      authorizationEndpoint = config.get[String]("openid.keycloak.authUrl") + "/protocol/openid-connect/auth",
      tokenEndpoint = config.get[String]("openid.keycloak.authUrl") + "/protocol/openid-connect/token",
      userInfoEndpoint = config.get[String]("openid.keycloak.authUrl") + "/protocol/openid-connect/userinfo",
-      scopes = Set("openid", "profile", "email")
+      scopes = Set("openid", "profile", "email"),
+      idClaimName = "sub"
    )
  )

  def getAuthorizationUrl(providerName: String, state: String, nonce: String): Option[String] = {
    providers.get(providerName).map { provider =>
-      val authRequest = if (provider.scopes.contains("openid")) {
-        // Use OpenID Connect AuthenticationRequest for OpenID providers
-        new AuthenticationRequest.Builder(
-          new ResponseType(ResponseType.Value.CODE),
-          new com.nimbusds.oauth2.sdk.Scope(provider.scopes.mkString(" ")),
-          new com.nimbusds.oauth2.sdk.id.ClientID(provider.clientId),
-          URI.create(provider.redirectUri)
-        )
-          .state(new com.nimbusds.oauth2.sdk.id.State(state))
-          .nonce(new Nonce(nonce))
-          .endpointURI(URI.create(provider.authorizationEndpoint))
-          .build()
-      } else {
-        // Use standard OAuth2 AuthorizationRequest for non-OpenID providers (like Discord)
-        new AuthorizationRequest.Builder(
-          new ResponseType(ResponseType.Value.CODE),
-          new com.nimbusds.oauth2.sdk.id.ClientID(provider.clientId)
-        )
-          .scope(new com.nimbusds.oauth2.sdk.Scope(provider.scopes.mkString(" ")))
-          .state(new com.nimbusds.oauth2.sdk.id.State(state))
-          .redirectionURI(URI.create(provider.redirectUri))
-          .endpointURI(URI.create(provider.authorizationEndpoint))
-          .build()
-      }
+      val authRequest = new AuthorizationRequest.Builder(
+        new ResponseType(ResponseType.Value.CODE),
+        new com.nimbusds.oauth2.sdk.id.ClientID(provider.clientId)
+      )
+        .scope(new com.nimbusds.oauth2.sdk.Scope(provider.scopes.mkString(" ")))
+        .state(new com.nimbusds.oauth2.sdk.id.State(state))
+        .redirectionURI(URI.create(provider.redirectUri))
+        .endpointURI(URI.create(provider.authorizationEndpoint))
+        .build()

      authRequest.toURI.toString
    }
@@ -150,7 +138,7 @@ class OpenIDConnectService@Inject(ws: WSClient, config: Configuration)(implicit
            if (response.status == 200) {
              val json = response.json
              Some(OpenIDUserInfo(
-                id = (json \ "id").as[String],
+                id = (json \ provider.idClaimName).as[String],
                email = (json \ "email").asOpt[String],
                name = (json \ "name").asOpt[String].orElse((json \ "login").asOpt[String]),
                picture = (json \ "picture").asOpt[String].orElse((json \ "avatar_url").asOpt[String]),
@@ -158,10 +146,15 @@ class OpenIDConnectService@Inject(ws: WSClient, config: Configuration)(implicit
                providerName = provider.name
              ))
            } else {
+              logger.error(s"Failed to retrieve user info from ${provider.userInfoEndpoint}, status code ${response.status}")
              None
            }
          }
-          .recover { case _ => None }
+          .recover { case e => {
+            logger.error(s"Failed to retrieve user info from ${provider.userInfoEndpoint}", e)
+            None
+          }
+          }
      case None => Future.successful(None)
    }
  }
--- a/knockoutwhistweb/conf/prod.conf
+++ b/knockoutwhistweb/conf/prod.conf
@@ -28,8 +28,8 @@ openid {
  }
  
  keycloak {
-    clientId = "your-keycloak-client-id"
-    clientSecret = "your-keycloak-client-secret"
+    clientId = ${?KEYCLOAK_CLIENT_ID}
+    clientSecret = ${?KEYCLOAK_CLIENT_SECRET}
    redirectUri = "https://knockout.janis-eccarius.de/api/auth/keycloak/callback"
    authUrl = ${?KEYCLOAK_AUTH_URL}
    authUrl = "https://identity.janis-eccarius.de/realms/master"
--- a/knockoutwhistweb/conf/staging.conf
+++ b/knockoutwhistweb/conf/staging.conf
@@ -25,8 +25,8 @@ openid {
  }
  
  keycloak {
-    clientId = "your-keycloak-client-id"
-    clientSecret = "your-keycloak-client-secret"
+    clientId = ${?KEYCLOAK_CLIENT_ID}
+    clientSecret = ${?KEYCLOAK_CLIENT_SECRET}
    redirectUri = "https://st.knockout.janis-eccarius.de/api/auth/keycloak/callback"
    authUrl = ${?KEYCLOAK_AUTH_URL}
    authUrl = "https://identity.janis-eccarius.de/realms/master"
--- a/versions.env
+++ b/versions.env
@@ -1,3 +1,3 @@
 MAJOR=4
-MINOR=42
+MINOR=48
 PATCH=0
Author	SHA1	Message	Date
TeamCity	b278f755b4	ci: bump version to v4.48.0	2026-01-21 10:32:39 +00:00
Janis	23cdbe9bd1	feat: Change log level to warn for OpenID callback in OpenIDController	2026-01-21 11:30:25 +01:00
TeamCity	416baebab5	ci: bump version to v4.47.0	2026-01-20 20:40:24 +00:00
Janis	2f38855449	feat: Add idClaimName parameter to OpenIDConnectService for flexible ID claim mapping	2026-01-20 21:37:50 +01:00
TeamCity	1a3cb5044f	ci: bump version to v4.46.0	2026-01-20 20:14:38 +00:00
Janis	861f2f1184	feat: Add error logging for user info retrieval in OpenIDConnectService	2026-01-20 21:12:20 +01:00
TeamCity	773b760bc1	ci: bump version to v4.45.0	2026-01-20 20:06:17 +00:00
Janis	b729344d1e	feat: Add logging for OpenID authentication process in OpenIDController	2026-01-20 21:03:47 +01:00
TeamCity	9a194a9fd7	ci: bump version to v4.44.0	2026-01-20 19:50:33 +00:00
Janis	fccd94cc11	feat: Use environment variables for Keycloak client configuration in staging	2026-01-20 20:48:18 +01:00
TeamCity	27da1327c1	ci: bump version to v4.43.0	2026-01-20 19:42:30 +00:00
Janis	82a9706deb	feat: Simplify authorization request creation in OpenIDConnectService and use environment variables for Keycloak configuration	2026-01-20 20:39:56 +01:00