OasisLMF · SkylordA · Jan 16, 2026 · Jan 19, 2026 · Feb 17, 2026 · Feb 20, 2026
diff --git a/.env b/.env
@@ -1,4 +1,105 @@
+# ============================================================================
+# KEYCLOAK OIDC AUTHENTICATION CONFIGURATION
+# ============================================================================
+# Uses Keycloak as the identity provider for OIDC authentication
+# Keycloak Admin: http://localhost:8080/auth/admin (keycloak / password)
+
+# Project Configuration
+COMPOSE_PROJECT_NAME=oasispythonui
+OASIS_DEBUG=1
+
+# Docker socket path (Docker Desktop uses ~/.docker/desktop/docker.sock)
+# Standard Docker: /var/run/docker.sock
+DOCKER_SOCK=/var/run/docker.sock
+
+# Hostname Configuration
+OASIS_UI_HOSTNAME=ui.oasis.local
+OASIS_PROTOCOL=http
+
+# Authentication Type
+API_AUTH_TYPE=keycloak
+OASIS_SERVER_ALLOWED_OIDC_AUTH_PROVIDERS=keycloak,authentik
+
+# Image Versions
 SERVER_IMG=coreoasis/api_server
+VERS_API=2.5
 WORKER_IMG=coreoasis/model_worker
-SCENARIOS_UI_IMG=coreoasis/oasis_scenarios
-SCENARIOS_PATH=../Scenarios
+VERS_WORKER=2.5
+PYTHONUI_IMG=coreoasis/oasispythonui_app
+VERS_UI=latest
+VERS_PIWIND=stable/2.5.x
+
+# Database Configuration
+OASIS_SERVER_DB_HOST=server-db
+OASIS_SERVER_DB_PORT=5432
+OASIS_SERVER_DB_NAME=oasis
+OASIS_SERVER_DB_USER=oasis
+OASIS_SERVER_DB_PASS=oasis
+
+OASIS_CELERY_DB_HOST=celery-db
+OASIS_CELERY_DB_PORT=5432
+OASIS_CELERY_DB_NAME=celery
+OASIS_CELERY_DB_USER=celery
+OASIS_CELERY_DB_PASS=password
+
+# Broker & Channel Layer
+RABBITMQ_DEFAULT_USER=rabbit
+RABBITMQ_DEFAULT_PASS=rabbit
+OASIS_CELERY_BROKER_URL=amqp://rabbit:rabbit@broker:5672
+REDIS_HOST=channel-layer
+REDIS_PORT=6379
+OASIS_SERVER_CHANNEL_LAYER_SSL=false
+
+# ============================================================================
+# KEYCLOAK CONFIGURATION
+# ============================================================================
+
+# Keycloak Service
+KEYCLOAK_HOST=keycloak
+KEYCLOAK_PORT=8080
+
+# Keycloak Admin Console Credentials
+KEYCLOAK_ADMIN_USER=keycloak
+KEYCLOAK_ADMIN_PASSWORD=password
+
+# Keycloak Database
+KEYCLOAK_DB_NAME=keycloak
+KEYCLOAK_DB_USER=keycloak
+KEYCLOAK_DB_PASSWORD=password
+
+# OIDC Client Configuration
+# These match the realm configuration in oidc/keycloak/oasis-realm.json.template
+OIDC_KEYCLOAK_CLIENT_NAME=oasis-server
+OIDC_KEYCLOAK_CLIENT_SECRET=e4f4fb25-2250-4210-a7d6-9b16c3d2ab77
+
+# Service Account Client (for service-to-service auth)
+OASIS_SERVICE_CLIENT_NAME=oasis-service
+OASIS_SERVICE_CLIENT_SECRET=serviceNotSoSecret
+
+# Advanced Configuration
+OASIS_PORTFOLIO_UPLOAD_VALIDATION=0
+OASIS_OASISLMF_VERSION=
+OASIS_ODS_VERSION=
+OASIS_ODM_VERSION=
+OASIS_OED_SCHEMA_INFO=
+
+# ============================================================================
+# User Configuration:
+#   - Default users defined in: oidc/keycloak/users.yaml
+#   - Edit that file to add/modify users
+#   - Users: admin (admin), user (non-admin)
+#
+# Quick Start:
+#   1. cp .env.keycloak .env
+#   2. ./install.sh
+#   3. Wait for Keycloak to start (can take 2-3 minutes first time)
+#   4. Access Keycloak Admin: http://localhost:8080/auth/admin
+#   5. Access UI: http://localhost:8501
+#   6. Login via Keycloak
+#
+# OIDC Endpoints (routed through traefik on port 80):
+#   - Authorization: http://localhost/auth/realms/oasis/protocol/openid-connect/auth
+#   - Token: http://localhost/auth/realms/oasis/protocol/openid-connect/token
+#   - UserInfo: http://localhost/auth/realms/oasis/protocol/openid-connect/userinfo
+#   - Keycloak Admin (direct): http://localhost:8080/auth/admin
+# ============================================================================
diff --git a/.env.authentik b/.env.authentik
@@ -0,0 +1,116 @@
+# ============================================================================
+# AUTHENTIK OIDC AUTHENTICATION CONFIGURATION
+# ============================================================================
+# Uses Authentik as the identity provider for OIDC authentication
+# Authentik Admin: http://localhost:9000/authentik/if/admin (akadmin / password)
+
+# Project Configuration
+COMPOSE_PROJECT_NAME=oasispythonui
+OASIS_DEBUG=1
+
+# Docker socket path (Docker Desktop uses ~/.docker/desktop/docker.sock)
+# Standard Docker: /var/run/docker.sock
+DOCKER_SOCK=/var/run/docker.sock
+
+# Hostname Configuration
+OASIS_UI_HOSTNAME=ui.oasis.local
+OASIS_PROTOCOL=http
+
+# Authentication Type
+API_AUTH_TYPE=authentik
+OASIS_SERVER_ALLOWED_OIDC_AUTH_PROVIDERS=keycloak,authentik
+
+# Image Versions
+SERVER_IMG=coreoasis/api_server
+VERS_API=2.5
+WORKER_IMG=coreoasis/model_worker
+VERS_WORKER=2.5
+PYTHONUI_IMG=coreoasis/oasispythonui_app
+VERS_UI=latest
+VERS_PIWIND=stable/2.5.x
+
+# Database Configuration
+OASIS_SERVER_DB_HOST=server-db
+OASIS_SERVER_DB_PORT=5432
+OASIS_SERVER_DB_NAME=oasis
+OASIS_SERVER_DB_USER=oasis
+OASIS_SERVER_DB_PASS=oasis
+
+OASIS_CELERY_DB_HOST=celery-db
+OASIS_CELERY_DB_PORT=5432
+OASIS_CELERY_DB_NAME=celery
+OASIS_CELERY_DB_USER=celery
+OASIS_CELERY_DB_PASS=password
+
+# Broker & Channel Layer
+RABBITMQ_DEFAULT_USER=rabbit
+RABBITMQ_DEFAULT_PASS=rabbit
+OASIS_CELERY_BROKER_URL=amqp://rabbit:rabbit@broker:5672
+REDIS_HOST=channel-layer
+REDIS_PORT=6379
+OASIS_SERVER_CHANNEL_LAYER_SSL=false
+
+# ============================================================================
+# AUTHENTIK CONFIGURATION
+# ============================================================================
+
+# Authentik Service
+AUTHENTIK_HOST=authentik
+AUTHENTIK_PORT=9000
+
+# Authentik Bootstrap Configuration (initial setup)
+AUTHENTIK_BOOTSTRAP_USER=akadmin
+AUTHENTIK_BOOTSTRAP_EMAIL=akadmin@example.com
+AUTHENTIK_BOOTSTRAP_PASSWORD=password
+AUTHENTIK_BOOTSTRAP_TOKEN=my-demo-token-abc123
+
+# Authentik Secret Key (for encryption)
+# CHANGE THIS IN PRODUCTION!
+AUTHENTIK_SECRET_KEY=notsosecretkey
+
+# Authentik Database
+AUTHENTIK_DB_NAME=authentik
+AUTHENTIK_DB_USER=authentik
+AUTHENTIK_DB_PASSWORD=password
+
+# OIDC Client Configuration
+# These match the blueprint configuration in oidc/authentik/oasis-blueprint.yaml.template
+OIDC_AUTHENTIK_CLIENT_NAME=oasis-server
+OIDC_AUTHENTIK_CLIENT_SECRET=EfNMUM3GG1bd1CYUvNfiBGWKfvbGFiNAdutEqHSarZ9H7oL0sZfKLvPT1ujaqVm2839Vka8Ky0elliMQ6yWKN8Jv8dzh3BeVFn0F7LPquGkIus6JJ9nGH1vtfCt7AhtO
+
+# Service Account Client (for service-to-service auth)
+OASIS_SERVICE_CLIENT_NAME=oasis-service
+OASIS_SERVICE_CLIENT_SECRET=serviceNotSoSecret
+
+# Advanced Configuration
+OASIS_PORTFOLIO_UPLOAD_VALIDATION=0
+OASIS_OASISLMF_VERSION=
+OASIS_ODS_VERSION=
+OASIS_ODM_VERSION=
+OASIS_OED_SCHEMA_INFO=
+
+# ============================================================================
+# User Configuration:
+#   - Default users defined in: oidc/authentik/users.yaml
+#   - Edit that file to add/modify users
+#   - Users: admin (admin), user (non-admin)
+#
+# Quick Start:
+#   1. cp .env.authentik .env
+#   2. ./install.sh
+#   3. Wait for Authentik to start (can take 2-3 minutes first time)
+#   4. Access Authentik Admin: http://localhost:9000/authentik/if/admin
+#   5. Access UI: http://localhost:8501
+#   6. Login via Authentik
+#
+# OIDC Endpoints (routed through traefik on port 80):
+#   - Authorization: http://localhost/authentik/application/o/authorize/
+#   - Token: http://localhost/authentik/application/o/token/
+#   - UserInfo: http://localhost/authentik/application/o/userinfo/
+#   - Authentik Admin (direct): http://localhost:9000/authentik/if/admin
+#
+# Security Notes:
+#   - AUTHENTIK_SECRET_KEY must be changed in production!
+#   - This key is used for encrypting sensitive data
+#   - Generate a secure random key for production use
+# ============================================================================