From f0dae529bce437439d450e766bef8c67217ca7c5 Mon Sep 17 00:00:00 2001
From: Anthony LC
Date: Wed, 10 Dec 2025 22:36:31 +0100
Subject: [PATCH 1/7] =?UTF-8?q?=E2=99=BB=EF=B8=8F(frontend)=20replace=20au?=
 =?UTF-8?q?th=20redirect=20logic=20for=20home?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
To be intercepted by ingress redirects, we need to redirect using window.location instead of using Next.js router. The Next.js router does not trigger a full page reload, so the ingress redirect logic is not executed.
---
 .../apps/impress/src/features/auth/components/Auth.tsx | 2 +-
 src/frontend/apps/impress/src/features/auth/conf.ts | 2 +-
 src/frontend/apps/impress/src/pages/login/index.tsx | 5 +----
 3 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/src/frontend/apps/impress/src/features/auth/components/Auth.tsx b/src/frontend/apps/impress/src/features/auth/components/Auth.tsx
index 414ac51b61..ea079d1f9d 100644
--- a/src/frontend/apps/impress/src/features/auth/components/Auth.tsx
+++ b/src/frontend/apps/impress/src/features/auth/components/Auth.tsx
@@ -44,7 +44,7 @@ export const Auth = ({ children }: PropsWithChildren) => {
 if (config?.FRONTEND_HOMEPAGE_FEATURE_ENABLED) {
 if (pathname !== HOME_URL) {
 setIsRedirecting(true);
- void replace(HOME_URL).then(() => setIsRedirecting(false));
+ window.location.replace(HOME_URL);
 }
 return;
diff --git a/src/frontend/apps/impress/src/features/auth/conf.ts b/src/frontend/apps/impress/src/features/auth/conf.ts
index c44fe01884..4e58db0fd6 100644
--- a/src/frontend/apps/impress/src/features/auth/conf.ts
+++ b/src/frontend/apps/impress/src/features/auth/conf.ts
@@ -1,6 +1,6 @@
 import { baseApiUrl } from '@/api';
-export const HOME_URL = '/home';
+export const HOME_URL = '/home/';
 export const LOGIN_URL = `${baseApiUrl()}authenticate/`;
 export const LOGOUT_URL = `${baseApiUrl()}logout/`;
 export const PATH_AUTH_LOCAL_STORAGE = 'docs-path-auth';
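Review bot: With HOME_URL now ending in a slash (conf.ts hunk of this commit), the `if (pathname !== HOME_URL)` guard just above the changed line compares a router pathname against '/home/'; if `pathname` comes from the Next.js router it is normalised without a trailing slash unless `trailingSlash` is configured, so on /home/ the guard stays true and `window.location.replace(HOME_URL)` reloads the same URL in a loop whenever no ingress redirect sits in front (local dev, `ingressRedirects.enabled: false`). I would compare with the slash stripped, `if (pathname.replace(/\/$/, '') !== HOME_URL.replace(/\/$/, '')) {`, and put `// full navigation on purpose: the ingress redirect only fires on a real page load` above the replace so nobody reinstates the router call. `setIsRedirecting(true)` is now never reset, which is fine because the document unloads, but that deserves a word in the same comment. The Auth component's body continues outside the hunk.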
diff --git a/src/frontend/apps/impress/src/pages/login/index.tsx b/src/frontend/apps/impress/src/pages/login/index.tsx
index f76bb8969a..2e06f82628 100644
--- a/src/frontend/apps/impress/src/pages/login/index.tsx
+++ b/src/frontend/apps/impress/src/pages/login/index.tsx
@@ -1,10 +1,7 @@
-import { useRouter } from 'next/router';
-
 import { HOME_URL } from '@/features/auth';
 const Page = () => {
- const { replace } = useRouter();
- void replace(HOME_URL);
+ window.location.replace(HOME_URL);
 };
 export default Page;
From 6be997840f491a0058239dcfa89d4337b89b1aa2 Mon Sep 17 00:00:00 2001
From: Anthony LC
Date: Thu, 11 Dec 2025 09:58:59 +0100
Subject: [PATCH 2/7] =?UTF-8?q?=E2=9C=A8(helm)=20create=20ingress-redirect?=
 =?UTF-8?q?s=20template?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Create a new Helm template for ingress redirects and update the values.yaml file accordingly. We will be able to manage ingress redirects through Helm charts easily.
---
 CHANGELOG.md | 1 +
 .../impress/templates/ingress-redirects.yaml | 49 +++++++++++++++++++
 src/helm/impress/values.yaml | 6 +++
 3 files changed, 56 insertions(+)
 create mode 100644 src/helm/impress/templates/ingress-redirects.yaml
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9a1dd073b5..f21d284356 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@ and this project adheres to
 ### Added
 - ✨(backend) allow to create a new user in a marketing system
+- ✨(helm) redirecting system #1697
 ### Changed
diff --git a/src/helm/impress/templates/ingress-redirects.yaml b/src/helm/impress/templates/ingress-redirects.yaml
new file mode 100644
index 0000000000..2197ab1a14
--- /dev/null
+++ b/src/helm/impress/templates/ingress-redirects.yaml
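Review bot: `window.location.replace(HOME_URL)` now runs in the render body of a `pages/` component, where `window` is undefined during server rendering and the `next build` prerender, so this page throws a ReferenceError there instead of redirecting; the removed `useRouter` call at least existed on the server. The component also returns `undefined`, which React treats as an error in older versions and as an empty render in newer ones. Move the navigation into an effect and return `null`, adding `import { useEffect } from 'react';` at the top of the file.

```typescript
// … unchanged: HOME_URL import …
const Page = () => {
  // Runs only in the browser: window is not defined during SSR/prerender.
  useEffect(() => {
    window.location.replace(HOME_URL);
  }, []);
  return null;
};
```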
@@ -0,0 +1,49 @@
+{{- if and .Values.ingress.enabled .Values.ingressRedirects.enabled }}
+{{- $fullName := include "impress.fullname" . -}}
+{{- $ns := .Release.Namespace -}}
+{{- $class := .Values.ingress.className -}}
+{{- $defaultHost := .Values.ingressRedirects.defaultHost | default .Values.ingress.host -}}
+
+{{- range $i, $r := .Values.ingressRedirects.rules }}
+{{- $host := $r.host | default $defaultHost -}}
+{{- $from := $r.from | default "/home" -}}
+{{- $to := required (printf "ingressRedirects.rules[%d].to is required" $i) $r.to -}}
+{{- $name := printf "%s-redirect-%s" $fullName (replace "/" "-" (trimAll "/" $from)) | trunc 63 | trimSuffix "-" -}}
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ $name }}
+ namespace: {{ $ns }}
+ annotations:
+ {{- if or (not $r.code) (eq (toString $r.code) "301") }}
+ nginx.ingress.kubernetes.io/permanent-redirect: "{{ $to }}"
+ {{- else }}
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ return {{ $r.code }} {{ $to }};
+ {{- end }}
+spec:
+ {{- if $class }}
+ ingressClassName: {{ $class }}
+ {{- end }}
+ rules:
+ - host: {{ $host }}
+ http:
+ paths:
+ - path: {{ $from }}
+ pathType: Exact
+ backend:
+ service:
+ name: {{ include "impress.frontend.fullname" $ }}
+ port:
+ number: {{ $.Values.frontend.service.port }}
+ - path: {{ printf "%s/" (trimSuffix "/" $from) }}
+ pathType: Exact
+ backend:
+ service:
+ name: {{ include "impress.frontend.fullname" $ }}
+ port:
+ number: {{ $.Values.frontend.service.port }}
+---
+{{- end }}
+{{- end }}
diff --git a/src/helm/impress/values.yaml b/src/helm/impress/values.yaml
index f063e478d7..db648df6aa 100644
--- a/src/helm/impress/values.yaml
+++ b/src/helm/impress/values.yaml
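Review bot: `$name` on the `{{- $name := printf "%s-redirect-%s" ... }}` line is derived only from `$from`, so two rules that redirect the same path on different hosts (the case the per-rule `host` override exists for) render two Ingress objects with the same `metadata.name` in one namespace and the release either fails or one object silently replaces the other; this line is kept unchanged by the fixup in patch 4. Letting a rule carry its own name fixes that without renaming existing objects: `{{- $name := printf "%s-redirect-%s" $fullName ($r.name | default (replace "/" "-" (trimAll "/" $from))) | trunc 63 | trimSuffix "-" -}}`. A header comment describing the rule shape would also help, since values.yaml documents none of it: `# One Ingress per rule {host?, from?, to, code?}; answers both from and from/ with a redirect to "to".`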
@@ -85,6 +85,12 @@ ingressCollaborationWS:
 nginx.ingress.kubernetes.io/proxy-send-timeout: "86400"
 nginx.ingress.kubernetes.io/upstream-hash-by: $arg_room
+ingressRedirects:
+ enabled: false
+ namePrefix: impress-redir
+ defaultHost: impress.example.com
+ rules: []
+
 ## @param ingressCollaborationApi.enabled whether to enable the Ingress or not
 ## @param ingressCollaborationApi.className IngressClass to use for the Ingress
 ## @param ingressCollaborationApi.host Host for the Ingress
From dc4f84ac81a7cb3a9432d1a5abc37f6209d9183c Mon Sep 17 00:00:00 2001
From: Anthony LC
Date: Thu, 11 Dec 2025 10:05:54 +0100
Subject: [PATCH 3/7] testing-purpose-will-not-be-merged
---
 src/helm/env.d/feature/values.impress.yaml.gotmpl | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/src/helm/env.d/feature/values.impress.yaml.gotmpl b/src/helm/env.d/feature/values.impress.yaml.gotmpl
index 050c35ece2..c6d69fee16 100644
--- a/src/helm/env.d/feature/values.impress.yaml.gotmpl
+++ b/src/helm/env.d/feature/values.impress.yaml.gotmpl
@@ -141,6 +141,14 @@ yProvider:
 COLLABORATION_SERVER_SECRET: my-secret
 Y_PROVIDER_API_KEY: my-secret
+ingressRedirects:
+ enabled: true
+ defaultHost: {{ .Values.feature }}-docs.{{ .Values.domain }}
+ rules:
+ - name: home
+ from: /home
+ to: https://lasuite.numerique.gouv.fr/produits/docs
+
 ingress:
 enabled: true
 host: {{ .Values.feature }}-docs.{{ .Values.domain }}
From f8b3cbe5e934c651471c7ffb024c0c26a56bfbd0 Mon Sep 17 00:00:00 2001
From: Anthony LC
Date: Mon, 15 Dec 2025 14:53:30 +0100
Subject: [PATCH 4/7] =?UTF-8?q?fixup!=20=E2=9C=A8(helm)=20create=20ingress?=
 =?UTF-8?q?-redirects=20template?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../impress/templates/ingress-redirects.yaml | 34 +++++++++++++------
 src/helm/impress/values.yaml | 8 +++--
 2 files changed, 30 insertions(+), 12 deletions(-)
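Review bot: The new `ingressRedirects` block carries no `## @param` lines, while the `ingressCollaborationApi` keys that follow it in the same hunk document each of theirs, and the fixup in patch 4 (values.yaml hunk `@@ -87,8 +87,12 @@`) reshapes the block without adding any. Add one line per key above the block, e.g. `## @param ingressRedirects.enabled whether to render the redirect Ingress objects` and `## @param ingressRedirects.rules list of redirect rules (host, from, to, code)`, and cover `host`, `className` and the `tls` sub-keys the same way once the fixup lands.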
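Review bot: The `name: home` key on the added rule is never read by the template in this series (the Ingress name is derived from `from` on the `$name` line of ingress-redirects.yaml), so it is silently ignored and a reader of these values will assume it matters. Either drop it or make the template consume it; the same key is repeated for the second rule added in patch 5 (`@@ -143,11 +143,14 @@`). The commit is marked testing-only, so this only matters if these values stay around as the reference example.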
diff --git a/src/helm/impress/templates/ingress-redirects.yaml b/src/helm/impress/templates/ingress-redirects.yaml
index 2197ab1a14..2415149ce8 100644
--- a/src/helm/impress/templates/ingress-redirects.yaml
+++ b/src/helm/impress/templates/ingress-redirects.yaml
@@ -1,15 +1,15 @@
-{{- if and .Values.ingress.enabled .Values.ingressRedirects.enabled }}
+{{- if .Values.ingressRedirects.enabled }}
 {{- $fullName := include "impress.fullname" . -}}
 {{- $ns := .Release.Namespace -}}
-{{- $class := .Values.ingress.className -}}
-{{- $defaultHost := .Values.ingressRedirects.defaultHost | default .Values.ingress.host -}}
 {{- range $i, $r := .Values.ingressRedirects.rules }}
-{{- $host := $r.host | default $defaultHost -}}
+{{- $host := $r.host | default $.Values.ingressRedirects.host -}}
 {{- $from := $r.from | default "/home" -}}
 {{- $to := required (printf "ingressRedirects.rules[%d].to is required" $i) $r.to -}}
 {{- $name := printf "%s-redirect-%s" $fullName (replace "/" "-" (trimAll "/" $from)) | trunc 63 | trimSuffix "-" -}}
-
+{{- if $i }}
+---
+{{- end }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
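Review bot: On the `+{{- $host := $r.host | default $.Values.ingressRedirects.host -}}` line `$host` is empty whenever neither the rule nor `ingressRedirects.host` is set (an environment that blanks the example default hits this), and the rule further down still renders `- host:` with no value, which Kubernetes treats as a host-less rule, i.e. the redirect applies to that path on every hostname the controller serves rather than on one site. The next hunk of this file guards the TLS block with `{{- if $host }}`, so the empty case is anticipated there but not for the rule itself. Fail at render time instead: `{{- $host := $r.host | default $.Values.ingressRedirects.host | required (printf "ingressRedirects.rules[%d].host is required" $i) -}}`.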
@@ -19,12 +19,27 @@ metadata:
 {{- if or (not $r.code) (eq (toString $r.code) "301") }}
 nginx.ingress.kubernetes.io/permanent-redirect: "{{ $to }}"
 {{- else }}
- nginx.ingress.kubernetes.io/configuration-snippet: |
- return {{ $r.code }} {{ $to }};
+ nginx.ingress.kubernetes.io/temporal-redirect: "{{ $to }}"
+ nginx.ingress.kubernetes.io/temporal-redirect-code: "{{ $r.code }}"
 {{- end }}
 spec:
- {{- if $class }}
- ingressClassName: {{ $class }}
+ {{- if $.Values.ingressRedirects.className }}
+ ingressClassName: {{ $.Values.ingressRedirects.className }}
+ {{- end }}
+ {{- if $.Values.ingressRedirects.tls.enabled }}
+ tls:
+ {{- if $host }}
+ - secretName: {{ $.Values.ingressRedirects.tls.secretName | default (printf "%s-tls" $fullName) | quote }}
+ hosts:
+ - {{ $host | quote }}
+ {{- end }}
+ {{- range $.Values.ingressRedirects.tls.additional }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ . | quote }}
+ {{- end }}
+ secretName: {{ .secretName }}
+ {{- end }}
 {{- end }}
 rules:
 - host: {{ $host }}
@@ -44,6 +59,5 @@ spec:
 name: {{ include "impress.frontend.fullname" $ }}
 port:
 number: {{ $.Values.frontend.service.port }}
----
 {{- end }}
 {{- end }}
diff --git a/src/helm/impress/values.yaml b/src/helm/impress/values.yaml
index db648df6aa..2968d02620 100644
--- a/src/helm/impress/values.yaml
+++ b/src/helm/impress/values.yaml
@@ -87,8 +87,12 @@ ingressCollaborationWS:
 ingressRedirects:
 enabled: false
- namePrefix: impress-redir
- defaultHost: impress.example.com
+ className: null
+ host: impress.example.com
+ tls:
+ enabled: true
+ secretName: null
+ additional: []
 rules: []
 ## @param ingressCollaborationApi.enabled whether to enable the Ingress or not
From 593ea27f6360e656d21d08fa3b0f185b9d8c0bfe Mon Sep 17 00:00:00 2001
From: Anthony LC
Date: Mon, 15 Dec 2025 14:53:43 +0100
Subject: [PATCH 5/7] fixup! testing-purpose-will-not-be-merged
---
 src/helm/env.d/feature/values.impress.yaml.gotmpl | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
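Review bot: `$to` is still wrapped in literal double quotes on the new `temporal-redirect` line (and on the `permanent-redirect` context line above it), and `secretName: {{ .secretName }}` inside the `additional` loop is bare, while `$host` and the default secret name in the same hunk go through `| quote`; a value containing `"` or `\` breaks the rendered YAML instead of being escaped. Use the same helper everywhere: `nginx.ingress.kubernetes.io/temporal-redirect: {{ $to | quote }}` and `secretName: {{ .secretName | quote }}`. The `{{- else }}` branch also forwards any `code` to `temporal-redirect-code`; rejecting non-redirect codes at render time, `{{- if not (has (toString $r.code) (list "302" "303" "307" "308")) }}{{ fail (printf "ingressRedirects.rules[%d].code must be a redirect status" $i) }}{{- end }}`, surfaces the mistake in `helm template` rather than in the controller logs.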
diff --git a/src/helm/env.d/feature/values.impress.yaml.gotmpl b/src/helm/env.d/feature/values.impress.yaml.gotmpl
index c6d69fee16..28314b49a0 100644
--- a/src/helm/env.d/feature/values.impress.yaml.gotmpl
+++ b/src/helm/env.d/feature/values.impress.yaml.gotmpl
@@ -143,11 +143,14 @@ yProvider:
 ingressRedirects:
 enabled: true
- defaultHost: {{ .Values.feature }}-docs.{{ .Values.domain }}
+ host: {{ .Values.feature }}-docs.{{ .Values.domain }}
 rules:
 - name: home
 from: /home
 to: https://lasuite.numerique.gouv.fr/produits/docs
+ - name: google
+ from: /google
+ to: https://docs.google.com
 ingress:
 enabled: true
From 8f8d467969af3e3245119a7fcfb76e5205078b45 Mon Sep 17 00:00:00 2001
From: Anthony LC
Date: Mon, 15 Dec 2025 15:45:46 +0100
Subject: [PATCH 6/7] =?UTF-8?q?=F0=9F=94=A7(helm)=20add=20OIDC=5FREDIRECT?=
 =?UTF-8?q?=5FALLOWED=5FHOSTS=20to=20fix=20authentication=20flow?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add OIDC_REDIRECT_ALLOWED_HOSTS setting to dev and feature environments to properly allow Keycloak redirect callbacks after authentication.
---
 src/helm/env.d/dev/values.impress.yaml.gotmpl | 1 +
 src/helm/env.d/feature/values.impress.yaml.gotmpl | 1 +
 2 files changed, 2 insertions(+)
diff --git a/src/helm/env.d/dev/values.impress.yaml.gotmpl b/src/helm/env.d/dev/values.impress.yaml.gotmpl
index 129a4b89ba..a030186606 100644
--- a/src/helm/env.d/dev/values.impress.yaml.gotmpl
+++ b/src/helm/env.d/dev/values.impress.yaml.gotmpl
@@ -38,6 +38,7 @@ backend:
 OIDC_OP_TOKEN_ENDPOINT: https://docs-keycloak.127.0.0.1.nip.io/realms/docs/protocol/openid-connect/token
 OIDC_OP_USER_ENDPOINT: https://docs-keycloak.127.0.0.1.nip.io/realms/docs/protocol/openid-connect/userinfo
 OIDC_OP_LOGOUT_ENDPOINT: https://docs-keycloak.127.0.0.1.nip.io/realms/docs/protocol/openid-connect/logout
+ OIDC_REDIRECT_ALLOWED_HOSTS: "docs.127.0.0.1.nip.io"
 OIDC_RP_CLIENT_ID: docs
 OIDC_RP_CLIENT_SECRET: ThisIsAnExampleKeyForDevPurposeOnly
 OIDC_RP_SIGN_ALGO: RS256
diff --git a/src/helm/env.d/feature/values.impress.yaml.gotmpl b/src/helm/env.d/feature/values.impress.yaml.gotmpl
index 28314b49a0..bf4af4fdbc 100644
--- a/src/helm/env.d/feature/values.impress.yaml.gotmpl
+++ b/src/helm/env.d/feature/values.impress.yaml.gotmpl
@@ -39,6 +39,7 @@ backend:
 OIDC_OP_TOKEN_ENDPOINT: https://{{ .Values.feature }}-docs-keycloak.{{ .Values.domain }}/realms/docs/protocol/openid-connect/token
 OIDC_OP_USER_ENDPOINT: https://{{ .Values.feature }}-docs-keycloak.{{ .Values.domain }}/realms/docs/protocol/openid-connect/userinfo
 OIDC_OP_LOGOUT_ENDPOINT: https://{{ .Values.feature }}-docs-keycloak.{{ .Values.domain }}/realms/docs/protocol/openid-connect/logout
+ OIDC_REDIRECT_ALLOWED_HOSTS: "{{ .Values.feature }}-docs.{{ .Values.domain }}"
 OIDC_RP_CLIENT_ID: docs
 OIDC_RP_CLIENT_SECRET: ThisIsAnExampleKeyForDevPurposeOnly
 OIDC_RP_SIGN_ALGO: RS256
From e9ef8060a974e64ecd48a7e2a1af755c275d2ad1 Mon Sep 17 00:00:00 2001
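Review bot: `OIDC_REDIRECT_ALLOWED_HOSTS` is added in both hunks (dev `@@ -38,6 +38,7 @@`, feature `@@ -39,6 +39,7 @@`) without a comment, and the commit message says it is for Keycloak callbacks while the value is the application host rather than the Keycloak host, so the next reader cannot tell which redirect this allow-list restricts. If it lists the hosts the backend may send the browser to after login, which the value suggests, record that next to it: `# hosts the backend may redirect to after login; keep in sync with LOGIN_REDIRECT_URL`. Whether the setting accepts a single host or a separator-delimited list is also not visible here, and the comment should say which, since an environment with more than one hostname will need to know.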
From: Anthony LC
Date: Mon, 15 Dec 2025 16:20:21 +0100
Subject: [PATCH 7/7] =?UTF-8?q?=F0=9F=90=9B(helm)=20fix=20OIDC=20authentic?=
 =?UTF-8?q?ation=20with=20standard=20scopes?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Replace custom OIDC scopes with standard OpenID Connect scopes to fix Keycloak authentication flow. Changes: - Replace OIDC_RP_SCOPES from "openid email given_name usual_name" to "openid email profile" - Update OIDC_USERINFO_FULLNAME_FIELDS from "given_name,usual_name" to "given_name,family_name" - Add OIDC_REDIRECT_ALLOWED_HOSTS to allow Keycloak callback redirects The previous configuration used custom scopes (given_name, usual_name) that were not configured in Keycloak, causing authentication to fail with "invalid_scope" error. Using the standard "profile" scope includes all necessary user claims (given_name, family_name, etc.) and works with default Keycloak configuration. This fixes the issue where users were redirected to /home after authentication instead of staying logged in, because the OIDC flow was failing and session cookies were not being set properly.
---
 src/helm/env.d/dev/values.impress.yaml.gotmpl | 4 ++--
 src/helm/env.d/feature/values.impress.yaml.gotmpl | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/helm/env.d/dev/values.impress.yaml.gotmpl b/src/helm/env.d/dev/values.impress.yaml.gotmpl
index a030186606..693c51121e 100644
--- a/src/helm/env.d/dev/values.impress.yaml.gotmpl
+++ b/src/helm/env.d/dev/values.impress.yaml.gotmpl
@@ -32,7 +32,7 @@ backend:
 LOGGING_LEVEL_LOGGERS_ROOT: INFO
 LOGGING_LEVEL_LOGGERS_APP: INFO
 OIDC_USERINFO_SHORTNAME_FIELD: "given_name"
- OIDC_USERINFO_FULLNAME_FIELDS: "given_name,usual_name"
+ OIDC_USERINFO_FULLNAME_FIELDS: "given_name,family_name"
 OIDC_OP_JWKS_ENDPOINT: https://docs-keycloak.127.0.0.1.nip.io/realms/docs/protocol/openid-connect/certs
 OIDC_OP_AUTHORIZATION_ENDPOINT: https://docs-keycloak.127.0.0.1.nip.io/realms/docs/protocol/openid-connect/auth
 OIDC_OP_TOKEN_ENDPOINT: https://docs-keycloak.127.0.0.1.nip.io/realms/docs/protocol/openid-connect/token
@@ -42,7 +42,7 @@ backend:
 OIDC_RP_CLIENT_ID: docs
 OIDC_RP_CLIENT_SECRET: ThisIsAnExampleKeyForDevPurposeOnly
 OIDC_RP_SIGN_ALGO: RS256
- OIDC_RP_SCOPES: "openid email given_name usual_name"
+ OIDC_RP_SCOPES: "openid email profile"
 LOGIN_REDIRECT_URL: https://docs.127.0.0.1.nip.io
 LOGIN_REDIRECT_URL_FAILURE: https://docs.127.0.0.1.nip.io
 LOGOUT_REDIRECT_URL: https://docs.127.0.0.1.nip.io
diff --git a/src/helm/env.d/feature/values.impress.yaml.gotmpl b/src/helm/env.d/feature/values.impress.yaml.gotmpl
index bf4af4fdbc..c72a9dfee3 100644
--- a/src/helm/env.d/feature/values.impress.yaml.gotmpl
+++ b/src/helm/env.d/feature/values.impress.yaml.gotmpl
@@ -33,7 +33,7 @@ backend:
 LOGGING_LEVEL_LOGGERS_ROOT: INFO
 LOGGING_LEVEL_LOGGERS_APP: INFO
 OIDC_USERINFO_SHORTNAME_FIELD: "given_name"
- OIDC_USERINFO_FULLNAME_FIELDS: "given_name,usual_name"
+ OIDC_USERINFO_FULLNAME_FIELDS: "given_name,family_name"
 OIDC_OP_JWKS_ENDPOINT: https://{{ .Values.feature }}-docs-keycloak.{{ .Values.domain }}/realms/docs/protocol/openid-connect/certs
 OIDC_OP_AUTHORIZATION_ENDPOINT: https://{{ .Values.feature }}-docs-keycloak.{{ .Values.domain }}/realms/docs/protocol/openid-connect/auth
 OIDC_OP_TOKEN_ENDPOINT: https://{{ .Values.feature }}-docs-keycloak.{{ .Values.domain }}/realms/docs/protocol/openid-connect/token
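Review bot: The scope and full-name field change lands only in the dev and feature value files (the four hunks dev `@@ -32,7`, dev `@@ -42,7`, feature `@@ -33,7`, feature `@@ -43,7`); any other environment file or the chart's own defaults that still send `given_name usual_name` would fail with the same `invalid_scope` the message describes, and none of them is visible here, so that is worth checking before merge. Requesting `profile` also returns the full standard claim set rather than just the fields named in `OIDC_USERINFO_FULLNAME_FIELDS`, a trade-off the message should state so that nobody later narrows the scope back to the custom names. The description's third bullet, `OIDC_REDIRECT_ALLOWED_HOSTS`, belongs to the previous commit, not to these hunks.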
@@ -43,7 +43,7 @@ backend:
 OIDC_RP_CLIENT_ID: docs
 OIDC_RP_CLIENT_SECRET: ThisIsAnExampleKeyForDevPurposeOnly
 OIDC_RP_SIGN_ALGO: RS256
- OIDC_RP_SCOPES: "openid email given_name usual_name"
+ OIDC_RP_SCOPES: "openid email profile"
 LOGIN_REDIRECT_URL: https://{{ .Values.feature }}-docs.{{ .Values.domain }}
 LOGIN_REDIRECT_URL_FAILURE: https://{{ .Values.feature }}-docs.{{ .Values.domain }}
 LOGOUT_REDIRECT_URL: https://{{ .Values.feature }}-docs.{{ .Values.domain }}