feat(keycloak): add public client for browser-based SDK authentication

[marythought]

Add opentdf-public client and enable direct access grants to support browser-based JavaScript SDK quickstart authentication flow.

Proposed Changes

• Add opentdf-public client (public, directAccessGrantsEnabled: true)
• Enable directAccessGrantsEnabled on cli-client
• Both clients restricted to localhost redirect URIs (localhost:* and 127.0.0.1:*)

This enables the JavaScript SDK quickstart to obtain refresh tokens via password grant for local development/testing, as the browser-based SDK cannot use client credentials (client secrets) for security reasons.

Is it a security change? Yes - it enables a less secure OAuth flow (password grant).

However, the following factors mitigate the risk:

• Quickstart/testing context only
• Public client (no secret exposure risk)
• Localhost-only redirect URIs
• Documentation warns against production use
• Matches how Go/Java SDKs use client credentials for testing

Checklist

• I have added or updated unit tests
• I have added or updated integration tests (if appropriate)
• I have added or updated documentation

Testing Instructions

[gemini-code-assist]

Summary of Changes

Hello @marythought, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces configurations to Keycloak to facilitate browser-based JavaScript SDK authentication for local development and testing environments. By adding a new public client and enabling direct access grants on an existing client, it allows the use of password grant flows, which are necessary for browser-based SDKs that cannot securely handle client secrets. The changes are carefully scoped to minimize security risks by restricting usage to localhost and emphasizing non-production contexts.

Highlights

• New Keycloak Client Added: A new Keycloak client named opentdf-public has been added. This client is configured as a public client with directAccessGrantsEnabled set to true, allowing for password grant authentication. Its redirect URIs are restricted to http://localhost:* and http://127.0.0.1:*.
• Direct Access Grants Enabled for CLI Client: The existing cli-client in Keycloak has been updated to enable directAccessGrantsEnabled. This change allows the cli-client to also utilize the password grant flow.
• Security Considerations: These changes enable a less secure OAuth flow (password grant) but are intended for quickstart/testing contexts only. Risks are mitigated by the clients being public, having no secret exposure, restricting redirect URIs to localhost, and documentation warnings against production use.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• service/cmd/keycloak_data.yaml
  • Added a new Keycloak client named opentdf-public with clientID: opentdf-public, enabled: true, publicClient: true, directAccessGrantsEnabled: true, and redirect URIs for http://localhost:* and http://127.0.0.1:*.
  • Modified the existing cli-client to set directAccessGrantsEnabled: true.

Activity

• No human activity has been recorded on this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

---

Keycloak grants access, Tokens flow, a secure path, Devs build, code takes flight.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a new public Keycloak client opentdf-public and enables direct access grants for it and the existing cli-client to support browser-based SDK authentication for local development. However, it introduces security-sensitive changes by enabling the deprecated Resource Owner Password Credentials (ROPC) grant type and using wildcard redirect URIs for public clients. These are insecure authentication patterns that should be avoided in production, with ROPC being superseded by more secure flows like Authorization Code Flow with PKCE. To mitigate risks, it's crucial to add explicit warnings in the keycloak_data.yaml configuration file, as suggested in the comments, to prevent accidental use of these less-secure settings in production environments.

[gemini-code-assist]

Similar to the cli-client, it's important to add a warning comment for this new opentdf-public client. This makes it clear that enabling directAccessGrantsEnabled is for local testing/quickstart purposes only and should not be used in production due to security risks associated with the password grant flow.

          # WARNING: This client is for browser-based SDK quickstarts and local testing only.
          # It uses the less-secure password grant flow. Do not use in production.
          clientID: opentdf-public

[gemini-code-assist]

Enabling directAccessGrantsEnabled (Resource Owner Password Credentials grant) is discouraged by OAuth 2.0 security best practices as it increases the risk of credential theft and bypasses MFA. While intended for local development, it's crucial to add a warning comment here to prevent accidental enabling in production environments. For production, the Authorization Code Flow with PKCE is the recommended secure alternative.

          # WARNING: Enables the less-secure password grant flow for local development.
          # Do not enable in production environments.
          directAccessGrantsEnabled: true

[gemini-code-assist]

Enabling directAccessGrantsEnabled (Resource Owner Password Credentials grant) for the opentdf-public client introduces security risks by allowing the client to handle user passwords directly. This grant type is deprecated in the OAuth 2.1 specification and should be avoided. For public clients like browser-based SDKs, Authorization Code Flow with PKCE should be used instead to ensure user credentials are not exposed to the client application.

[gemini-code-assist]

The use of wildcards in redirectUris (e.g., http://localhost:*) is insecure as it allows an attacker to redirect authorization codes to any port on the host. Although restricted to localhost and 127.0.0.1, this could still be exploited if a malicious process on the user's machine intercepts the code. It is a best practice to register exact redirect URIs. If multiple ports are required for development, they should be listed explicitly.

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	197.864103ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	99.173547ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	380.03244ms
Throughput	263.14 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	38.548049675s
Average Latency	383.548479ms
Throughput	129.71 requests/second

[github-actions]

X-Test Results

opentdfplatform4GQ3A0.dockerbuild
cukes-report
✅ js-v0.9.0
✅ js-pull-3050
✅ java-v0.9.0
bats-test-results
test-cases-mapping-report
✅ java-pull-3050
✅ go-v0.9.0
✅ go-pull-3050