From 37a907e087758a1b493ebf3ab96d7f4239563ae8 Mon Sep 17 00:00:00 2001
From: Denis Lugowski
Date: Mon, 16 Mar 2026 08:29:54 +0100
Subject: [PATCH] fix(frontend,backend): Remove hardcoded legalconsenthub keycloak client ID
---
.../security/CustomJwtAuthenticationConverter.kt | 9 ++++++---
.../src/main/resources/application.yaml | 2 ++
legalconsenthub/server/routes/auth/keycloak.get.ts | 6 +++---
legalconsenthub/types/keycloak.ts | 6 +-----
4 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/legalconsenthub-backend/src/main/kotlin/com/betriebsratkanzlei/legalconsenthub/security/CustomJwtAuthenticationConverter.kt b/legalconsenthub-backend/src/main/kotlin/com/betriebsratkanzlei/legalconsenthub/security/CustomJwtAuthenticationConverter.kt
index 6ce4027..2c8c405 100644
--- a/legalconsenthub-backend/src/main/kotlin/com/betriebsratkanzlei/legalconsenthub/security/CustomJwtAuthenticationConverter.kt
+++ b/legalconsenthub-backend/src/main/kotlin/com/betriebsratkanzlei/legalconsenthub/security/CustomJwtAuthenticationConverter.kt
@@ -1,5 +1,6 @@
 package com.betriebsratkanzlei.legalconsenthub.security
+import org.springframework.beans.factory.annotation.Value
 import org.springframework.core.convert.converter.Converter
 import org.springframework.security.authentication.AbstractAuthenticationToken
 import org.springframework.security.core.GrantedAuthority
@@ -8,14 +9,16 @@ import org.springframework.security.oauth2.jwt.Jwt
 import org.springframework.stereotype.Component
 @Component
-class CustomJwtAuthenticationConverter : Converter {
+class CustomJwtAuthenticationConverter(
+ @Value("\${legalconsenthub.keycloak.client-id}") private val keycloakClientId: String,
+) : Converter {
 override fun convert(jwt: Jwt): AbstractAuthenticationToken {
 val userId = jwt.subject
 val username = jwt.getClaimAsString("name")
 val resourceAccess = jwt.getClaimAsMap("resource_access") as? Map<*, *>
- val legalconsenthubResource = resourceAccess?.get("legalconsenthub") as? Map<*, *>
- val roles = (legalconsenthubResource?.get("roles") as? List<*>)?.mapNotNull { it as? String } ?: emptyList()
+ val clientResource = resourceAccess?.get(keycloakClientId) as? Map<*, *>
+ val roles = (clientResource?.get("roles") as? List<*>)?.mapNotNull { it as? String } ?: emptyList()
 val organizationIds = extractOrganizationIds(jwt)
diff --git a/legalconsenthub-backend/src/main/resources/application.yaml b/legalconsenthub-backend/src/main/resources/application.yaml
index d29dfc0..20dac5d 100644
--- a/legalconsenthub-backend/src/main/resources/application.yaml
+++ b/legalconsenthub-backend/src/main/resources/application.yaml
@@ -63,6 +63,8 @@ spring:
 max-request-size: 50MB
 legalconsenthub:
+ keycloak:
+ client-id: ${KEYCLOAK_CLIENT_ID:gremiumhub}
 file:
 storage:
 filesystem:
diff --git a/legalconsenthub/server/routes/auth/keycloak.get.ts b/legalconsenthub/server/routes/auth/keycloak.get.ts
index be94dd7..858e4bf 100644
--- a/legalconsenthub/server/routes/auth/keycloak.get.ts
+++ b/legalconsenthub/server/routes/auth/keycloak.get.ts
@@ -21,7 +21,7 @@ export default defineOAuthKeycloakEventHandler({
 }
 const organizations = decodedJwt ? extractOrganizations(decodedJwt) : []
- const roles = decodedJwt ? extractRoles(decodedJwt) : []
+ const roles = decodedJwt ? extractRoles(decodedJwt, config.oauth.keycloak.clientId) : []
 await setUserSession(event, {
 user: {
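Review bot: `keycloakClientId` is used only as the `resource_access` lookup key, so an empty or mistyped value makes `clientResource` null and every principal ends up with `roles = emptyList()` with nothing logged; a misconfiguration would surface as a blanket authorization failure rather than a startup error. Add `init { require(keycloakClientId.isNotBlank()) { "legalconsenthub.keycloak.client-id must not be blank" } }` right after the constructor so the context refuses to start instead. The rewritten `extractRoles` in keycloak.get.ts has the same silent-empty behaviour when the runtime-config clientId is unset. A KDoc on the constructor parameter stating that client roles are read from `resource_access[<client-id>].roles` would also help; `convert` continues past the end of the hunk.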
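Review bot: The fallback `gremiumhub` differs from the `legalconsenthub` key the converter previously hard-coded, so any deployment that does not set `KEYCLOAK_CLIENT_ID` will now look roles up under a different `resource_access` entry and grant no roles at all. If the Keycloak client really is named `gremiumhub` this is a fix worth stating in the commit message; otherwise the default should be `legalconsenthub`. The frontend hunk in keycloak.get.ts reads the client id from `config.oauth.keycloak.clientId`, a separate setting, so the two must be kept in sync or the session's role list and the backend's granted authorities will diverge; a comment next to `client-id` naming that counterpart would make the coupling visible.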
@@ -71,6 +71,6 @@ function extractOrganizations(decoded: KeycloakTokenPayload): Organization[] {
 return organizations
 }
-function extractRoles(decoded: KeycloakTokenPayload): string[] {
- return decoded?.resource_access?.legalconsenthub?.roles ?? []
+function extractRoles(decoded: KeycloakTokenPayload, clientId: string): string[] {
+ return decoded?.resource_access?.[clientId]?.roles ?? []
 }
diff --git a/legalconsenthub/types/keycloak.ts b/legalconsenthub/types/keycloak.ts
index b39096d..118a93f 100644
--- a/legalconsenthub/types/keycloak.ts
+++ b/legalconsenthub/types/keycloak.ts
@@ -5,11 +5,7 @@ export interface KeycloakTokenPayload {
 family_name?: string
 email?: string
 organization?: Record
- resource_access?: {
- legalconsenthub?: {
- roles?: string[]
- }
- }
+ resource_access?: Record
 }
 export interface Organization {
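Review bot: `extractRoles` no longer says which part of the token it reads now that the key is caller-supplied; add a JSDoc above it such as `/** Client-level roles granted under resource_access[clientId]; empty when the token has no entry for that client. */`. The `decoded?.` on the non-nullable `KeycloakTokenPayload` parameter is redundant and could be `decoded.resource_access?.[clientId]?.roles ?? []`.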