feat: integrate OAuth authentication with GitHub and Keycloak

composer.json

@@ -22,6 +22,7 @@
         "php": "^8.2",
         "ext-simplexml": "*",
         "doctrine/dbal": "^3.6",
+        "dutchcodingcompany/filament-socialite": "^3.1",
         "filament/filament": "^4.0",
         "filament/spatie-laravel-settings-plugin": "^4.0",
         "guzzlehttp/guzzle": "^7.8",
@@ -33,6 +34,7 @@
         "illuminate/support": "^11.35.0",
         "laravel/sanctum": "^4.0",
         "nesbot/carbon": "^2.70",
+        "socialiteproviders/keycloak": "^5.3",
         "spatie/laravel-data": "^4.11",
         "spatie/laravel-query-builder": "^5.5",
         "spatie/laravel-settings": "^3.2",

database/migrations/2026_03_13_224342_create_socialite_users_table.php

@@ -0,0 +1,31 @@
+<?php
+
+use Illuminate\Support\Facades\Schema;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Database\Migrations\Migration;
+
+return new class extends Migration {
+    public function up()
+    {
+        Schema::create('socialite_users', function (Blueprint $table) {
+            $table->id();
+
+            $table->foreignId('user_id')->constrained()->cascadeOnDelete()->cascadeOnUpdate();
+            $table->string('provider');
+            $table->string('provider_id');
+
+            $table->timestamps();
+
+            $table->unique([
+                'provider',
+                'provider_id',
+            ]);
+        });
+
+    }
+
+    public function down()
+    {
+        Schema::dropIfExists('socialite_users');
+    }
+};

database/migrations/2026_03_13_225342_remove_not_null_from_user_password.php

@@ -0,0 +1,22 @@
+<?php
+
+use Illuminate\Support\Facades\Schema;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Database\Migrations\Migration;
+
+return new class extends Migration {
+    public function up()
+    {
+        Schema::table('users', function (Blueprint $table) {
+            $table->string('password')->nullable()->change();
+        });
+
+    }
+
+    public function down()
+    {
+        Schema::table('users', function (Blueprint $table) {
+            $table->string('password')->nullable(false)->change();
+        });
+    }
+};

public/build/manifest.json

@@ -1,11 +1,11 @@
 {
   "resources/css/cachet.css": {
-    "file": "assets/cachet-BQ3AZC_V.css",
+    "file": "assets/cachet-cq60tD7N.css",
     "src": "resources/css/cachet.css",
     "isEntry": true
   },
   "resources/css/dashboard/theme.css": {
-    "file": "assets/theme-CA1Ilmhs.css",
+    "file": "assets/theme-Bpp5vRLw.css",
     "src": "resources/css/dashboard/theme.css",
     "isEntry": true
   },

src/CachetDashboardServiceProvider.php

@@ -5,6 +5,8 @@
 use Cachet\Filament\Pages\EditProfile;
 use Cachet\Http\Middleware\SetAppLocale;
 use Cachet\Settings\AppSettings;
+use DutchCodingCompany\FilamentSocialite\FilamentSocialitePlugin;
+use DutchCodingCompany\FilamentSocialite\Provider;
 use Filament\FontProviders\LocalFontProvider;
 use Filament\Http\Middleware\Authenticate;
 use Filament\Http\Middleware\DisableBladeIconComponents;
@@ -106,6 +108,17 @@ public function panel(Panel $panel): Panel
             ->path(Cachet::dashboardPath())
             ->bootUsing(function (): void {
                 Section::configureUsing(fn (Section $section) => $section->columnSpanFull());
-            });
+            })
+            ->plugin(FilamentSocialitePlugin::make()->providers(
+                collect([
+                    config('services.github.client_id') ? Provider::make('github') : null,
+                    config('services.keycloak.client_id') ? Provider::make('keycloak') : null,
+                ])->filter()->values()->all()
+            )
+                ->rememberLogin(config('services.oauth.rememberLogin', false))
+                ->registration(config('services.oauth.registration', false))
+                ->domainAllowList(config('services.oauth.domainAllowlist', []))
+                ->userModelClass(config('cachet.user_model'))
+            );
     }
 }

workbench/.env.example

@@ -58,3 +58,14 @@ VITE_PUSHER_PORT="${PUSHER_PORT}"
 VITE_PUSHER_SCHEME="${PUSHER_SCHEME}"
 VITE_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"
 
+GITHUB_CLIENT_ID=
+GITHUB_CLIENT_SECRET=
+
+KEYCLOAK_CLIENT_ID=
+KEYCLOAK_CLIENT_SECRET=
+KEYCLOAK_REALM="master"
+KEYCLOAK_BASE_URL=
+
+OAUTH_REMEMBER_LOGIN=
+OAUTH_REGISTRATION=
+OAUTH_DOMAIN_ALLOWLIST=

workbench/app/Providers/WorkbenchServiceProvider.php

@@ -2,6 +2,8 @@
 
 namespace Workbench\App\Providers;
 
+use Cachet\Cachet;
+use Illuminate\Support\Facades\Event;
 use Illuminate\Support\ServiceProvider;
 use Workbench\App\User;
 
@@ -16,13 +18,21 @@ public function register(): void
             'cachet.path' => '/',
             'cachet.user_model' => User::class,
         ]);
+
+        // Reinitialize the redirect URIs to ensure they use the correct path for the workbench environment.
+        config([
+            'services.keycloak.redirect' => env('KEYCLOAK_REDIRECT_URI', Cachet::dashboardPath().'/oauth/callback/keycloak'),
+            'services.github.redirect' => env('GITHUB_REDIRECT_URI', Cachet::dashboardPath().'/oauth/callback/github'),
+        ]);
     }
 
     /**
      * Bootstrap services.
      */
     public function boot(): void
     {
-        //
+        Event::listen(function (\SocialiteProviders\Manager\SocialiteWasCalled $event) {
+            $event->extendSocialite('keycloak', \SocialiteProviders\Keycloak\Provider::class);
+        });
     }
 }

workbench/config/services.php

@@ -0,0 +1,66 @@
+<?php
+
+use Cachet\Cachet;
+use Illuminate\Support\Facades\Route;
+
+return [
+
+    /*
+    |--------------------------------------------------------------------------
+    | Socialite OAuth Configuration
+    |--------------------------------------------------------------------------
+    |
+    | These options configure the behavior of OAuth authentication in Cachet.
+    |
+    | NOTE: It is highly discouraged to enable the 'registration' option in a
+    | production environment without also configuring the 'domainAllowlist'
+    | option, as otherwise anyone with an account on any of the providers
+    | can register an account on your Cachet instance and gain access to it.
+    |
+    */
+
+   'oauth' => [
+        /*
+        * Whether to remember the user once they have logged in using a social provider.
+        */
+        'rememberLogin' => env('OAUTH_REMEMBER_LOGIN', false),
+        /*
+        * Whether to allow users who authenticate via a social provider to be automatically
+        * registered, if no account already exists for them.
+        */
+        'registration' => env('OAUTH_REGISTRATION', false),
+        /*
+        * An allowlist of email domains which are permitted to authenticate via social providers.
+        * If empty or not set, there is no restriction on email domains.
+        */
+        'domainAllowlist' => explode(',', env('OAUTH_DOMAIN_ALLOWLIST', 'does_not_exists.local')),
+    ],
+
+    /*
+    |--------------------------------------------------------------------------
+    | Socialite Providers
+    |--------------------------------------------------------------------------
+    |
+    | Configuration for Laravel Socialite providers. This is used to configure the providers which
+    | users can use to authenticate with Cachet. The default providers are GitHub and Keycloak.
+    |
+    | Only the providers which have a client_id configured here will be offered as authentication
+    | options to users.
+    |
+    */
+
+    'github' => [
+        'client_id' => env('GITHUB_CLIENT_ID'),
+        'client_secret' => env('GITHUB_CLIENT_SECRET'),
+        'redirect' => env('GITHUB_REDIRECT_URI', Cachet::dashboardPath().'/oauth/callback/github'),
+    ],
+
+    'keycloak' => [
+        'client_id' => env('KEYCLOAK_CLIENT_ID'),
+        'client_secret' => env('KEYCLOAK_CLIENT_SECRET'),
+        'redirect' => env('KEYCLOAK_REDIRECT_URI', Cachet::dashboardPath().'/oauth/callback/keycloak'),
+        'base_url' => env('KEYCLOAK_BASE_URL'),
+        'realms' => env('KEYCLOAK_REALM', 'master'),
+    ],
+
+];