fix(auth): enable dual-auth in SSO mode for E2E tests and API clients

jsell-rh · claude · jsell-rh · commit 03fdfb0824c5 · 2026-05-15T10:57:21.000Z
buildForwardHeadersSSO now falls back to Bearer token from request
when no SSO session cookie exists. This enables:
- SSO users: session cookie → JWT forwarded
- E2E tests / API clients: Bearer token in request → forwarded directly

Also adds Keycloak to wait-for-ready.sh to prevent race conditions
where frontend starts before Keycloak is ready.

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/components/frontend/src/lib/auth.ts b/components/frontend/src/lib/auth.ts
@@ -172,7 +172,15 @@ async function buildForwardHeadersSSO(request: Request, extra?: Record<string, s
     'Accept': 'application/json',
   };
 
-  const accessToken = await getAccessToken();
+  // Try session token first (browser users with SSO cookie)
+  let accessToken = await getAccessToken();
+
+  // Fall back to Bearer token from request (E2E tests, API clients, service accounts)
+  // This enables dual-auth: SSO sessions + direct Bearer token authentication
+  if (!accessToken) {
+    accessToken = extractAccessToken(request) || undefined;
+  }
+
   if (accessToken) {
     headers['Authorization'] = `Bearer ${accessToken}`;
 
diff --git a/e2e/scripts/wait-for-ready.sh b/e2e/scripts/wait-for-ready.sh
@@ -34,6 +34,12 @@ kubectl wait --for=condition=available --timeout=300s \
   deployment/minio \
   -n ambient-code 2>/dev/null || echo "⚠️  MinIO not deployed (S3 persistence disabled)"
 
+# Wait for Keycloak (SSO/OIDC provider - frontend needs it for SSO mode)
+echo "⏳ Waiting for keycloak..."
+kubectl wait --for=condition=available --timeout=300s \
+  deployment/keycloak \
+  -n ambient-code 2>/dev/null || echo "⚠️  Keycloak not deployed (SSO disabled)"
+
 echo ""
 echo "✅ All pods are ready!"
 echo ""
