Management UI configuration made external

AGENTS.md

@@ -1,9 +1,19 @@
-This repository is a monorepo with 3 projects:
+This repository is a monorepo with 4 projects:
 
-- auth-server → Kotlin OAuth2/OIDC Authorization Server
-- management-ui → React admin UI
-- helm → Helm chart deployment
+- auth-server -> Kotlin OAuth2/OIDC Authorization Server
+- management-ui -> React/TypeScript admin UI
+- config-manager -> Go service that exposes management-ui runtime configuration
+- helm-charts -> Helm chart deployment assets
 
-Always use the closest AGENTS.md file.
+Always use the closest AGENTS.md file. Root instructions apply only when a subtree does not have its own guide or when the work is explicitly cross-project.
 
-Never mix changes across projects unless explicitly requested.
+Project boundaries:
+
+- `auth-server`: backend authorization server, local auth-server assets, and auth-server docs
+- `management-ui`: standalone React admin UI, nginx local serving config, and UI docs
+- `config-manager`: Go runtime configuration API for the management UI
+- `helm-charts`: Kubernetes/Helm packaging and chart documentation
+
+Never mix changes across projects unless explicitly requested. If a contract must change across projects, state that coupling clearly and update the related docs in the same change.
+
+Do not edit generated outputs by hand, including `auth-server/target`, `management-ui/dist`, `auth-server/dist`, dependency directories, or packaged Helm chart archives.

README.md

@@ -1,60 +1,92 @@
 # VAuthenticator
 
-This project is actually a journey. This is a big evolution of the OAuth2 authorization server 
-developed during my master thesis to an OpenID Connect authentication server.
-In this new version I expand the initial project in order to use JWT token embracing OpenID Connect protocol,
-all written in Kotlin based on Spring Boot 4.x and more over to the latest spring based oauth2.1/openid connect framework embedded in spring security 7+
+VAuthenticator is an OpenID Connect and OAuth2 authorization server ecosystem. The repository started from an OAuth2 authorization server built during a master thesis and now contains the backend, admin UI, runtime UI configuration service, and Helm deployment assets.
 
-## The Architecture
+## Projects
+
+| Project | Purpose |
+| --- | --- |
+| `auth-server` | Kotlin/Spring Boot authorization server with OAuth2, OIDC, MFA, account lifecycle, roles, keys, templates, and management APIs. |
+| `management-ui` | Standalone React/TypeScript admin UI for managing clients, accounts, roles, keys, and email templates. |
+| `config-manager` | Go service that exposes runtime configuration consumed by the management UI. |
+| `helm-charts` | Helm chart and chart repository docs for Kubernetes deployment. |
+
+## Architecture
 
 ![](https://github.com/mrFlick72/vauthenticator/blob/main/images/vauthenticator-architecture.png)
 
 ## Features
-Right now it is based, as said before to the latest version on spring oauth2/open id connect framework spring security 7+ 
 
-**API:**
+Backend capabilities include:
+
+- OAuth2 Authorization Server and OpenID Connect support on Spring Boot 4.x and Spring Security 7+
+- JWT access token and ID token customization through Lambda integration
+- Client application, role, account, and key management APIs
+- Signup, welcome email, email verification, password reset, and password change flows
+- MFA with email, SMS, and OTP support
+- Post-login workflows, including forced password reset
+- RP-initiated logout and OIDC Session Management
+- Custom actuator management endpoints for setup and cleanup
+
+Storage and infrastructure options include:
+
+- DynamoDB or PostgreSQL persistence profiles
+- Redis for authorization code storage, distributed session storage, and cache
+- AWS KMS-backed keys or local/plain Java key management
+- S3 or filesystem-backed document/static asset loading
+
+## Local Development
+
+Add these hostnames to your local hosts file:
+
+```text
+127.0.0.1   local.api.vauthenticator.com
+127.0.0.1   local.management.vauthenticator.com
+127.0.0.1   local.ui-config-manager.vauthenticator.com
+```
 
-- Client Applications management  
-- roles management
-- account management
-- sign up: admin:signup scope is required
-- welcome mail: admin:welcome scope is required
-- email verification: admin:mail-verify scope is required
-- reset password: admin:reset-password scope is required
-- access_token/id_token customization via lambda, see [here](auth-server/docs/lambda.md) for more details
-- MFA
-  - mail
-  - sms
-  - see [here](auth-server/docs/mfa.md) for more details
-- Post login flow 
-  - force to reset password
-- OIDC RP-initiated logout and OIDC Session Management
-- management api: custom actuator endpoint for more details [look here](auth-server/docs/management.md)
+Start the auth-server dependencies and tenant setup from the auth-server local docs:
 
-**Storage:**
+- [auth-server/local/readme.md](auth-server/local/readme.md)
 
-- DynamoDB 
-- Redis:
-  - authorization code
-  - distributed session store
-  - distributed cache
-- RSA key pair are created from KMS Customer Master Key stored on Dynamo, private key encrypted via KMS of course stored on Dynamo.
+Run the configuration service used by the management UI:
 
+```bash
+cd config-manager
+export CONFIG_MANAGER_ENV_FILE=.env.example
+make run
+```
 
-### auth server local environment
+Build and serve the management UI locally:
 
-For more details please follow to this link [readme.md](auth-server/local/readme.md)
+```bash
+cd management-ui
+bash build.sh
+docker compose -f local/docker-compose.yml up
+```
 
+The local UI is served from:
 
-### management ui local environment
+- `http://local.management.vauthenticator.com:8085/secure/admin/index`
 
-In order to build the application, you can use the build.sh script under managament-ui folder.
-The ```docker-compose.yml``` file under the local folder cna be used to sin up a nginx exposed to the port 8085
+The nginx config in `management-ui/local` proxies `GET /api/config` to `config-manager` on `host.docker.internal:8086` and forwards the `Host` header as `local.ui-config-manager.vauthenticator.com`.
 
-To access to the application you can use the following link: **http://local.management.vauthenticator.com:8085/secure/admin/index**, please take care to have the local ip mapped to the ```local.management.vauthenticator.com``` in the host file.
+## Build And Test
 
+| Project | Commands |
+| --- | --- |
+| `auth-server` | `./mvnw test`, `./mvnw package`, `./mvnw spring-boot:run` |
+| `auth-server/src/main/frontend` | `npm install`, `npm run build`, `npm run production-build`, `npm run watch` |
+| `management-ui/src` | `npm install`, `npm run build`, `npm run production-build`, `npm run watch` |
+| `management-ui` | `bash build.sh` |
+| `config-manager` | `make test`, `make run`, `make build`, `make tidy` |
 
-### profiling
+## Documentation
 
-The application configuration is very versatile and you can decide what persistence and key management provider to use AWS or not AWS native. 
-For more details please refer to the detailed page [here](auth-server/docs/profiles.md)
+- [Auth server profiles](auth-server/docs/profiles.md)
+- [Auth server MFA](auth-server/docs/mfa.md)
+- [Auth server Lambda token customization](auth-server/docs/lambda.md)
+- [Auth server management endpoints](auth-server/docs/management.md)
+- [Management UI agent guide](management-ui/AGENTS.md)
+- [Config manager README](config-manager/README.md)
+- [Helm chart README](helm-charts/README.md)

auth-server/AGENTS.md

@@ -6,7 +6,7 @@ This repository contains the VAuthenticator authorization server. It is a Spring
 
 The main application entry point is [src/main/kotlin/com/vauthenticator/server/VAuthenticatorApplication.kt](src/main/kotlin/com/vauthenticator/server/VAuthenticatorApplication.kt).
 
-Use this guide for any work under `auth-server`. Per the repo root instructions, this file takes precedence over the monorepo-level `Agents.md` for this subtree.
+Use this guide for any work under `auth-server`. Per the repo root instructions, this file takes precedence over the monorepo-level `AGENTS.md` for this subtree.
 
 The relevant skills if available, for working in this repository include: $kotlin-patterns $kotlin-specialist $kotlin-springboot  $kotlin-testing
 
@@ -168,6 +168,5 @@ Lambda-based token customization is supported when `vauthenticator.lambda.aws.en
 
 ## Practical Notes For Future Agents
 
-- The git worktree was clean when this guide was created.
 - `application.yml` at the root resource level is intentionally minimal, so expect most behavior to come from profile-specific or component-specific configuration classes and local overrides.
 - The local helper scripts and docs are important in this project because a large part of the runtime setup lives outside the default Spring Boot process.

auth-server/src/main/kotlin/com/vauthenticator/server/oidc/sessionmanagement/AuthorizeSessionState.kt

@@ -8,7 +8,6 @@ import org.slf4j.Logger
 import org.slf4j.LoggerFactory
 import org.springframework.beans.factory.annotation.Value
 import org.springframework.data.redis.core.RedisTemplate
-import org.springframework.http.ResponseEntity
 import org.springframework.security.core.Authentication
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken
@@ -18,11 +17,9 @@ import org.springframework.stereotype.Controller
 import org.springframework.ui.Model
 import org.springframework.util.StringUtils
 import org.springframework.web.bind.annotation.GetMapping
-import org.springframework.web.bind.annotation.RequestParam
-import org.springframework.web.bind.annotation.RestController
 import org.springframework.web.util.UriComponentsBuilder
+import java.util.*
 import java.util.Arrays.stream
-import java.util.UUID
 
 const val OPBS_COOKIE_NAME = "opbs"
 const val OPBS_SESSION_ATTRIBUTE = "opbs_session_value"
@@ -119,20 +116,4 @@ class SessionManagementIFrameController(
         return "session/management"
     }
 
-}
-
-@RestController
-class CheckSessionEndPoint(private val redisTemplate: RedisTemplate<String, String?>) {
-
-    @GetMapping("/check_session")
-    fun checkSession(@RequestParam state: String): ResponseEntity<CheckSessionResponse> {
-        val sessionState = redisTemplate.opsForHash<String, String?>().get(state, state.toSha256())
-            ?: return ResponseEntity.notFound().build()
-
-        return ResponseEntity.ok(CheckSessionResponse(sessionState))
-    }
-
-}
-
-
-data class CheckSessionResponse(val state: String?)
+}

management-ui/environments/.env.development → config-manager/.env.example

@@ -1,5 +1,10 @@
-REDIRECT_URI="http://local.management.vauthenticator.com:8085/callback"
-CLIENT_APPLICATION_ID="vauthenticator-management-ui"
+SERVER_ADDRESS=":8086"
+
+MANAGEMENT_UI_SERVER_URL="http://local.management.vauthenticator.com:8085"
+
 IDP_BASE_URL="http://local.api.vauthenticator.com:9090"
+CLIENT_APPLICATION_ID="vauthenticator-management-ui"
+REDIRECT_URI="http://local.management.vauthenticator.com:8085/callback"
 AUTHENTICATION_CHECK_INTERVAL="15000"
-API_BASE_URL="http://local.api.vauthenticator.com:9090/api"
+API_BASE_URL="http://local.api.vauthenticator.com:9090/api"
+

config-manager/.gitignore

@@ -0,0 +1,4 @@
+/bin/
+config-manager
+/.env
+/coverage.out

config-manager/AGENTS.md

@@ -0,0 +1,91 @@
+# VAuthenticator Config Manager Agent Guide
+
+## Purpose
+
+`config-manager` is a small Go service that exposes runtime configuration for the standalone VAuthenticator management UI.
+
+Use this guide for any work under `config-manager`. Per the repo root instructions, this file takes precedence over the monorepo-level `AGENTS.md` for this subtree.
+
+The relevant skills if available for this project include: $golang-documentation $golang-patterns $golang-testing
+
+## Stack
+
+- Go 1.25
+- Gin HTTP router
+- Viper configuration loading
+- `gin-contrib/cors` for CORS
+- Standard `net/http` server with graceful shutdown
+
+## Repository Layout
+
+- `cmd/config-manager`: executable entry point
+- `internal/api`: Gin router and HTTP endpoint tests
+- `internal/config`: environment and `.env` file loading, parsing, and validation
+- `.env.example`: local configuration example
+- `Makefile`: build, run, test, and tidy shortcuts
+
+## Runtime Contract
+
+The service exposes one unauthenticated endpoint:
+
+- `GET /api/config`
+
+It returns the configuration consumed by `management-ui/src/config/ConfigLoader.ts`:
+
+- `idpBaseUrl`
+- `clientApplicationId`
+- `redirectUri`
+- `authenticationCheckInterval`
+- `apiBaseUrl`
+
+The management UI caches this response in `sessionStorage` under `appConfig` and clears it during logout.
+
+## Configuration
+
+Configuration is read from environment variables with Viper. If `CONFIG_MANAGER_ENV_FILE` is set, that file is required. Otherwise `.env` is used when present and direct shell environment variables still win.
+
+Required values:
+
+- `MANAGEMENT_UI_SERVER_URL`
+- `IDP_BASE_URL`
+- `CLIENT_APPLICATION_ID`
+- `REDIRECT_URI`
+- `AUTHENTICATION_CHECK_INTERVAL`
+- `API_BASE_URL`
+
+Optional value:
+
+- `SERVER_ADDRESS` defaults to `:8086`
+
+`MANAGEMENT_UI_SERVER_URL` is the allowed CORS origin. Keep this aligned with the management UI host.
+
+## Build And Test Commands
+
+- `make test`
+- `make run`
+- `make build`
+- `make tidy`
+
+Equivalent direct commands:
+
+- `go test ./...`
+- `go run ./cmd/config-manager`
+- `go build -o bin/config-manager ./cmd/config-manager`
+- `go mod tidy`
+
+## Conventions For Changes
+
+- Keep the executable entry point thin; put HTTP behavior in `internal/api` and configuration rules in `internal/config`.
+- Keep the `/api/config` response shape aligned with `management-ui/src/config/ConfigLoader.ts`.
+- If configuration fields are added, update `.env.example`, `README.md`, tests, and the management UI contract docs together.
+- Keep CORS explicit. Do not replace the configured management UI origin with a wildcard without an explicit security decision.
+- Do not add authentication to `/api/config` unless the management UI bootstrap flow is changed at the same time.
+- Prefer table-driven tests for config parsing and HTTP handler behavior.
+
+## Files Worth Reading First
+
+- `cmd/config-manager/main.go`
+- `internal/api/router.go`
+- `internal/config/config.go`
+- `README.md`
+- `.env.example`

config-manager/Makefile

@@ -0,0 +1,14 @@
+.PHONY: build run test tidy
+
+build:
+	go build -o bin/config-manager ./cmd/config-manager
+
+run:
+	go run ./cmd/config-manager
+
+test:
+	go test ./...
+
+tidy:
+	go mod tidy
+