cleanup multi provider

Author: simonredfern

.env.example

@@ -1,35 +1,52 @@
-### OBP-API Configuration ###
-VITE_OBP_API_PORTAL_HOST=http://127.0.0.1:8080                                    # OBP API Portal URL (for "Portal Home" navigation link)
-VITE_OBP_API_HOST=http://127.0.0.1:8080                                           # OBP API server base URL (for all backend API requests)
-# VITE_OBP_API_VERSION is NO LONGER USED - hardcoded to v5.1.0 in shared-constants.ts for stability
-VITE_OBP_API_MANAGER_HOST=https://apimanagersandbox.openbankproject.com          # OBP API Manager URL (optional - for navigation link)
-VITE_OBP_API_EXPLORER_HOST=http://localhost:5173                                 # API Explorer application URL (used for OAuth2 redirects and internal routing)
-VITE_OPB_SERVER_SESSION_PASSWORD=your-secret-session-password-here               # Secret key for session encryption (keep this secure!)
-VITE_SHOW_API_MANAGER_BUTTON=false                                               # Show/hide API Manager button in navigation (true/false)
-
-### Redis Configuration ###
-VITE_OBP_REDIS_URL=redis://127.0.0.1:6379                                        # Redis connection string for session storage (format: redis://host:port)
-
-### Opey Configuration ###
-VITE_CHATBOT_ENABLED=false                                                       # Enable/disable Opey chatbot widget (true/false)
-VITE_CHATBOT_URL=http://localhost:5000                                           # Opey chatbot service URL (only needed if chatbot is enabled)
-
-### OAuth2/OIDC Configuration ###
-VITE_OBP_OAUTH2_CLIENT_ID=48ac28e9-9ee3-47fd-8448-69a62764b779                   # OAuth2 client ID (UUID - must match OIDC server registration)
-VITE_OBP_OAUTH2_CLIENT_SECRET=fOTQF7jfg8C74u7ZhSjVQpoBYvD0KpWfM5UsEZBSFFM        # OAuth2 client secret (keep this secure!)
-VITE_OBP_OAUTH2_REDIRECT_URL=http://localhost:5173/api/oauth2/callback          # OAuth2 callback URL (must exactly match OIDC client registration)
-VITE_OBP_OAUTH2_WELL_KNOWN_URL=http://localhost:9000/obp-oidc/.well-known/openid-configuration  # OIDC discovery endpoint URL
-VITE_OBP_OAUTH2_TOKEN_REFRESH_THRESHOLD=300                                     # Seconds before token expiry to trigger refresh (default: 300)
-
-### Resource Documentation Version (Optional) ###
-# VITE_OBP_API_DEFAULT_RESOURCE_DOC_VERSION=OBPv5.1.0                            # Default resource docs version for frontend URLs (format: OBPv5.1.0 - with OBP prefix, auto-constructed if not set)
-
-### Session Configuration (Optional) ###
-# VITE_SESSION_MAX_AGE=3600                                                      # Session timeout in seconds (default: 3600 = 1 hour)
-
-### Styling Configuration (Optional) ###
-# VITE_OBP_LOGO_URL=https://example.com/logo.png                                # Custom logo image URL (uses default OBP logo if not set)
-# VITE_OBP_LINKS_COLOR=#3c8dbc                                                   # Primary link color (CSS color value)
-# VITE_OBP_HEADER_LINKS_COLOR=#39455f                                            # Header navigation link color
-# VITE_OBP_HEADER_LINKS_HOVER_COLOR=#39455f                                      # Header navigation link hover color
-# VITE_OBP_HEADER_LINKS_BACKGROUND_COLOR=#eef0f4                                 # Header navigation active link background color
+### OBP API Configuration ###
+VITE_OBP_API_HOST=http://127.0.0.1:8080
+VITE_OBP_API_VERSION=v5.1.0
+
+### API Explorer Host ###
+VITE_OBP_API_EXPLORER_HOST=http://localhost:5173
+
+### Session Configuration ###
+VITE_OPB_SERVER_SESSION_PASSWORD=change-me-to-a-secure-random-string
+
+### OAuth2 Redirect URL (shared by all providers) ###
+VITE_OAUTH2_REDIRECT_URL=http://localhost:5173/api/oauth2/callback
+
+### Redis Configuration (Optional - uses localhost:6379 if not set) ###
+# VITE_OBP_REDIS_URL=redis://127.0.0.1:6379
+# VITE_OBP_REDIS_PASSWORD=
+# VITE_OBP_REDIS_USERNAME=
+
+### Multi-Provider OAuth2/OIDC Configuration ###
+### The system fetches available providers from: http://localhost:8080/obp/v5.1.0/well-known
+### Configure credentials below for each provider you want to support
+
+### OBP-OIDC Provider ###
+VITE_OBP_OIDC_CLIENT_ID=your-obp-oidc-client-id
+VITE_OBP_OIDC_CLIENT_SECRET=your-obp-oidc-client-secret
+
+### OBP Consumer Key (for API calls) ###
+VITE_OBP_CONSUMER_KEY=your-obp-oidc-client-id
+
+### Keycloak Provider (Optional) ###
+# VITE_KEYCLOAK_CLIENT_ID=your-keycloak-client-id
+# VITE_KEYCLOAK_CLIENT_SECRET=your-keycloak-client-secret
+
+### Google Provider (Optional) ###
+# VITE_GOOGLE_CLIENT_ID=your-google-client-id.apps.googleusercontent.com
+# VITE_GOOGLE_CLIENT_SECRET=your-google-client-secret
+
+### GitHub Provider (Optional) ###
+# VITE_GITHUB_CLIENT_ID=your-github-client-id
+# VITE_GITHUB_CLIENT_SECRET=your-github-client-secret
+
+### Custom OIDC Provider (Optional) ###
+# VITE_CUSTOM_OIDC_PROVIDER_NAME=my-custom-provider
+# VITE_CUSTOM_OIDC_CLIENT_ID=your-custom-client-id
+# VITE_CUSTOM_OIDC_CLIENT_SECRET=your-custom-client-secret
+
+### Chatbot Configuration (Optional) ###
+VITE_CHATBOT_ENABLED=false
+# VITE_CHATBOT_URL=http://localhost:5000
+
+### Resource Docs Version ###
+VITE_OBP_API_DEFAULT_RESOURCE_DOC_VERSION=OBPv6.0.0

env_ai

@@ -1,26 +1,63 @@
-### OBP-API Configuration ###
-VITE_OBP_API_PORTAL_HOST=http://127.0.0.1:8080
+### OBP API Configuration ###
 VITE_OBP_API_HOST=http://127.0.0.1:8080
-VITE_OBP_API_VERSION=v5.1.0
-VITE_OBP_API_MANAGER_HOST=https://apimanagersandbox.openbankproject.com
-VITE_OBP_API_EXPLORER_HOST=http://localhost:5174
+VITE_OBP_API_VERSION=v6.0.0
+VITE_OBP_API_EXPLORER_HOST=http://localhost:5173
+
+### Session Configuration ###
 VITE_OPB_SERVER_SESSION_PASSWORD=asidudhiuh33875
 
+### OAuth2 Redirect URL (shared by all providers) ###
+VITE_OAUTH2_REDIRECT_URL=http://localhost:5173/api/oauth2/callback
+
 ### Redis Configuration ###
 VITE_OBP_REDIS_URL=redis://127.0.0.1:6379
 
-### Opey Configuration ###
+### Chatbot Configuration ###
 VITE_CHATBOT_ENABLED=false
 VITE_CHATBOT_URL=http://localhost:5000
 
-### OAuth2/OIDC Configuration ###
-# OAuth2 Client Credentials (from OBP-OIDC)
-VITE_OBP_OAUTH2_CLIENT_ID=48ac28e9-9ee3-47fd-8448-69a62764b779
-VITE_OBP_OAUTH2_CLIENT_SECRET=fOTQF7jfg8C74u7ZhSjVQpoBYvD0KpWfM5UsEZBSFFM
-VITE_OBP_OAUTH2_REDIRECT_URL=http://localhost:5173/api/oauth2/callback
+### Multi-Provider OAuth2/OIDC Configuration ###
+### The system fetches available providers from: http://localhost:8080/obp/v5.1.0/well-known
+### Configure credentials below for each provider you want to support
+
+### OBP-OIDC Provider ###
+VITE_OBP_OIDC_CLIENT_ID=c2ea173e-8c1a-43c4-ba62-19738f27c43e
+VITE_OBP_OIDC_CLIENT_SECRET=1E7zsN47Xp4VTb28xEv5ZK4vcX8XMsYIH3IsnjQTYk8
+
+### OBP Consumer Key (for API calls) ###
+VITE_OBP_CONSUMER_KEY=c2ea173e-8c1a-43c4-ba62-19738f27c43e
+
+### Keycloak Provider (Optional) ###
+# VITE_KEYCLOAK_CLIENT_ID=obp-api-explorer
+# VITE_KEYCLOAK_CLIENT_SECRET=your-keycloak-secret-here
+
+### Google Provider (Optional) ###
+# VITE_GOOGLE_CLIENT_ID=your-google-client-id.apps.googleusercontent.com
+# VITE_GOOGLE_CLIENT_SECRET=your-google-client-secret
+
+### GitHub Provider (Optional) ###
+# VITE_GITHUB_CLIENT_ID=your-github-client-id
+# VITE_GITHUB_CLIENT_SECRET=your-github-client-secret
+
+### Custom OIDC Provider (Optional) ###
+# VITE_CUSTOM_OIDC_PROVIDER_NAME=my-custom-provider
+# VITE_CUSTOM_OIDC_CLIENT_ID=your-custom-client-id
+# VITE_CUSTOM_OIDC_CLIENT_SECRET=your-custom-client-secret
+
+### Opey Configuration ###
+VITE_OPEY_CONSUMER_ID=74545fb7-9a1f-4ee0-beb4-6e5b7ee50076
+
+### Resource Docs Version ###
+VITE_OBP_API_DEFAULT_RESOURCE_DOC_VERSION=OBPv6.0.0
 
-# OIDC Well-Known Configuration URL
-VITE_OBP_OAUTH2_WELL_KNOWN_URL=http://127.0.0.1:9000/obp-oidc/.well-known/openid-configuration
+### HOW IT WORKS ###
+# 1. Backend fetches provider list from OBP API: GET /obp/v5.1.0/well-known
+# 2. OBP API returns available providers with their .well-known URLs
+# 3. Backend matches providers with credentials configured above
+# 4. Only providers with both (API registration + credentials) will be available
+# 5. Users see provider selection if 2+ providers configured (or auto-login if only 1)
 
-# Optional: Token refresh threshold (seconds before expiry)
-VITE_OBP_OAUTH2_TOKEN_REFRESH_THRESHOLD=300
+### VERIFY YOUR SETUP ###
+# curl http://localhost:8080/obp/v5.1.0/well-known
+# curl http://localhost:8085/api/oauth2/providers
+# Visit: http://localhost:5173/debug/providers-status

server/app.ts

@@ -35,7 +35,6 @@ import type { Application } from 'express'
 import { Container } from 'typedi'
 import path from 'path'
 import { execSync } from 'child_process'
-import { OAuth2Service } from './services/OAuth2Service.js'
 import { OAuth2ProviderManager } from './services/OAuth2ProviderManager.js'
 import { fileURLToPath } from 'url'
 import { dirname } from 'path'
@@ -137,9 +136,7 @@ if (app.get('env') === 'production') {
 }
 app.use(session(sessionObject))
 
-// Initialize OAuth2 Service
-console.log(`--- OAuth2/OIDC setup -------------------------------------------`)
-const wellKnownUrl = process.env.VITE_OBP_OAUTH2_WELL_KNOWN_URL
+// OAuth2 Multi-Provider Setup only - no legacy fallback
 
 // Async IIFE to initialize OAuth2 and start server
 let instance: any
@@ -160,61 +157,15 @@ let instance: any
       providerManager.startHealthCheck(60000) // Check every 60 seconds
       console.log('OK Provider health monitoring started (every 60s)')
     } else {
-      console.warn('WARNING No OAuth2 providers initialized from OBP API')
-      console.warn('WARNING Falling back to legacy single-provider mode...')
+      console.error('ERROR: No OAuth2 providers initialized from OBP API')
+      console.error(
+        'ERROR: Check that OBP API is running and returns providers from /obp/v5.1.0/well-known'
+      )
+      console.error('ERROR: Server will start but login will not work')
     }
   } catch (error) {
     console.error('ERROR Failed to initialize OAuth2 multi-provider:', error)
-    console.warn('WARNING Falling back to legacy single-provider mode...')
-  }
-  console.log(`-----------------------------------------------------------------`)
-
-  // Initialize Legacy OAuth2 Service (for backward compatibility)
-  console.log(`--- OAuth2/OIDC Legacy Setup (Backward Compatibility) -----------`)
-  if (!wellKnownUrl) {
-    console.warn('VITE_OBP_OAUTH2_WELL_KNOWN_URL not set. Legacy OAuth2 will not function.')
-    console.warn('Server will rely on multi-provider mode from OBP API.')
-  } else {
-    console.log(`OIDC Well-Known URL (legacy): ${wellKnownUrl}`)
-
-    // Get OAuth2Service from container
-    const oauth2Service = Container.get(OAuth2Service)
-
-    // Initialize OAuth2 service with retry logic
-    const isProduction = process.env.NODE_ENV === 'production'
-    const maxRetries = Infinity // Retry indefinitely
-    const initialDelay = 1000 // 1 second, then exponential backoff
-
-    console.log(
-      'Attempting legacy OAuth2 initialization (will retry indefinitely with exponential backoff)...'
-    )
-    const success = await oauth2Service.initializeWithRetry(wellKnownUrl, maxRetries, initialDelay)
-
-    if (success) {
-      console.log('OAuth2Service (legacy): Initialization successful')
-      console.log('  Client ID:', process.env.VITE_OBP_OAUTH2_CLIENT_ID || 'NOT SET')
-      console.log('  Redirect URI:', process.env.VITE_OBP_OAUTH2_REDIRECT_URL || 'NOT SET')
-      console.log('Legacy OAuth2/OIDC ready for authentication')
-
-      // Start continuous monitoring even when initially connected
-      oauth2Service.startHealthCheck(1000, 240000) // Monitor every 4 minutes
-      console.log('OAuth2Service (legacy): Starting continuous monitoring (every 4 minutes)')
-    } else {
-      console.error('OAuth2Service (legacy): Initialization failed after all retries')
-
-      // Use graceful degradation for both development and production
-      const envMode = isProduction ? 'Production' : 'Development'
-      console.warn(`WARNING: ${envMode} mode: Server will start without legacy OAuth2`)
-      console.warn('WARNING: Legacy login will be unavailable until OIDC server is reachable')
-      console.warn('WARNING: Multi-provider mode will be used if available')
-      console.warn('Please check:')
-      console.warn('  1. OBP-OIDC server is running')
-      console.warn('  2. VITE_OBP_OAUTH2_WELL_KNOWN_URL is correct')
-      console.warn('  3. Network connectivity to OIDC provider')
-
-      // Start periodic health check to reconnect when OIDC becomes available
-      oauth2Service.startHealthCheck(1000, 240000) // Start with 1 second, monitor every 4 minutes when connected
-    }
+    console.error('ERROR: Server will start but login will not work')
   }
   console.log(`-----------------------------------------------------------------`)