Pages we don't override with a custom .ftl (change password, OTP,
verify email, required actions, etc.) render their inner form
with Keycloak's stock PatternFly/Bootstrap classes. The brutalist
card shell was styled but the fields inside were not.
Add resources/css/brutalist.css with targeted overrides on
.pf-c-form-control, .pf-c-button, .pf-c-input-group, .checkbox,
.form-group, alerts and headings, then link it from template.ftl
so every Keycloak auto-generated page inherits the E-Cosplay look
without touching each individual .ftl file.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Bundle logo.jpg in the repo root as the source asset and copy it
into themes/ecosplay/login/resources/img and
themes/ecosplay/account/resources/img so Keycloak serves it under
${url.resourcesPath}/img/logo.jpg.
- Login: render the logo above the auth card in a brutalist white
frame (black border, offset hard shadow), 160x160.
- Account console: inject a 64x64 brand mark in the masthead via
a ::before pseudo-element on .pf-v5-c-masthead__brand using the
theme's resources/img/logo.jpg as background.
- Email: inline the logo as a base64 data URI (resized to 400x400
JPEG @ q82 ~14KB) directly in html/template.ftl, so external image
blocking in mail clients does not hide it. Rendered as a 160x160
framed brand mark above the message body.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Go-live:
- Switch keycloak from start-dev to start --import-realm (production
mode with auto-build at boot, no Dockerfile needed yet).
- Set KC_HOSTNAME=https://auth.e-cosplay.fr and KC_PROXY_HEADERS=
xforwarded so Keycloak emits correct issuer URLs and trusts
Caddy's X-Forwarded-* headers.
- Replace deprecated KEYCLOAK_ADMIN env vars with KC_BOOTSTRAP_ADMIN_*.
- Bind the public port to 127.0.0.1 only (Caddy is colocated).
- Add a Keycloak healthcheck against /health/ready on the management
port (9000) using bash /dev/tcp; init container now waits on
service_healthy instead of service_started.
Architecture:
- New realms/ecosplay-realm.json mounted into /opt/keycloak/data/import
and imported on first boot. Defines the dedicated 'ecosplay' realm
(separate from master) with French i18n, brute-force protection,
strong password policy, SES SMTP, and an OIDC client 'ecosplay-web'
pointing at e-cosplay.fr (confidential + PKCE S256).
Theme coverage:
- themes/ecosplay/account: PatternFly v5 overlay (parent=keycloak.v2)
bringing the neo-brutalist colors, thick borders, italic uppercase
typography, and offset hard shadows to the user account console.
- themes/ecosplay/email: branded HTML wrapper template (table layout
with inline styles for email-client safety) plus a matching plain
text wrapper. All Keycloak emails now ship with the E-Cosplay
identity without needing per-template overrides.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- keycloak-init now enables i18n on master with French as the only
supported locale and the default, so all login pages render in fr.
- Replace dynamic realm.displayName tag (which showed 'Keycloak') with
hardcoded '// Connexion sécurisée' in the theme header.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Guard locale references with null-safe defaults — the master realm
ships with internationalization off, so locale is undefined and
${locale.currentLanguageTag} threw InvalidReferenceException.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Custom theme under themes/ecosplay/login (extends keycloak parent)
with template.ftl and login.ftl matching the e-cosplay.fr style:
thick black borders, hard offset shadows, italic uppercase, indigo
accent, hover translate effect, marquee header, watermark.
- Tailwind via Play CDN for utility classes (no build step).
- Mount the theme dir read-only into the Keycloak container.
- Init container now also sets loginTheme=ecosplay on master realm
alongside the SMTP config; service renamed keycloak-init.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
