feat(deployment): swap Keycloak for Authelia + lldap + registration-service

.github/codeql-config.yml

@@ -0,0 +1,10 @@
+name: Loculus CodeQL config
+
+query-filters:
+  # Loculus is a stateless API: every request authenticates from scratch with
+  # either a bearer JWT or X-Service-Token header, no session cookies. Spring's
+  # CSRF protection is intentionally disabled in
+  # backend/src/main/kotlin/org/loculus/backend/config/SecurityConfig.kt and
+  # the corresponding alert is not actionable.
+  - exclude:
+      id: java/spring-disabled-csrf-protection

.github/dependabot.yml

@@ -46,20 +46,11 @@ updates:
       patch:
         update-types:
           - "patch"
-  - package-ecosystem: npm
-    directory: keycloak/keycloakify
-    schedule:
-      interval: monthly
-    groups:
-      minorAndPatch:
-        update-types:
-          - "minor"
-          - "patch"
   - package-ecosystem: docker
     directories:
       - website
       - backend
-      - keycloak/keycloakify
+      - registration-service
       - preprocessing/nextclade
       - preprocessing/dummy
       - ingest

.github/workflows/build-arm-images.yaml

@@ -63,10 +63,10 @@ jobs:
     uses: ./.github/workflows/ena-submission-flyway-image.yaml
     with:
       build_arm: true
-  trigger-keycloakify:
+  trigger-registration-service:
     needs: should-build
     if: needs.should-build.outputs.should_run == 'true'
-    uses: ./.github/workflows/keycloakify-image.yml
+    uses: ./.github/workflows/registration-service-image.yml
     with:
       build_arm: true
   trigger-preprocessing-nextclade:

.github/workflows/codeql.yml

@@ -41,6 +41,7 @@ jobs:
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
+          config-file: .github/codeql-config.yml
       - if: matrix.language == 'java-kotlin' && matrix.build-mode == 'manual'
         name: Set up JDK
         uses: actions/setup-java@v5

.github/workflows/keycloakify-image.yml → .github/workflows/registration-service-image.yml

@@ -1,4 +1,4 @@
-name: keycloakify-image
+name: registration-service-image
 on:
   pull_request:
   push:
@@ -19,36 +19,29 @@ on:
         default: false
         required: false
 env:
-  DOCKER_IMAGE_NAME: ghcr.io/loculus-project/keycloakify
+  DOCKER_IMAGE_NAME: ghcr.io/loculus-project/registration-service
   BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
   BUILD_ARM: ${{ github.event.inputs.build_arm || inputs.build_arm || github.ref == 'refs/heads/main' }}
   sha: ${{ github.event.pull_request.head.sha || github.sha }}
 concurrency:
-  group: ci-${{ github.ref == 'refs/heads/main' && github.run_id || github.ref }}-keycloak-buil-${{github.event.inputs.build_arm}}d
+  group: ci-${{ github.ref == 'refs/heads/main' && github.run_id || github.ref }}-registration-service-${{github.event.inputs.build_arm}}
   cancel-in-progress: true
 jobs:
-  keycloakify-image:
-    name: Build keycloakify Docker Image # Don't change: Referenced by .github/workflows/update-argocd-metadata.yml
+  registration-service-image:
+    name: Registration service docker image build # Don't change: Referenced by .github/workflows/update-argocd-metadata.yml
     runs-on: ubuntu-latest
-    timeout-minutes: 30
+    timeout-minutes: 15
     permissions:
       contents: read
       packages: write
-      checks: read
     steps:
       - name: Shorten sha
         run: echo "sha=${sha::7}" >> $GITHUB_ENV
       - uses: actions/checkout@v6
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v4
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Generate files hash
         id: files-hash
         run: |
-          DIR_HASH=$(echo -n ${{ hashFiles('./keycloak/keycloakify/**','.github/workflows/keycloakify-image.yml', './website/.nvmrc' ) }})
+          DIR_HASH=$(echo -n ${{ hashFiles('registration-service/**', '.github/workflows/registration-service-image.yml') }})
           echo "DIR_HASH=$DIR_HASH${{ env.BUILD_ARM == 'true' && '-arm' || '' }}" >> $GITHUB_ENV
       - name: Setup Docker metadata
         id: dockerMetadata
@@ -61,30 +54,29 @@ jobs:
             type=raw,value=${{ env.BRANCH_NAME }}
             type=raw,value=commit-${{ env.sha }}
             type=raw,value=${{ env.BRANCH_NAME }}-arm,enable=${{ env.BUILD_ARM }}
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v4
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Check if image exists
         id: check-image
         run: |
           EXISTS=$(docker manifest inspect ${{ env.DOCKER_IMAGE_NAME }}:${{ env.DIR_HASH }} > /dev/null 2>&1 && echo "true" || echo "false")
           echo "CACHE_HIT=$EXISTS" >> $GITHUB_ENV
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v4
-      - name: Get node version build arg
-        id: get-node-version
-        if: env.CACHE_HIT == 'false'
-        run: |
-          NODE_VERSION=$(grep -v "^[[:space:]]*#" website/.nvmrc | tr -d 'v')
-          echo "NODE_VERSION=$NODE_VERSION" >> $GITHUB_OUTPUT
       - name: Build and push image
         if: env.CACHE_HIT == 'false'
         uses: docker/build-push-action@v7
         with:
-          context: ./keycloak/keycloakify
+          context: ./registration-service
           push: true
           tags: ${{ steps.dockerMetadata.outputs.tags }}
-          cache-from: type=gha,scope=keycloakify-${{ github.ref }}
-          cache-to: type=gha,mode=max,scope=keycloakify-${{ github.ref }}
+          cache-from: type=gha,scope=registration-service-${{ github.ref }}
+          cache-to: type=gha,mode=max,scope=registration-service-${{ github.ref }}
           platforms: ${{ env.BUILD_ARM == 'true' && 'linux/amd64,linux/arm64' || 'linux/amd64' }}
-          build-args: NODE_VERSION=${{ steps.get-node-version.outputs.NODE_VERSION }}
       - name: Tag and push image if cache hit
         if: env.CACHE_HIT == 'true'
         run: |

.github/workflows/update-argocd-metadata.yml

@@ -71,11 +71,11 @@ jobs:
           check-name: Build ingest Docker Image
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           wait-interval: 2
-      - name: Wait for Keycloakify Docker Image
+      - name: Wait for Registration Service Docker Image
         uses: lewagon/wait-on-check-action@v1.7.0
         with:
           ref: ${{ github.sha }}
-          check-name: Build keycloakify Docker Image
+          check-name: Registration service docker image build
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           wait-interval: 2
       - name: Wait for ENA Submission Docker Image

architecture_docs/05_building_block_view.md

@@ -16,13 +16,13 @@ and how they interact with each other and external participants.
     * use the website to browse the data and download sequences
     * or use LAPIS directly to query the data (e.g. for automated analysis).
 * Submitters can 
-  * log in via Keycloak 
+  * log in via Authelia 
   * submit new sequence data via the website
   * or use the API directly to automate their submission process.
 * The backend infrastructure stores and processes the data.
 * LAPIS / SILO provides the query engine for the sequence data that is stored in the backend infrastructure.
 * The backend infrastructure also fetches sequence data from / uploads sequence data to INSDC services.
-* The website and the backend infrastructure use Keycloak to verify the identity of users.
+* The website and the backend infrastructure use Authelia to verify the identity of users.
 
 ## LAPIS / SILO
 

architecture_docs/07_deployment_view.md

@@ -30,9 +30,9 @@ We configured Traefik to expose the relevant services to the public:
 * the website,
 * the backend,
 * LAPIS,
-* Keycloak.
+* Authelia + lldap.
 
-We only need a single instance of the website, the backend and keycloak (and their respective databases).
+We only need a single instance of the website, the backend and authelia (and their respective databases).
 The other services (LAPIS, SILO, preprocessing pipeline, ingest and ENA deposition) have to be configured
 and deployed per organism that the Loculus instance supports.
 We utilize Helm to generate those multiple service instances.

architecture_docs/09_architecture_decisions.md

@@ -77,3 +77,21 @@ Some relevant discussions:
 #### Decision
 
 We implemented the building blocks as described in this documentation.
+
+## Authentication: Authelia + lldap (2026)
+
+The original Keycloak deployment was replaced with Authelia for OIDC and lldap
+as the user directory. Rationale:
+
+- Lighter footprint (Authelia and lldap together are smaller than Keycloak
+  alone) and a simpler operational model for self-hosted installations.
+- LDAP backend is pluggable: bundled lldap for self-hosted, or operators can
+  point Authelia at an existing enterprise LDAP/AD by setting
+  `auth.bundledLdap.enabled=false` and configuring `auth.ldap.*`.
+- Self-registration moves into a small dedicated `registration-service` that
+  writes new users into lldap via its GraphQL admin API; in BYO-LDAP mode this
+  service is not deployed and registration is managed out-of-band.
+- ORCID social login is dropped; can be added later in the registration
+  service.
+- CLI authentication moves from ROPC (unsupported in Authelia) to the OIDC
+  device-code flow.

architecture_docs/plantuml/05_level_1.puml

@@ -10,12 +10,12 @@ frame Loculus as loculus {
     component "Loculus Website" as website
     component "Loculus Backend Infrastructure" as backend
     component "LAPIS" as lapis
-    component "Keycloak" as keycloak
+    component "Authelia + lldap" as authelia
 }
 
 submitter --> website
 submitter -right-> backend
-submitter --> keycloak
+submitter --> authelia
 
 user --> website
 user --> lapis
@@ -26,7 +26,7 @@ lapis --> backend
 
 backend --> insdc
 
-backend -left-> keycloak
-website -left-> keycloak
+backend -left-> authelia
+website -left-> authelia
 
 @enduml

architecture_docs/plantuml/07_cluster_details.puml

@@ -8,7 +8,7 @@ node "Kubernetes Cluster" as loculus {
 
     component "Loculus Website" as website
     component "Loculus Backend" as backend
-    component "Keycloak" as keycloak
+    component "Authelia + lldap" as authelia
 
     node "One instance per organism" {
         component "Processing Pipeline" as processing
@@ -21,17 +21,17 @@ node "Kubernetes Cluster" as loculus {
 }
 
 database "Loculus Database" as db
-database "Keycloak Database" as kc_db
+database "Authelia + lldap Database" as ldap_data
 
 " " --> traefik : HTTP
 traefik --> website
 traefik --> backend
 traefik --> lapis
-traefik --> keycloak
+traefik --> authelia
 
 backend --> db
 deposition --> db
-keycloak --> kc_db
+authelia --> ldap_data
 
 
 @enduml

architecture_docs/plantuml/07_deployment_overview.puml

@@ -7,9 +7,9 @@ node "Kubernetes Cluster" as loculus {
 }
 
 database "Loculus Database" as db
-database "Keycloak Database" as kc_db
+database "Authelia + lldap Database" as ldap_data
 
 services --> db
-services --> kc_db
+services --> ldap_data
 
 @enduml

backend/build.gradle

@@ -55,7 +55,7 @@ dependencies {
     implementation "org.jetbrains.exposed:exposed-kotlin-datetime"
     implementation "org.jetbrains.kotlinx:kotlinx-datetime:0.7.1-0.6.x-compat"
     implementation "org.hibernate.validator:hibernate-validator"
-    implementation "org.keycloak:keycloak-admin-client:26.0.9"
+    implementation "org.springframework.boot:spring-boot-starter-data-ldap"
     implementation("io.minio:minio:9.0.0")
     implementation("software.amazon.awssdk:s3:2.44.2")
 
@@ -82,6 +82,7 @@ dependencies {
     testImplementation "org.testcontainers:testcontainers-minio:2.0.5"
     testImplementation "org.awaitility:awaitility:4.3.0"
     testImplementation "org.junit.platform:junit-platform-launcher"
+    testImplementation "org.apache.httpcomponents:httpclient:4.5.14"
     ktlint("com.pinterest.ktlint:ktlint-cli:1.8.0") {
         attributes {
             attribute(Bundling.BUNDLING_ATTRIBUTE, getObjects().named(Bundling, Bundling.EXTERNAL))