
M8F-90 - Move Super-Admin Role & super-Admin User from Tenant Realms to Master Realm (Keycloak)#75

Merged
andrepestana-aot merged 7 commits into AOT-Technologies:main from
andrepestana-aot:feature/M8F-90-move-super-admin-role-super-admin-user-from-tenant-realms-to-master-realm-keycloak
Mar 13, 2026

Conversation


@andrepestana-aot andrepestana-aot commented Mar 12, 2026

JIRA Ticket

https://aottech.atlassian.net/browse/M8F-90

Description

This PR moves the global super-admin out of tenant realms and into the Keycloak master realm, and updates the M8Flow auth flow so global tenant administration works without requiring a tenant-scoped realm or tenant context.


What changed

  • Removed super-admin role/user creation from tenant realm provisioning.
  • Ensured super-admin exists only in the Keycloak master realm.
  • Ensured the master realm also has a browser-login client for M8Flow (spiffworkflow-backend) instead of relying on tenant realm clients.
  • Added/updated local Keycloak bootstrap so the master realm client, role, and user are provisioned automatically in Docker/local development.

Backend auth and tenant-context changes

  • Added support for a master auth configuration even when it is not explicitly present in .env, so master login can be resolved on demand.
  • Updated authentication identifier resolution so global tenant-management requests can use the master realm correctly.
  • Updated login_return handling so the Keycloak master callback is not treated as a tenant-scoped login.
  • Updated refresh-token persistence so master-realm users do not try to store master as an m8flow_tenant foreign key.
  • Exempted global/non-tenant auth endpoints such as /permissions-check from tenant-context enforcement where appropriate.
  • Fixed backend auth cookie handling for IP-based frontend URLs by avoiding invalid cookie Domain values like 192.168.1.105:8001.

Frontend changes

  • Added a Global admin sign in path from the tenant-selection page.
  • Prevented multitenant routing from forcing a global admin back through tenant selection after login.
  • Fixed login redirect URL handling for relative paths.
  • Improved stale tenant handling so old tenant selections do not trap users in broken login flows.

Config / docs

  • Updated sample config and Keycloak setup documentation to reflect the new master-realm super-admin model.
  • Clarified tenant-context exemption naming in code (TENANT_CONTEXT_EXEMPT_PATH_PREFIXES).

Result

super-admin is global and exists only in Keycloak master.
Tenant realms no longer create or contain super-admin.
Global admins can log in through the master realm and manage tenants without tenant-scoped auth.
Tenant-specific admin behavior remains unchanged.

Type

  • Feature
  • Bug fix
  • Documentation
  • Other

Changes

  • Backend
  • Frontend
  • Documentation

Testing

  • Added/updated focused unit coverage for:
    • master auth config injection
    • master login callback handling
    • refresh-token storage for master logins
    • cookie handling for IP-based frontend URLs
    • tenant-context exemption for /permissions-check

Related Issues

Closes #
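Added illustration of three of the backend rules listed under "Backend auth and tenant-context changes" above: omitting the cookie Domain attribute for IP-literal frontend URLs, exempting global endpoints such as /permissions-check from tenant-context enforcement by path prefix, and not storing "master" as a tenant foreign key for master-realm logins. This is example code written for this page, not code from the PR or from the M8Flow / spiffworkflow-backend project; every function and dataclass name is an assumption, and the value of TENANT_CONTEXT_EXEMPT_PATH_PREFIXES (only the constant's name appears in the PR) is invented for the demonstration.

```python
"""Illustrative rules for master-realm auth handling (example code, not M8Flow's).

Assumed names throughout; TENANT_CONTEXT_EXEMPT_PATH_PREFIXES is named in the
PR but its contents below are made up for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Assumed contents: global (non-tenant) endpoints that must not require a tenant.
TENANT_CONTEXT_EXEMPT_PATH_PREFIXES = ("/permissions-check", "/login_return")
MASTER_REALM = "master"


def cookie_domain_for(frontend_url: str) -> Optional[str]:
    """Return a Domain attribute for the auth cookie, or None for a host-only cookie.

    A Domain value must be a bare host name: never "host:port". IP literals and
    dot-less names such as "localhost" have no registrable parent domain to widen
    the cookie to, so for those the attribute is omitted and the browser scopes
    the cookie to the exact host that set it. This is what avoids emitting an
    invalid value like "192.168.1.105:8001".
    """
    parts = urlsplit(frontend_url)
    host = parts.hostname  # urlsplit drops the port and IPv6 brackets for us
    if not host:
        return None  # no authority component at all: fall back to host-only
    try:
        ipaddress.ip_address(host)
        return None  # IPv4 or IPv6 literal: host-only cookie
    except ValueError:
        pass  # a host name, not an address
    if "." not in host:
        return None  # e.g. "localhost"
    return host.lower()


def is_tenant_context_exempt(path: str) -> bool:
    """True for global endpoints that are served without a tenant context.

    Matching is on whole path segments, so "/permissions-check" matches itself
    and "/permissions-check/anything" but not "/permissions-checker".
    """
    for prefix in TENANT_CONTEXT_EXEMPT_PATH_PREFIXES:
        if path == prefix or path.startswith(prefix + "/"):
            return True
    return False


@dataclass(frozen=True)
class RefreshTokenRow:
    """Shape of a persisted refresh token (assumed; tenant_id is the FK column)."""
    user_id: str
    realm: str
    tenant_id: Optional[str]  # None for master-realm users: "master" is not a tenant
    refresh_token: str


def refresh_token_row(user_id: str, realm: str, refresh_token: str) -> RefreshTokenRow:
    """Build the row to persist; master logins carry no tenant foreign key.

    Assumes, for the example, that a tenant realm's name is the tenant key.
    """
    tenant_id = None if realm == MASTER_REALM else realm
    return RefreshTokenRow(user_id, realm, tenant_id, refresh_token)


if __name__ == "__main__":
    # Constructed sample inputs.
    for url in ("http://192.168.1.105:8001", "http://[::1]:8001",
                "http://localhost:8001", "https://App.Example.org/tenants"):
        print(url, "->", cookie_domain_for(url))
    for path in ("/permissions-check", "/permissions-checker", "/tenants"):
        print(path, "exempt:", is_tenant_context_exempt(path))
    print(refresh_token_row("u1", MASTER_REALM, "rt"))
    print(refresh_token_row("u1", "acme", "rt"))
```

The segment-aware prefix check matters because a plain `startswith` would also exempt any path that merely begins with the exempt string, widening the set of endpoints that bypass tenant enforcement.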

@andrepestana-aot andrepestana-aot self-assigned this Mar 12, 2026
@andrepestana-aot andrepestana-aot marked this pull request as ready for review March 12, 2026 01:30

@auslin-aot auslin-aot left a comment


Avoid changes in the spiffworkflow-backend & spiffworkflow-frontend folders


@auslin-aot auslin-aot left a comment


Please resolve conflicts

…-super-admin-role-super-admin-user-from-tenant-realms-to-master-realm-keycloak
@sonarqubecloud

Quality Gate failed

Failed conditions
21 Security Hotspots
Security Rating on New Code: E (required ≥ A)

See analysis details on SonarQube Cloud


@andrepestana-aot andrepestana-aot merged commit 1563170 into AOT-Technologies:main Mar 13, 2026
8 of 9 checks passed