Gko2026 ia hackathon/am/custom flow

[leleueri]

poc using ia assistant

[gemini-code-assist]

Summary of Changes

Hello @leleueri, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a "Post Login Action" capability, enabling Gravitee AM to integrate with external services for additional authentication steps or data enrichment immediately following a user's successful login. This feature allows for a flexible, custom flow where Gravitee AM redirects the user to an external endpoint with a signed JWT, awaits a callback with a validated response, and then proceeds with or denies the login based on the external service's decision. The changes span across core gateway logic, data models, persistence layers, and the management UI, providing a comprehensive solution for extending the login flow with external interactions.

Highlights

• Introduction of Post Login Action Feature: A new mechanism is added to Gravitee AM that allows for an external service to intervene in the authentication flow immediately after a user successfully logs in.
• External Service Redirection and Callback: After successful login, users can be redirected to a configurable external service with a signed JWT containing state information. The external service then responds via a callback with another signed JWT, which Gravitee AM validates.
• Login Flow Control: Based on the external service's response, Gravitee AM can either continue the login process or deny it, clearing the session and redirecting to an error page.
• Configurable Settings: The feature includes extensive configuration options for the external service URL, JWT signing certificate, response public key for validation, timeout, and specific claim names for success, error, and data.
• Persistence and Management UI: PostLoginAction settings are integrated into the Domain and ApplicationSettings models, persisted in both JDBC and MongoDB, and exposed through new UI components in the management console for both domain-level and application-level configuration.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a new 'Post Login Action' feature, allowing for a custom flow after user login. The changes include new backend endpoints, handlers, and model updates to support this feature, as well as UI components for configuration at both the domain and application level. The implementation is quite extensive and covers backend logic, data persistence, and UI.

My review has identified a few areas for improvement:

• A potential bug in the JWT processor creation for EC keys which could impact security validation.
• An issue with data serialization that might lead to incorrect data being stored in the session.
• A minor security concern in the UI regarding URL validation.

Overall, this is a significant feature addition. Addressing these points will improve the robustness and security of the implementation.

[gemini-code-assist]

Using RSAKeyProcessor to handle EC keys is confusing and likely incorrect. The class name suggests it's for RSA algorithms only. Using it to create a processor for ES256 might lead to signature validation not working as expected or at all for EC keys. Please verify if RSAKeyProcessor is indeed capable of handling EC keys. If not, a dedicated processor for EC keys should be used. The comment // RSAKeyProcessor also handles EC keys seems to be an attempt to justify this, but it adds to the confusion and should be removed or clarified if RSAKeyProcessor is a misnomer.

[gemini-code-assist]

The data object from the JWT claims can be a complex type like a Map or List. Using String.valueOf(data) will call toString(), which does not produce a valid JSON string for these types. This could lead to data being stored incorrectly in the session. Consider using a JSON library to serialize the data object to a JSON string if it's not a primitive type.

[gemini-code-assist]

The variable name httpsUrlPattern suggests that only HTTPS URLs are allowed, but the regex pattern ^https?://.+$ also allows HTTP. For security reasons, especially in an authentication flow, it is recommended to enforce HTTPS to prevent potential man-in-the-middle attacks. If HTTP is intentionally allowed, consider renaming the variable to urlPattern to avoid confusion.

Suggested change

	httpsUrlPattern = '^https?://.+$';
	httpsUrlPattern = '^https://.+$';