From 00c9a181510b6d57791bd0b85b84f0bc4fde659e Mon Sep 17 00:00:00 2001
From: Laura <lthaci@tugraz.at>
Date: Thu, 8 Jan 2026 11:43:47 +0100
Subject: [PATCH] MUG: add optional CyVerse Keycloak provider

---
 themes/MUG/invenio.cfg | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/themes/MUG/invenio.cfg b/themes/MUG/invenio.cfg
index ba13659..9a292ff 100644
--- a/themes/MUG/invenio.cfg
+++ b/themes/MUG/invenio.cfg
@@ -384,6 +384,15 @@ _keycloak_helper = KeycloakSettingsHelper(
     legacy_url_path=False
 )
 
+_cyverse_keycloak_helper = KeycloakSettingsHelper(
+    title="CyVerse",
+    description="CyVerse",
+    base_url="https://keycloak.cyverse.at",
+    realm="CyVerse",
+    app_key="CYVERSE_KEYCLOAK_APP_CREDENTIALS",
+    legacy_url_path=False,
+)
+
 OAUTHCLIENT_KEYCLOAK_REALM_URL = _keycloak_helper.realm_url
 OAUTHCLIENT_KEYCLOAK_USER_INFO_URL = _keycloak_helper.user_info_url
 OAUTHCLIENT_KEYCLOAK_VERIFY_EXP = True  # whether to verify the expiration date of tokens
@@ -391,7 +400,12 @@ OAUTHCLIENT_KEYCLOAK_VERIFY_AUD = True  # whether to verify the audience tag for
 OAUTHCLIENT_KEYCLOAK_AUD = "inveniordm"  # probably the same as the client ID
 OAUTHCLIENT_KEYCLOAK_USER_INFO_FROM_ENDPOINT = True
 
-OAUTHCLIENT_REMOTE_APPS = {"keycloak": _keycloak_helper.remote_app}
+OAUTHCLIENT_REMOTE_APPS = {
+    "keycloak": _keycloak_helper.remote_app,
+    # Enable when needed (see docs: multiple keycloak authentication providers):
+    # "cyverse": _cyverse_keycloak_helper.remote_app,
+}
 
 ## SET THE CREDENTIALS via .env
 # INVENIO_KEYCLOAK_APP_CREDENTIALS={'consumer_key':'<YOUR.CLIENT.ID>','consumer_secret': '<YOUR.CLIENT.CREDENTIALS.SECRET>'}
+# INVENIO_CYVERSE_KEYCLOAK_APP_CREDENTIALS={'consumer_key':'<YOUR.CLIENT.ID>','consumer_secret': '<YOUR.CLIENT.CREDENTIALS.SECRET>'}