Merge pull request #2625 from cfpb/5181-fix-keycloak-redirections-for-aws

We're taking [Kenneth's good work](#2385), making it work for more domains, and trying to get it into `master` so it doesn't have to get deployed separately.

## Changes

- redirects to the correct keycloak instance for a given hostname (see the logic diagrams on the enterprise wiki for [Keycloak Redirect Logic as of October 8th 2025](https://[ENT]/HMDA-Operations/hmda-devops/wiki/Keycloak-Redirect-Logic-as-of-October-8th-2025))
- changes `checkLoginIframe` to false due to CORS issues now related to trying to access an iframe from another domain...
  <img width="1492" height="136" alt="Screenshot 2025-10-08 at 2 04 48 PM" src="https://github.com/user-attachments/assets/a5a6ae7d-9b83-4b70-9638-62a647da61c3" />

  ... and probably future problems with it as cookies get more locked down based on some of my digging through keycloak docs and issues. Take a look at issue 23872 [on the keycloak repo](https://github.com/keycloak/keycloak/issues) (avoiding a direct link to the issue so we're not linked into it) for more info on browser incompatibilities.

  There are some downsides to not having it, particularly if someone logs off in another tab then it might not auto-detect the log out. Having said that, Kenneth's PR that implements it has been on [hmda beta side](https://ffiec.beta.cfpb.gov/) for almost a year without complaints. I still [made an issue](#2624) to follow up and investigate re-enabling it or ameliorating any issues, if we feel like we need to down the line.

## Testing

1. Does it work on all the environments?
### Local
<img width="775" height="692" alt="5181-works-on-local" src="https://github.com/user-attachments/assets/b55cbcd5-0730-4255-8c36-a7d920a2dc6a" />

### Dev
<img width="613" height="587" alt="5181-works-on-hmdadev" src="https://github.com/user-attachments/assets/0e92a982-17fc-436f-821e-e1eba870384f" />

### Dev Beta
<img width="609" height="295" alt="5181-works-on-dev-beta" src="https://github.com/user-attachments/assets/d0f8a23b-9be8-432d-83cc-532844cbe11f" />

### Prod Beta
<img width="625" height="360" alt="5181-works-on-prod-beta" src="https://github.com/user-attachments/assets/6bac9d33-77ec-4fef-8d24-e26c2fb5d0a9" />

### Prod
(will wait till release)

### Alto environments
(will need to wait to see on those)

## Notes

- Although we're moving [Kenneth's PR](#2385) into master, I don't need to replicate `update prod-beta-config.json` like [Kenneth did](https://github.com/cfpb/hmda-frontend/pull/2385/files#diff-2ab1df37bbc1d33f86eebba246041c6c3a549ad602fb661251acaebcd096b1ee), because those changes were already [merged into master](https://github.com/cfpb/hmda-frontend/pull/2389/files#diff-2ab1df37bbc1d33f86eebba246041c6c3a549ad602fb661251acaebcd096b1eeR71) earlier.

Author: billhimmelsbach

src/common/api/Keycloak.js

@@ -4,6 +4,48 @@ let keycloak = null
 let isInitialized = false
 let initPromise = null
 
+// check out [ENT]/HMDA-Operations/hmda-devops/blob/master/eks/hmda_urls.md for more details
+// about the different HMDA environments
+
+const prodKeycloakDomain = 'ffiec.cfpb.gov'
+const domainsToBeRedirectedToProdKeycloak = [
+  'ffiec.beta.cfpb.gov',
+  'prod-regtech',
+  'ffiec-beta-test',
+  'ffiec-test',
+]
+
+const devKeycloakDomain = 'hmdadev.cfpb.gov'
+const domainsToBeRedirectedToDevKeycloak = ['hmda4-beta.demo']
+
+const getKeycloakInstance = (hostname) => {
+  const isRedirectedToProd = domainsToBeRedirectedToProdKeycloak.some(
+    (domain) => hostname.includes(domain),
+  )
+  const isRedirectedToDev = domainsToBeRedirectedToDevKeycloak.some((domain) =>
+    hostname.includes(domain),
+  )
+
+  if (isRedirectedToProd) return prodKeycloakDomain
+  if (isRedirectedToDev) return devKeycloakDomain
+
+  // if hostname doesn't match any known redirect patterns, assume keycloak is hosted on the same domain
+  return hostname
+}
+
+const hostname = window.location.hostname
+const keycloakInstance = getKeycloakInstance(hostname)
+
+const keycloakConfig = {
+  realm: 'hmda2',
+  url: `https://${keycloakInstance}/auth`,
+  clientId: 'hmda2-api',
+  'public-client': true,
+  'use-resource-role-mappings': true,
+  'confidential-port': 0,
+  'ssl-required': 'all',
+}
+
 export const setKeycloak = (cloak) => {
   keycloak = cloak
   return keycloak
@@ -28,12 +70,12 @@ export const initKeycloak = (overrides) => {
     } else if (import.meta.env.MODE === 'development') {
       keycloak = new Keycloak('/local_keycloak.json')
     } else {
-      keycloak = new Keycloak('/keycloak.json')
+      keycloak = new Keycloak(keycloakConfig)
     }
   }
 
   initPromise = keycloak
-    .init({ pkceMethod: 'S256' })
+    .init({ pkceMethod: 'S256', checkLoginIframe: false })
     .then((authenticated) => {
       console.log('Keycloak initialized, authenticated:', authenticated)
       isInitialized = true