sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 15:31:38 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix(opendesk-keycloak-bootstrap): Client creation fix

Browse Source 
Adjusts the configuration of the guardian related clientids.
This commit is contained in:
Juan Pedro Torres
2024-09-17 13:59:58 +02:00
committed by Johannes Bornhold
parent 41be8cbf18
commit 3fa974b41b
1 changed files with 1 additions and 291 deletions
Download Patch File Download Diff File Expand all files Collapse all files

292
helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
View File

@@ -29,7 +29,7 @@ config:
managed:
clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list', 'offline_access', 'roles', 'address', 'phone' ]
# 'guardian-management-api', 'guardian-scripts', 'guardian-ui' clients have been added explicitly for the moment (see further down this file)
clients: [ 'opendesk-intercom', 'UMC', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ]
clients: [ 'opendesk-intercom', 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ]
keycloak:
adminUser: "kcadmin"
adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
@@ -517,296 +517,6 @@ config:
post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
defaultClientScopes:
- "opendesk-xwiki-scope"
- name: "guardian-management-api"
clientId: "guardian-management-api"
rootUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
baseUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
protocol: "openid-connect"
publicClient: false
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/guardian/*"
fullScopeAllowed: true
standardFlowEnabled: true
implicitFlowEnabled: false
directAccessGrantsEnabled: false
serviceAccountsEnabled: true
protocolMappers:
- name: "Client Host"
protocol: "openid-connect"
protocolMapper: "oidc-usersessionmodel-note-mapper"
consentRequired: false
config:
user.session.note: "clientHost"
userinfo.token.claim: true
id.token.claim: true
access.token.claim: true
claim.name: "clientHost"
jsonType.label: "String"
- name: "Client ID"
protocol: "openid-connect"
protocolMapper: "oidc-usersessionmodel-note-mapper"
consentRequired: false
config:
user.session.note: "client_id"
userinfo.token.claim: true
id.token.claim: true
access.token.claim: true
claim.name: "client_id"
jsonType.label: "String"
- name: "guardian-audience"
protocol: "openid-connect"
protocolMapper: "oidc-audience-mapper"
consentRequired: false
config:
included.client.audience: "guardian"
userinfo.token.claim: false
id.token.claim: false
access.token.claim: true
- name: "audiencemap"
protocol: "openid-connect"
protocolMapper: "oidc-audience-mapper"
consentRequired: false
config:
included.client.audience: "guardian-cli"
userinfo.token.claim: true
id.token.claim: true
access.token.claim: true
- name: "dn"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: false
user.attribute: "LDAP_ENTRY_DN"
id.token.claim: false
access.token.claim: true
claim.name: "dn"
jsonType.label: "String"
- name: "username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-property-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "username"
id.token.claim: true
access.token.claim: true
claim.name: "preferred_username"
jsonType.label: "String"
- name: "uid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "uid"
jsonType.label: "String"
- name: "email"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-property-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "email"
id.token.claim: true
access.token.claim: true
claim.name: "email"
jsonType.label: "String"
- name: "Client IP Address"
protocol: "openid-connect"
protocolMapper: "oidc-usersessionmodel-note-mapper"
consentRequired: false
config:
user.session.note: "clientAddress"
userinfo.token.claim: true
id.token.claim: true
access.token.claim: true
claim.name: "clientAddress"
jsonType.label: "String"
- name: "guardian-scripts"
clientId: "guardian-scripts"
description: ""
rootUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
adminUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
baseUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
surrogateAuthRequired: false
enabled: true
alwaysDisplayInConsole: false
clientAuthenticatorType: "client-secret"
redirectUris:
- "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/guardian/*"
- "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
- "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/guardian/*"
webOrigins:
- "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
bearerOnly: false
consentRequired: false
standardFlowEnabled: true
implicitFlowEnabled: false
directAccessGrantsEnabled: true
serviceAccountsEnabled: false
publicClient: true
frontchannelLogout: false
protocol: "openid-connect"
fullScopeAllowed: true
protocolMappers:
- name: "email"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-property-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "email"
id.token.claim: true
access.token.claim: true
claim.name: "email"
jsonType.label: "String"
- name: "guardian-audience"
protocol: "openid-connect"
protocolMapper: "oidc-audience-mapper"
consentRequired: false
config:
included.client.audience: "guardian"
id.token.claim: false
access.token.claim: true
userinfo.token.claim: false
- name: "username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-property-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "username"
id.token.claim: true
access.token.claim: true
claim.name: "preferred_username"
jsonType.label: "String"
- name: "uid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "uid"
jsonType.label: "String"
- name: "audiencemap"
protocol: "openid-connect"
protocolMapper: "oidc-audience-mapper"
consentRequired: false
config:
included.client.audience: "guardian-scripts"
id.token.claim: true
access.token.claim: true
userinfo.token.claim: true
- name: "dn"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
aggregate.attrs: false
multivalued: false
userinfo.token.claim: false
user.attribute: "LDAP_ENTRY_DN"
id.token.claim: false
access.token.claim: true
claim.name: "dn"
jsonType.label: "String"
defaultClientScopes:
- "web-origins"
- "acr"
- "roles"
- "profile"
- "email"
optionalClientScopes:
- "address"
- "phone"
- "offline_access"
- "microprofile-jwt"
- name: "guardian-ui"
clientId: "guardian-ui"
rootUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
baseUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
clientAuthenticatorType: "client-secret"
redirectUris:
- "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/guardian/*"
standardFlowEnabled: true
publicClient: true
implicitFlowEnabled: false
directAccessGrantsEnabled: false
serviceAccountsEnabled: false
protocol: "openid-connect"
fullScopeAllowed: true
protocolMappers:
- name: "uid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "uid"
jsonType.label: "String"
- name: "username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-property-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "username"
id.token.claim: true
access.token.claim: true
claim.name: "preferred_username"
jsonType.label: "String"
- name: "dn"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: "false"
user.attribute: "LDAP_ENTRY_DN"
id.token.claim: false
access.token.claim: true
claim.name: "dn"
jsonType.label: "String"
- name: "audiencemap"
protocol: "openid-connect"
protocolMapper: "oidc-audience-mapper"
consentRequired: false
config:
included.client.audience: "guardian"
id.token.claim: true
access.token.claim: true
userinfo.token.claim: true
- name: "email"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-property-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "email"
id.token.claim: true
access.token.claim: true
claim.name: "email"
jsonType.label: "String"
- name: "guardian-audience"
protocol: "openid-connect"
protocolMapper: "oidc-audience-mapper"
consentRequired: false
config:
included.client.audience: "guardian"
id.token.claim: false
access.token.claim: true
userinfo.token.claim: false
containerSecurityContext:
allowPrivilegeEscalation: false