From 3fa974b41be2189510a39c6fba44725bcf84be66 Mon Sep 17 00:00:00 2001 From: Juan Pedro Torres Date: Tue, 17 Sep 2024 13:59:58 +0200 Subject: [PATCH] fix(opendesk-keycloak-bootstrap): Client creation fix Adjusts the configuration of the guardian related clientids. --- ...es-opendesk-keycloak-bootstrap.yaml.gotmpl | 292 +----------------- 1 file changed, 1 insertion(+), 291 deletions(-) diff --git a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl index d7fe4f1d..97c39364 100644 --- a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl +++ b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl @@ -29,7 +29,7 @@ config: managed: clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list', 'offline_access', 'roles', 'address', 'phone' ] # 'guardian-management-api', 'guardian-scripts', 'guardian-ui' clients have been added explicitly for the moment (see further down this file) - clients: [ 'opendesk-intercom', 'UMC', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ] + clients: [ 'opendesk-intercom', 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ] keycloak: adminUser: "kcadmin" adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }} @@ -517,296 +517,6 @@ config: post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*" defaultClientScopes: - "opendesk-xwiki-scope" - - name: "guardian-management-api" - clientId: "guardian-management-api" - rootUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}" - baseUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}" - protocol: "openid-connect" - publicClient: false - clientAuthenticatorType: "client-secret" - secret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }} - redirectUris: - - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/guardian/*" - fullScopeAllowed: true - standardFlowEnabled: true - implicitFlowEnabled: false - directAccessGrantsEnabled: false - serviceAccountsEnabled: true - protocolMappers: - - name: "Client Host" - protocol: "openid-connect" - protocolMapper: "oidc-usersessionmodel-note-mapper" - consentRequired: false - config: - user.session.note: "clientHost" - userinfo.token.claim: true - id.token.claim: true - access.token.claim: true - claim.name: "clientHost" - jsonType.label: "String" - - name: "Client ID" - protocol: "openid-connect" - protocolMapper: "oidc-usersessionmodel-note-mapper" - consentRequired: false - config: - user.session.note: "client_id" - userinfo.token.claim: true - id.token.claim: true - access.token.claim: true - claim.name: "client_id" - jsonType.label: "String" - - name: "guardian-audience" - protocol: "openid-connect" - protocolMapper: "oidc-audience-mapper" - consentRequired: false - config: - included.client.audience: "guardian" - userinfo.token.claim: false - id.token.claim: false - access.token.claim: true - - name: "audiencemap" - protocol: "openid-connect" - protocolMapper: "oidc-audience-mapper" - consentRequired: false - config: - included.client.audience: "guardian-cli" - userinfo.token.claim: true - id.token.claim: true - access.token.claim: true - - name: "dn" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - userinfo.token.claim: false - user.attribute: "LDAP_ENTRY_DN" - id.token.claim: false - access.token.claim: true - claim.name: "dn" - jsonType.label: "String" - - name: "username" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-property-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "username" - id.token.claim: true - access.token.claim: true - claim.name: "preferred_username" - jsonType.label: "String" - - name: "uid" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "uid" - id.token.claim: true - access.token.claim: true - claim.name: "uid" - jsonType.label: "String" - - name: "email" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-property-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "email" - id.token.claim: true - access.token.claim: true - claim.name: "email" - jsonType.label: "String" - - name: "Client IP Address" - protocol: "openid-connect" - protocolMapper: "oidc-usersessionmodel-note-mapper" - consentRequired: false - config: - user.session.note: "clientAddress" - userinfo.token.claim: true - id.token.claim: true - access.token.claim: true - claim.name: "clientAddress" - jsonType.label: "String" - - name: "guardian-scripts" - clientId: "guardian-scripts" - description: "" - rootUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}" - adminUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}" - baseUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}" - surrogateAuthRequired: false - enabled: true - alwaysDisplayInConsole: false - clientAuthenticatorType: "client-secret" - redirectUris: - - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/guardian/*" - - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}" - - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/guardian/*" - webOrigins: - - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}" - bearerOnly: false - consentRequired: false - standardFlowEnabled: true - implicitFlowEnabled: false - directAccessGrantsEnabled: true - serviceAccountsEnabled: false - publicClient: true - frontchannelLogout: false - protocol: "openid-connect" - fullScopeAllowed: true - protocolMappers: - - name: "email" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-property-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "email" - id.token.claim: true - access.token.claim: true - claim.name: "email" - jsonType.label: "String" - - name: "guardian-audience" - protocol: "openid-connect" - protocolMapper: "oidc-audience-mapper" - consentRequired: false - config: - included.client.audience: "guardian" - id.token.claim: false - access.token.claim: true - userinfo.token.claim: false - - name: "username" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-property-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "username" - id.token.claim: true - access.token.claim: true - claim.name: "preferred_username" - jsonType.label: "String" - - name: "uid" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "uid" - id.token.claim: true - access.token.claim: true - claim.name: "uid" - jsonType.label: "String" - - name: "audiencemap" - protocol: "openid-connect" - protocolMapper: "oidc-audience-mapper" - consentRequired: false - config: - included.client.audience: "guardian-scripts" - id.token.claim: true - access.token.claim: true - userinfo.token.claim: true - - name: "dn" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - aggregate.attrs: false - multivalued: false - userinfo.token.claim: false - user.attribute: "LDAP_ENTRY_DN" - id.token.claim: false - access.token.claim: true - claim.name: "dn" - jsonType.label: "String" - defaultClientScopes: - - "web-origins" - - "acr" - - "roles" - - "profile" - - "email" - optionalClientScopes: - - "address" - - "phone" - - "offline_access" - - "microprofile-jwt" - - name: "guardian-ui" - clientId: "guardian-ui" - rootUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}" - baseUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}" - clientAuthenticatorType: "client-secret" - redirectUris: - - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/guardian/*" - standardFlowEnabled: true - publicClient: true - implicitFlowEnabled: false - directAccessGrantsEnabled: false - serviceAccountsEnabled: false - protocol: "openid-connect" - fullScopeAllowed: true - protocolMappers: - - name: "uid" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "uid" - id.token.claim: true - access.token.claim: true - claim.name: "uid" - jsonType.label: "String" - - name: "username" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-property-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "username" - id.token.claim: true - access.token.claim: true - claim.name: "preferred_username" - jsonType.label: "String" - - name: "dn" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - userinfo.token.claim: "false" - user.attribute: "LDAP_ENTRY_DN" - id.token.claim: false - access.token.claim: true - claim.name: "dn" - jsonType.label: "String" - - name: "audiencemap" - protocol: "openid-connect" - protocolMapper: "oidc-audience-mapper" - consentRequired: false - config: - included.client.audience: "guardian" - id.token.claim: true - access.token.claim: true - userinfo.token.claim: true - - name: "email" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-property-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "email" - id.token.claim: true - access.token.claim: true - claim.name: "email" - jsonType.label: "String" - - name: "guardian-audience" - protocol: "openid-connect" - protocolMapper: "oidc-audience-mapper" - consentRequired: false - config: - included.client.audience: "guardian" - id.token.claim: false - access.token.claim: true - userinfo.token.claim: false containerSecurityContext: allowPrivilegeEscalation: false