fix(keycloak): Support for custom OIDC Clients and ClientScopes.

2025-12-08 00:11:38 +01:00 · 2024-07-16 09:23:02 +02:00
parent 26a7641a5a
commit 46412d1a9e
3 changed files with 12 additions and 3 deletions
--- a/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -21,6 +21,11 @@ cleanup:
  keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}
 config:
  custom:
    clientScopes:
      {{ .Values.functional.authentication.oidc.clientScopes | toYaml | nindent 6 }}
    clients:
      {{ .Values.functional.authentication.oidc.clients | toYaml | nindent 6 }}
  keycloak:
    adminUser: "kcadmin"
    adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
@@ -30,7 +35,7 @@ config:
      internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
  twoFactorSettings:
    additionalGroups: {{ .Values.functional.authentication.twoFactor.groups }}
-  custom:
+  opendesk:
    # We use client specific scopes as we bind them to Keycloak role membership which itself is linked
    # to LDAP group membership to ensure a user cannot access an application without the required
    # group membership.
@@ -766,7 +771,6 @@ config:
              claim.name: "dn"
              jsonType.label: "String"
        defaultClientScopes:
          - "opendesk"
          - "web-origins"
          - "acr"
          - "roles"
--- a/helmfile/environments/default/functional.yaml
+++ b/helmfile/environments/default/functional.yaml
@@ -14,6 +14,11 @@ functional:
      # Note: Removing a group from the list will not disable 2FA for the removed group.
      groups:
        - "Domain Admins"
    oidc:
      # Define additional/custom OIDC clients to be created in the 'opendesk' realm of Keycloak.
      clients: ~
      # Define additional/custom OIDC client scopes to be created in the 'opendesk' realm of Keycloak.
      clientScopes: ~
  externalServices:
    nubus:
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -261,7 +261,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-keycloak-bootstrap"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-keycloak-bootstrap"
-    tag: "1.1.0@sha256:20e885e2f2cb19e4b45adfdd6f1622ea888fe26621a0a3ace12c074497ac04aa"
+    tag: "1.2.0@sha256:3b364c60bedb9ae001c39cbf84e4b4b326b9559078f21bfc993cf0e601196e6f"
  openproject:
    # providerCategory: "Supplier"
    # providerResponsible: "OpenProject"