From 46412d1a9e4547dea8d0da3e322400ea148edf19 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thorsten=20Ro=C3=9Fner?=
Date: Tue, 16 Jul 2024 09:23:02 +0200
Subject: [PATCH] fix(keycloak): Support for custom OIDC Clients and ClientScopes.
---
 .../values-opendesk-keycloak-bootstrap.yaml.gotmpl | 8 ++++++--
 helmfile/environments/default/functional.yaml | 5 +++++
 helmfile/environments/default/images.yaml | 2 +-
 3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
index 6ac20c7b..423041b0 100644
--- a/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -21,6 +21,11 @@ cleanup:
 keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}
 config:
+ custom:
+ clientScopes:
+ {{ .Values.functional.authentication.oidc.clientScopes | toYaml | nindent 6 }}
+ clients:
+ {{ .Values.functional.authentication.oidc.clients | toYaml | nindent 6 }}
 keycloak:
 adminUser: "kcadmin"
 adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
@@ -30,7 +35,7 @@ config:
 internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
 twoFactorSettings:
 additionalGroups: {{ .Values.functional.authentication.twoFactor.groups }}
- custom:
+ opendesk:
 # We use client specific scopes as we bind them to Keycloak role membership which itself is linked
 # to LDAP group membership to ensure a user cannot access an application without the required
 # group membership.
@@ -766,7 +771,6 @@ config:
 claim.name: "dn"
 jsonType.label: "String"
 defaultClientScopes:
- "opendesk"
 - "web-origins"
 - "acr"
 - "roles"
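Review bot: In the first hunk, `config.custom.clients` and `config.custom.clientScopes` are rendered verbatim from `.Values.functional.authentication.oidc.*` via `toYaml`, so any client an operator puts in the environment values is created in the realm by the bootstrap job (which runs with the `kcadmin` credentials visible a few lines below), and nothing in the template enforces the pattern the file itself documents in the second hunk — a client-specific scope bound to a Keycloak role — nor rejects wildcard `redirectUris` or public clients. I would add a comment above `custom:` such as `# Operator-supplied clients/scopes are created as given and are NOT covered by the role-bound scope gating of the built-in clients below; review redirectUris, publicClient and defaultClientScopes of every entry.` Separately, with the defaults of `~` in functional.yaml, `toYaml` renders `null` under `clientScopes:`/`clients:`; that is only safe if the 1.2.0 bootstrap image (not visible here) accepts a null where it presumably expects a list, otherwise default the values to `[]`.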
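Review bot: The third hunk removes `"opendesk"` from a client's `defaultClientScopes`, but the client definition starts well before the hunk, so it is not visible which client this is or what the `opendesk` scope contributed; the commit message and the rename of `custom:` to `opendesk:` in the second hunk do not explain the removal. If that scope is what attached the role-membership mapper described by the comment in the second hunk, this client now issues tokens without the LDAP-group gating, which is exactly the property the comment says the scopes exist to enforce. Please confirm the scope is either no longer defined or still attached to this client by another route, and document it next to `defaultClientScopes:`, e.g. `# "opendesk" scope intentionally not attached: <reason>`.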
diff --git a/helmfile/environments/default/functional.yaml b/helmfile/environments/default/functional.yaml
index 4de7b31f..fa722df1 100644
--- a/helmfile/environments/default/functional.yaml
+++ b/helmfile/environments/default/functional.yaml
@@ -14,6 +14,11 @@ functional:
 # Note: Removing a group from the list will not disable 2FA for the removed group.
 groups:
 - "Domain Admins"
+ oidc:
+ # Define additional/custom OIDC clients to be created in the 'opendesk' realm of Keycloak.
+ clients: ~
+ # Define additional/custom OIDC client scopes to be created in the 'opendesk' realm of Keycloak.
+ clientScopes: ~
 externalServices:
 nubus:
diff --git a/helmfile/environments/default/images.yaml b/helmfile/environments/default/images.yaml
index 7546469e..87ea4dfe 100644
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -261,7 +261,7 @@ images:
 # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-keycloak-bootstrap"
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/platform-development/images/opendesk-keycloak-bootstrap"
- tag: "1.1.0@sha256:20e885e2f2cb19e4b45adfdd6f1622ea888fe26621a0a3ace12c074497ac04aa"
+ tag: "1.2.0@sha256:3b364c60bedb9ae001c39cbf84e4b4b326b9559078f21bfc993cf0e601196e6f"
 openproject:
 # providerCategory: "Supplier"
 # providerResponsible: "OpenProject"
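Review bot: The two new comments above `clients: ~` and `clientScopes: ~` say where the entries end up but not what shape they must have nor that they are handed to the Keycloak bootstrap as-is, which is the information an operator needs before adding a client to a realm that gates application access by group membership. I would extend the `clients` comment with something like `# Each entry is created as given by the keycloak-bootstrap job: set explicit redirectUris (no wildcards), keep publicClient false unless required, and attach a role-bound client scope so access stays gated by group membership.` and point to the built-in clients in values-opendesk-keycloak-bootstrap.yaml.gotmpl as the reference shape. Also, `~` is rendered as `null` by the template's `toYaml`; unless the bootstrap image is known to accept null here, `[]` is the safer empty default for a list-valued key.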