From b30b29df8aa179dd065db4ade1d2911f6c7ab458 Mon Sep 17 00:00:00 2001
From: jconde
Date: Thu, 21 Dec 2023 16:14:05 +0100
Subject: [PATCH] fix(univention-management-stack): Keycloak clients for guardian
---
 ...es-opendesk-keycloak-bootstrap.yaml.gotmpl | 249 ++++++++++++++++++
 helmfile/environments/default/secrets.gotmpl | 1 +
 2 files changed, 250 insertions(+)
diff --git a/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
index 73aaaa41..e7c0fa4b 100644
--- a/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -300,6 +300,255 @@ config:
 - "address"
 - "email"
 - "profile"
+ - name: "guardian-cli"
+ clientId: "guardian-cli"
+ rootUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
+ baseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
+ protocol: "openid-connect"
+ clientAuthenticatorType: "client-secret"
+ secret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
+ redirectUris:
+ - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/*"
+ fullScopeAllowed: true
+ protocolMappers:
+ - name: "Client Host"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usersessionmodel-note-mapper"
+ consentRequired: false
+ config:
+ user.session.note: "clientHost"
+ userinfo.token.claim: true
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "clientHost"
+ jsonType.label: "String"
+ - name: "Client ID"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usersessionmodel-note-mapper"
+ consentRequired: false
+ config:
+ user.session.note: "client_id"
+ userinfo.token.claim: true
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "client_id"
+ jsonType.label: "String"
+ - name: "guardian-audience"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-audience-mapper"
+ consentRequired: false
+ config:
+ included.client.audience: "guardian"
+ userinfo.token.claim: false
+ id.token.claim: false
+ access.token.claim: true
+ - name: "audiencemap"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-audience-mapper"
+ consentRequired: false
+ config:
+ included.client.audience: "guardian-cli"
+ userinfo.token.claim: true
+ id.token.claim: true
+ access.token.claim: true
+ - name: "dn"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-attribute-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: false
+ user.attribute: "LDAP_ENTRY_DN"
+ id.token.claim: false
+ access.token.claim: true
+ claim.name: "dn"
+ jsonType.label: "String"
+ - name: "username"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-property-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: true
+ user.attribute: "username"
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "preferred_username"
+ jsonType.label: "String"
+ - name: "uid"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-attribute-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: true
+ user.attribute: "uid"
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "uid"
+ jsonType.label: "String"
+ - name: "email"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-property-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: true
+ user.attribute: "email"
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "email"
+ jsonType.label: "String"
+ - name: "Client IP Address"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usersessionmodel-note-mapper"
+ consentRequired: false
+ config:
+ user.session.note: "clientAddress"
+ userinfo.token.claim: true
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "clientAddress"
+ jsonType.label: "String"
+ - name: "guardian"
+ clientId: "guardian"
+ rootUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
+ baseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
+ clientAuthenticatorType: "client-secret"
+ redirectUris:
+ - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/*"
+ fullScopeAllowed: true
+ protocol: "openid-connect"
+ publiClient: true
+ frontchannelLogout: false
+ standardFlowEnabled: true
+ attributes:
+ use.refresh.tokens: true
+ backchannel.logout.session.required: true
+ protocolMappers:
+ - name: "email"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-property-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: true
+ user.attribute: "email"
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "email"
+ jsonType.label: "String"
+ - name: "dn"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-attribute-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: false
+ user.attribute: "LDAP_ENTRY_DN"
+ id.token.claim: false
+ access.token.claim: true
+ claim.name: "dn"
+ jsonType.label: "String"
+ - name: "uid"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-attribute-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: true
+ user.attribute: "uid"
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "udi"
+ jsonType.label: "String"
+ - name: "username"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-property-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: true
+ user.attribute: "username"
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "preferred_username"
+ jsonType.label: "String"
+ - name: "audiencemap"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-audience-mapper"
+ consentRequired: false
+ config:
+ included.client.audience: "guardian"
+ id.token.claim: true
+ access.token.claim: true
+ userinfo.token.claim: true
+ - name: "guardian-ui"
+ clientId: "guardian-ui"
+ rootUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
+ baseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
+ clientAuthenticatorType: "client-secret"
+ redirectUris:
+ - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/guardian/*"
+ standardFlowEnabled: true
+ publicClient: true
+ protocol: "openid-connect"
+ fullScopeAllowed: true
+ protocolMappers:
+ - name: "uid"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-attribute-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: true
+ user.attribute: "uid"
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "uid"
+ jsonType.label: "String"
+ - name: "username"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-property-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: true
+ user.attribute: "username"
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "preferred_username"
+ jsonType.label: "String"
+ - name: "dn"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-attribute-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: "false"
+ user.attribute: "LDAP_ENTRY_DN"
+ id.token.claim: false
+ access.token.claim: true
+ claim.name: "dn"
+ jsonType.label: "String"
+ - name: "audiencemap"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-audience-mapper"
+ consentRequired: false
+ config:
+ included.client.audience: "guardian-ui"
+ id.token.claim: true
+ access.token.claim: true
+ userinfo.token.claim: true
+ - name: "email"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-property-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: true
+ user.attribute: "email"
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "email"
+ jsonType.label: "String"
+ - name: "guardian-audience"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-audience-mapper"
+ consentRequired: false
+ config:
+ included.client.audience: "guardian"
+ id.token.claim: false
+ access.token.claim: true
+ userinfo.token.claim: false
 containerSecurityContext:
 allowPrivilegeEscalation: false
diff --git a/helmfile/environments/default/secrets.gotmpl b/helmfile/environments/default/secrets.gotmpl
index f3343483..597aa4d8 100644
--- a/helmfile/environments/default/secrets.gotmpl
+++ b/helmfile/environments/default/secrets.gotmpl
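Review bot: The `guardian` client's `publiClient: true` is misspelled (compare `publicClient: true` on `guardian-ui`), so the key is most likely ignored and `guardian` is bootstrapped as a confidential client with `clientAuthenticatorType: "client-secret"` but no `secret:` defined; change it to `publicClient: true` if a public client is intended, or drop the line and add a `secret:` if it is not. In the same client the `uid` mapper emits `claim.name: "udi"` while the `guardian-cli` and `guardian-ui` mappers emit `"uid"`, so anything reading the `uid` claim from a `guardian` token gets nothing; it should be `claim.name: "uid"`. Minor: the `guardian-ui` `dn` mapper has `userinfo.token.claim: "false"` quoted while every sibling uses a bare boolean — harmless once the mapper config is stringified, but worth normalizing to `userinfo.token.claim: false`. All three clients set `fullScopeAllowed: true` and use `/*` wildcard redirect URIs; if the guardian services only need the explicitly mapped claims, `fullScopeAllowed: false` plus exact redirect URIs would be the least-privilege setting, though I cannot see from this hunk whether the rest of the `config:` clients list, which starts before the hunk, follows that convention.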
@@ -57,6 +57,7 @@ secrets:
 openproject: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "openproject_client_secret" | sha1sum | quote }}
 xwiki: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "xwiki_client_secret" | sha1sum | quote }}
 as8oidc: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "as8oidc_client_secret" | sha1sum | quote }}
+ guardian: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "guardian_client_secret" | sha1sum | quote }}
 nextcloud:
 adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "nextcloud_admin_user" | sha1sum | quote }}
 metricsToken: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "metricsToken" | sha1sum | quote }}
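Review bot: The new `guardian:` line inherits the `default "sovereign-workplace"` fallback, so in any deployment where `MASTER_PASSWORD` is unset the guardian-cli client secret is a fixed value that anyone with read access to this repository can recompute with the same `derivePassword ... | sha1sum` pipeline. This matches the surrounding lines, but for a confidential-client secret failing the render is safer than silently falling back, e.g. `guardian: {{ derivePassword 1 "long" (requiredEnv "MASTER_PASSWORD") "keycloak" "guardian_client_secret" | sha1sum | quote }}` using helmfile's `requiredEnv`, ideally applied to the whole `secrets:` map rather than this one entry. The `secrets:` mapping this hunk extends starts before the hunk.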