sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 15:31:38 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix(univention-management-stack): Keycloak clients for guardian

Browse Source
This commit is contained in:
jconde
2023-12-21 16:14:05 +01:00
committed by Thorsten Roßner
parent 7a145315f9
commit b30b29df8a
2 changed files with 250 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

249
helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
View File

@@ -300,6 +300,255 @@ config:
- "address"
- "email"
- "profile"
- name: "guardian-cli"
clientId: "guardian-cli"
rootUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
baseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/*"
fullScopeAllowed: true
protocolMappers:
- name: "Client Host"
protocol: "openid-connect"
protocolMapper: "oidc-usersessionmodel-note-mapper"
consentRequired: false
config:
user.session.note: "clientHost"
userinfo.token.claim: true
id.token.claim: true
access.token.claim: true
claim.name: "clientHost"
jsonType.label: "String"
- name: "Client ID"
protocol: "openid-connect"
protocolMapper: "oidc-usersessionmodel-note-mapper"
consentRequired: false
config:
user.session.note: "client_id"
userinfo.token.claim: true
id.token.claim: true
access.token.claim: true
claim.name: "client_id"
jsonType.label: "String"
- name: "guardian-audience"
protocol: "openid-connect"
protocolMapper: "oidc-audience-mapper"
consentRequired: false
config:
included.client.audience: "guardian"
userinfo.token.claim: false
id.token.claim: false
access.token.claim: true
- name: "audiencemap"
protocol: "openid-connect"
protocolMapper: "oidc-audience-mapper"
consentRequired: false
config:
included.client.audience: "guardian-cli"
userinfo.token.claim: true
id.token.claim: true
access.token.claim: true
- name: "dn"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: false
user.attribute: "LDAP_ENTRY_DN"
id.token.claim: false
access.token.claim: true
claim.name: "dn"
jsonType.label: "String"
- name: "username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-property-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "username"
id.token.claim: true
access.token.claim: true
claim.name: "preferred_username"
jsonType.label: "String"
- name: "uid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "uid"
jsonType.label: "String"
- name: "email"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-property-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "email"
id.token.claim: true
access.token.claim: true
claim.name: "email"
jsonType.label: "String"
- name: "Client IP Address"
protocol: "openid-connect"
protocolMapper: "oidc-usersessionmodel-note-mapper"
consentRequired: false
config:
user.session.note: "clientAddress"
userinfo.token.claim: true
id.token.claim: true
access.token.claim: true
claim.name: "clientAddress"
jsonType.label: "String"
- name: "guardian"
clientId: "guardian"
rootUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
baseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
clientAuthenticatorType: "client-secret"
redirectUris:
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/*"
fullScopeAllowed: true
protocol: "openid-connect"
publiClient: true
frontchannelLogout: false
standardFlowEnabled: true
attributes:
use.refresh.tokens: true
backchannel.logout.session.required: true
protocolMappers:
- name: "email"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-property-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "email"
id.token.claim: true
access.token.claim: true
claim.name: "email"
jsonType.label: "String"
- name: "dn"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: false
user.attribute: "LDAP_ENTRY_DN"
id.token.claim: false
access.token.claim: true
claim.name: "dn"
jsonType.label: "String"
- name: "uid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "udi"
jsonType.label: "String"
- name: "username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-property-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "username"
id.token.claim: true
access.token.claim: true
claim.name: "preferred_username"
jsonType.label: "String"
- name: "audiencemap"
protocol: "openid-connect"
protocolMapper: "oidc-audience-mapper"
consentRequired: false
config:
included.client.audience: "guardian"
id.token.claim: true
access.token.claim: true
userinfo.token.claim: true
- name: "guardian-ui"
clientId: "guardian-ui"
rootUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
baseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
clientAuthenticatorType: "client-secret"
redirectUris:
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/guardian/*"
standardFlowEnabled: true
publicClient: true
protocol: "openid-connect"
fullScopeAllowed: true
protocolMappers:
- name: "uid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "uid"
jsonType.label: "String"
- name: "username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-property-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "username"
id.token.claim: true
access.token.claim: true
claim.name: "preferred_username"
jsonType.label: "String"
- name: "dn"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: "false"
user.attribute: "LDAP_ENTRY_DN"
id.token.claim: false
access.token.claim: true
claim.name: "dn"
jsonType.label: "String"
- name: "audiencemap"
protocol: "openid-connect"
protocolMapper: "oidc-audience-mapper"
consentRequired: false
config:
included.client.audience: "guardian-ui"
id.token.claim: true
access.token.claim: true
userinfo.token.claim: true
- name: "email"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-property-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "email"
id.token.claim: true
access.token.claim: true
claim.name: "email"
jsonType.label: "String"
- name: "guardian-audience"
protocol: "openid-connect"
protocolMapper: "oidc-audience-mapper"
consentRequired: false
config:
included.client.audience: "guardian"
id.token.claim: false
access.token.claim: true
userinfo.token.claim: false
containerSecurityContext:
allowPrivilegeEscalation: false

1
helmfile/environments/default/secrets.gotmpl
View File

@@ -57,6 +57,7 @@ secrets:
openproject: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "openproject_client_secret" | sha1sum | quote }}
xwiki: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "xwiki_client_secret" | sha1sum | quote }}
as8oidc: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "as8oidc_client_secret" | sha1sum | quote }}
guardian: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "guardian_client_secret" | sha1sum | quote }}
nextcloud:
adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "nextcloud_admin_user" | sha1sum | quote }}
metricsToken: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "metricsToken" | sha1sum | quote }}