fix(nubus): Update token exchange

fix(nubus): Remove UMC (SAML) Keycloak client
2025-12-06 07:21:36 +01:00 · 2025-11-10 11:19:34 +00:00 · 2025-11-10 11:19:34 +00:00 · 2025-11-10 11:19:34 +00:00
3 changed files with 13 additions and 6 deletions
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -203,10 +203,6 @@ keycloak:
          loginTitle: "Anmeldung bei {{ .Values.theme.texts.productName }}"
        en:
          loginTitle: "Sign in to {{ .Values.theme.texts.productName }}"
-    features:
-      enabled:
-        - "admin-fine-grained-authz:v1"
-        - "token-exchange"
  podAnnotations:
    intents.otterize.com/service-name: "ums-keycloak"
    {{- with .Values.annotations.nubusKeycloak.pod }}
--- a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -84,7 +84,7 @@ config:
  managed:
    clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list',
                    'offline_access', 'roles', 'address', 'phone' ]
-    clients: [ 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC', 'UMC OIDC', '${client_account}',
+    clients: [ 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC OIDC', '${client_account}',
               '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}',
               '${client_security-admin-console}' ]
  keycloak:
@@ -531,6 +531,7 @@ config:
        attributes:
          use.refresh.tokens: true
          backchannel.logout.session.required: true
+          # set the two attributes below to enable token exchange for a client
          standard.token.exchange.enabled: true
          standard.token.exchange.enableRefreshRequestedTokenType: "SAME_SESSION"
          backchannel.logout.revoke.offline.tokens: true
@@ -637,6 +638,8 @@ config:
          backchannel.logout.session.required: true
          backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+          standard.token.exchange.enabled: true
+          standard.token.exchange.enableRefreshRequestedTokenType: "SAME_SESSION"
        defaultClientScopes:
          - "opendesk-oxappsuite-scope"
          - "read_contacts"
@@ -678,6 +681,8 @@ config:
          backchannel.logout.session.required: true
          backchannel.logout.url: "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/_synapse/client/oidc/backchannel_logout"
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+          standard.token.exchange.enabled: true
+          standard.token.exchange.enableRefreshRequestedTokenType: "SAME_SESSION"
        defaultClientScopes:
          - "opendesk-matrix-scope"
      {{ end }}
@@ -698,6 +703,8 @@ config:
          backchannel.logout.session.required: true
          backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/apps/user_oidc/backchannel-logout/opendesk"
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+          standard.token.exchange.enabled: true
+          standard.token.exchange.enableRefreshRequestedTokenType: "SAME_SESSION"
        defaultClientScopes:
          - "opendesk-nextcloud-scope"
          - "read_contacts"
@@ -721,6 +728,8 @@ config:
          backchannel.logout.session.required: true
          backchannel.logout.url: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/auth/keycloak/backchannel-logout"
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+          standard.token.exchange.enabled: true
+          standard.token.exchange.enableRefreshRequestedTokenType: "SAME_SESSION"
        defaultClientScopes:
          - "opendesk-openproject-scope"
      {{ end }}
@@ -741,6 +750,8 @@ config:
          backchannel.logout.session.required: false
          backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/oidc/authenticator/backchannel_logout"
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+          standard.token.exchange.enabled: true
+          standard.token.exchange.enableRefreshRequestedTokenType: "SAME_SESSION"
        defaultClientScopes:
          - "opendesk-xwiki-scope"
      {{ end }}
--- a/helmfile/environments/default/charts.yaml.gotmpl
+++ b/helmfile/environments/default/charts.yaml.gotmpl
@@ -351,7 +351,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
    name: "opendesk-keycloak-bootstrap"
-    version: "2.6.0"
+    version: "2.7.0-trossner-token-exchange"
    verify: true
  opendeskStaticFiles:
    # providerCategory: "Platform"
Author	SHA1	Message	Date
Thorsten Roßner	89308abd5e	fix(nubus): Update token exchange	2025-11-10 11:19:34 +00:00
Thorsten Roßner	9ad99d643d	fix(nubus): Remove `UMC` (SAML) Keycloak client	2025-11-10 11:19:34 +00:00
Thorsten Roßner	3549e28771	fix(nubus): Update token exchange	2025-11-10 11:19:34 +00:00