fix(nubus): Update token exchange

fix(nubus): Remove UMC (SAML) Keycloak client
2025-12-09 00:38:34 +01:00 · 2025-11-10 11:19:34 +00:00 · 2025-11-10 11:19:34 +00:00 · 2025-11-10 11:19:34 +00:00 · 2025-11-07 09:08:52 +00:00 · 2025-11-07 05:58:42 +00:00
8 changed files with 45 additions and 11 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,30 @@
+# [1.9.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.8.0...v1.9.0) (2025-11-07)
+
+
+### Bug Fixes
+
+* **collabora:** Update from 25.04.4.3.1 to 25.04.5.3.1 ([e0128e6](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e0128e6ccf02eaaa68fe53f5629150f0e0863ba0))
+* **element:** Increase message and media rate limits ([13968a8](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/13968a8133174024dc97c5cf73e6b1e7883ce0a0))
+* **element:** Update favicon to use PNG version ([f8104f6](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/f8104f635862ce6c80b66c6d7fa82df7cde9d446))
+* **element:** Update Synapse from v1.137.0 to v1.141.0; fixes https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr which applies to all openDesk deployments using Element/Matrix with federation enabled ([02d3021](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/02d3021c4ba97f81165e286d1ee53b7c199f5dbb))
+* **element:** Update widgets primary color theme settings ([94394a1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/94394a1e3e3da304138263de73121a62aabbee11))
+* **gitlab:** Add issue templates ([26da7e3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/26da7e366709b3888f6786b574e3b3b11f1a6fab))
+* **helmfile:** Support setting the `defaultLanguage` - relevant for OX App Suite and XWiki - in `functional.yaml.gotmpl` ([24065db](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/24065dbc7043d09dbad0d272128cfe2f33f22e48))
+* **helmfile:** Use passwords defined in `database.yaml.gotmpl` for Cassandra when available ([0268219](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/026821996a4e42ac9ef25dd62c34d1697547962c))
+* **notes:** Fix python path for self signed certs ([c4279d1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c4279d11bb46c9fe65b2ccd54dc0789d11c0d0d8))
+* **notes:** Fix repeated redirects on expired session; Remove fetching of external assets ([c1012f4](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c1012f4e656222750dda0668d8f81e5d1fbe02fd))
+* **open-xchange:** Don't enable sasl auth when no relay host is set ([ff3b221](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/ff3b2218706a98b854c072de62105aa8352e3949))
+* **open-xchange:** Enable and configure defaults for ContactCollector, remove legacy config artifacts ([465f60d](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/465f60d4a28ead7d7a715db71dad9d9992e8b89a))
+* **open-xchange:** Use masterpassword for mailfilter in migration Pods; use PLAIN instead of OAuth for SASL ([484dfaf](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/484dfafe643e04a717e6bc3a8e6e6e6f5011c1c1))
+* **ox-connector:** Use FQDN for internal service URLs ([8593d5f](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8593d5f2bdea685a836edc9d9034ce1976cf2e96))
+
+
+### Features
+
+* **helmfile:** Add toggle for external mail client onboarding and allow non-default FQDNs for IMAP and SMTP endpoints ([25a97ab](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/25a97abba69b34c6b65a08ca7af979f3897d218b))
+* **open-xchange:** Enable XRechnung in Viewer ([08e6ec5](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/08e6ec59d2abac36a8f6e5ab10fec6a5643de282))
+* **openproject:** Update from 16.4.1 to 16.5.1 ([74cf2ee](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/74cf2ee0d818b5e017b3c97f6fbedb05ab764d67))
+
 # [1.8.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.7.1...v1.8.0) (2025-09-25)


--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -203,10 +203,6 @@ keycloak:
          loginTitle: "Anmeldung bei {{ .Values.theme.texts.productName }}"
        en:
          loginTitle: "Sign in to {{ .Values.theme.texts.productName }}"
-    features:
-      enabled:
-        - "admin-fine-grained-authz:v1"
-        - "token-exchange"
  podAnnotations:
    intents.otterize.com/service-name: "ums-keycloak"
    {{- with .Values.annotations.nubusKeycloak.pod }}
--- a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -84,7 +84,7 @@ config:
  managed:
    clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list',
                    'offline_access', 'roles', 'address', 'phone' ]
-    clients: [ 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC', 'UMC OIDC', '${client_account}',
+    clients: [ 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC OIDC', '${client_account}',
               '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}',
               '${client_security-admin-console}' ]
  keycloak:
@@ -531,6 +531,7 @@ config:
        attributes:
          use.refresh.tokens: true
          backchannel.logout.session.required: true
+          # set the two attributes below to enable token exchange for a client
          standard.token.exchange.enabled: true
          standard.token.exchange.enableRefreshRequestedTokenType: "SAME_SESSION"
          backchannel.logout.revoke.offline.tokens: true
@@ -637,6 +638,8 @@ config:
          backchannel.logout.session.required: true
          backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+          standard.token.exchange.enabled: true
+          standard.token.exchange.enableRefreshRequestedTokenType: "SAME_SESSION"
        defaultClientScopes:
          - "opendesk-oxappsuite-scope"
          - "read_contacts"
@@ -678,6 +681,8 @@ config:
          backchannel.logout.session.required: true
          backchannel.logout.url: "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/_synapse/client/oidc/backchannel_logout"
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+          standard.token.exchange.enabled: true
+          standard.token.exchange.enableRefreshRequestedTokenType: "SAME_SESSION"
        defaultClientScopes:
          - "opendesk-matrix-scope"
      {{ end }}
@@ -698,6 +703,8 @@ config:
          backchannel.logout.session.required: true
          backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/apps/user_oidc/backchannel-logout/opendesk"
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+          standard.token.exchange.enabled: true
+          standard.token.exchange.enableRefreshRequestedTokenType: "SAME_SESSION"
        defaultClientScopes:
          - "opendesk-nextcloud-scope"
          - "read_contacts"
@@ -721,6 +728,8 @@ config:
          backchannel.logout.session.required: true
          backchannel.logout.url: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/auth/keycloak/backchannel-logout"
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+          standard.token.exchange.enabled: true
+          standard.token.exchange.enableRefreshRequestedTokenType: "SAME_SESSION"
        defaultClientScopes:
          - "opendesk-openproject-scope"
      {{ end }}
@@ -741,6 +750,8 @@ config:
          backchannel.logout.session.required: false
          backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/oidc/authenticator/backchannel_logout"
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+          standard.token.exchange.enabled: true
+          standard.token.exchange.enableRefreshRequestedTokenType: "SAME_SESSION"
        defaultClientScopes:
          - "opendesk-xwiki-scope"
      {{ end }}
--- a/helmfile/apps/opendesk-services/values-opendesk-static-files.yaml.gotmpl
+++ b/helmfile/apps/opendesk-services/values-opendesk-static-files.yaml.gotmpl
@@ -15,8 +15,8 @@ assets:
  element:
    subdomain: {{ .Values.global.hosts.element }}
    paths:
-      - path: "/vector-icons/favicon.........ico"
-        data: {{ .Values.theme.imagery.chat.faviconIco }}
+      - path: "/vector-icons/favicon.png"
+        data: {{ .Values.theme.imagery.chat.faviconPng }}
  jitsi:
    subdomain: {{ .Values.global.hosts.jitsi }}
    paths:
--- a/helmfile/environments/default/charts.yaml.gotmpl
+++ b/helmfile/environments/default/charts.yaml.gotmpl
@@ -351,7 +351,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
    name: "opendesk-keycloak-bootstrap"
-    version: "2.6.0"
+    version: "2.7.0-trossner-token-exchange"
    verify: true
  opendeskStaticFiles:
    # providerCategory: "Platform"
--- a/helmfile/environments/default/global.generated.yaml.gotmpl
+++ b/helmfile/environments/default/global.generated.yaml.gotmpl
@@ -3,5 +3,5 @@
 ---
 global:
  systemInformation:
-    releaseVersion: "v1.8.0"
+    releaseVersion: "v1.9.0"
 ...
--- a/helmfile/environments/default/images.yaml.gotmpl
+++ b/helmfile/environments/default/images.yaml.gotmpl
@@ -960,7 +960,7 @@ images:
    # upstreamMirrorStartFrom: ["1", "91", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/element/images-mirror/synapse"
-    tag: "v1.137.0@sha256:ae2f7ae1329d4ce66292ee2aed78f9187ab25104288c44413b0de4c0ae8ac7f9"
+    tag: "v1.141.0@sha256:4914f40c9fbfb29e4157bd1f7db87169894505c2c66dfdb4fcad5a34cd42f924"
  synapseCreateUser:
    # providerCategory: "Community"
    # providerResponsible: "Nordeck"
--- a/helmfile/environments/default/theme.yaml.gotmpl
+++ b/helmfile/environments/default/theme.yaml.gotmpl
@@ -44,7 +44,7 @@ theme:
    logoHeaderInvertedSvgB64: {{ readFile "./../../files/theme/logoHeaderInverted.svg" | b64enc | quote }}

    chat:
-      faviconIco: {{ readFile "./../../files/theme/chat/favicon.ico" | b64enc | quote }}
+      faviconPng: {{ readFile "./../../files/theme/chat/favicon.png" | b64enc | quote }}

    files:
      faviconIco: {{ readFile "./../../files/theme/files/favicon.ico" | b64enc | quote }}
Author	SHA1	Message	Date
Thorsten Roßner	89308abd5e	fix(nubus): Update token exchange	2025-11-10 11:19:34 +00:00
Thorsten Roßner	9ad99d643d	fix(nubus): Remove `UMC` (SAML) Keycloak client	2025-11-10 11:19:34 +00:00
Thorsten Roßner	3549e28771	fix(nubus): Update token exchange	2025-11-10 11:19:34 +00:00
Thorsten Roßner	4655942762	chore(release): 1.9.0 [skip ci] # [1.9.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.8.0...v1.9.0) (2025-11-07) ### Bug Fixes * collabora: Update from 25.04.4.3.1 to 25.04.5.3.1 ([`e0128e6`](`e0128e6ccf`)) * element: Increase message and media rate limits ([`13968a8`](`13968a8133`)) * element: Update favicon to use PNG version ([`f8104f6`](`f8104f6358`)) * element: Update Synapse from v1.137.0 to v1.141.0; fixes https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr which applies to all openDesk deployments using Element/Matrix with federation enabled ([`02d3021`](`02d3021c4b`)) * element: Update widgets primary color theme settings ([`94394a1`](`94394a1e3e`)) * gitlab: Add issue templates ([`26da7e3`](`26da7e3667`)) * helmfile: Support setting the `defaultLanguage` - relevant for OX App Suite and XWiki - in `functional.yaml.gotmpl` ([`24065db`](`24065dbc70`)) * helmfile: Use passwords defined in `database.yaml.gotmpl` for Cassandra when available ([`0268219`](`026821996a`)) * notes: Fix python path for self signed certs ([`c4279d1`](`c4279d11bb`)) * notes: Fix repeated redirects on expired session; Remove fetching of external assets ([`c1012f4`](`c1012f4e65`)) * open-xchange: Don't enable sasl auth when no relay host is set ([`ff3b221`](`ff3b221870`)) * open-xchange: Enable and configure defaults for ContactCollector, remove legacy config artifacts ([`465f60d`](`465f60d4a2`)) * open-xchange: Use masterpassword for mailfilter in migration Pods; use PLAIN instead of OAuth for SASL ([`484dfaf`](`484dfafe64`)) * ox-connector: Use FQDN for internal service URLs ([`8593d5f`](`8593d5f2bd`)) ### Features * helmfile: Add toggle for external mail client onboarding and allow non-default FQDNs for IMAP and SMTP endpoints ([`25a97ab`](`25a97abba6`)) * open-xchange: Enable XRechnung in Viewer ([`08e6ec5`](`08e6ec59d2`)) * openproject: Update from 16.4.1 to 16.5.1 ([`74cf2ee`](`74cf2ee0d8`))	2025-11-07 09:08:52 +00:00
Thorsten Roßner	f8104f6358	fix(element): Update favicon to use PNG version	2025-11-07 05:58:42 +00:00
Thorsten Roßner	02d3021c4b	fix(element): Update Synapse from v1.137.0 to v1.141.0; fixes https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr which applies to all openDesk deployments using Element/Matrix with federation enabled	2025-11-07 05:58:42 +00:00