diff --git a/Puppetfile b/Puppetfile
--- a/Puppetfile
+++ b/Puppetfile
@@ -113,7 +113,7 @@
 mod 'keycloak',
 :git => 'https://forge.softwareheritage.org/source/puppet-treydock-keycloak',
- :ref => 'v6.2.0'
+ :ref => 'v6.10.0'
 mod 'letsencrypt',
 :git => 'https://forge.softwareheritage.org/source/puppet-puppet-letsencrypt',
diff --git a/data/defaults.yaml b/data/defaults.yaml
--- a/data/defaults.yaml
+++ b/data/defaults.yaml
@@ -2652,6 +2652,9 @@
 keycloak::postgres::user: keycloak
 # keycloak::postgres::password in private-data
+keycloak::realm::swh::name: 'SoftwareHeritage'
+keycloak::realm::swh::display_name: 'Software Heritage'
+keycloak::client::swh_web::id: 'swh-web'
 cassandra::release: 311x
 cassandra::cluster: azure
diff --git a/site-modules/profile/manifests/keycloak/primary.pp b/site-modules/profile/manifests/keycloak/primary.pp
--- a/site-modules/profile/manifests/keycloak/primary.pp
+++ b/site-modules/profile/manifests/keycloak/primary.pp
@@ -33,4 +33,36 @@
 # Don't manage the PostgreSQL database
 manage_datasource => false,
 }
+
+ keycloak_realm { $swh_realm_name:
+ ensure => 'present',
+ display_name => $swh_realm_display_name,
+ remember_me => true,
+ }
+
+ keycloak_client { $swh_web_client_id:
+ ensure => 'present',
+ realm => $swh_realm_name,
+ redirect_uris => [
+ 'http://localhost:5004/*',
+ 'https://archive.softwareheritage.org/*',
+ ],
+ default_client_scopes => ['profile', 'email', 'roles', 'web-origins'],
+ optional_client_scopes => ['microprofile-jwt', 'offline_access'],
+ public_client => true,
+ }
+
+ keycloak_client_protocol_mapper {
+ "audience for ${swh_web_client_id} on ${swh_realm_name}":
+ type => 'oidc-audience-mapper',
+ included_client_audience => $swh_web_client_id,
+ }
+
+ keycloak_client_protocol_mapper {
+ "user groups for ${swh_web_client_id} on ${swh_realm_name}":
+ type => 'oidc-group-membership-mapper',
+ claim_name => 'groups',
+ full_path => true,
+ }
+ }
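Review bot: `redirect_uris` for the public `swh-web` client includes `'http://localhost:5004/*'`, so the production realm will accept authorization-code redirects to a plain-HTTP loopback address; for a public client (no secret to present) that lets any process bound to that port on the user's machine receive the code and complete a login, and the `'https://archive.softwareheritage.org/*'` wildcard likewise accepts any path. Rather than hard-coding both lists in the manifest, source `redirect_uris` from hiera next to the new `keycloak::client::swh_web::id` key so the localhost entry only exists in development data, and narrow the production entry to the application's actual callback path. Since this is a browser client it may also be worth setting `web_origins` explicitly and, if the module version supports it, requiring PKCE on the code flow — both depend on what v6.10.0 of the module exposes, so verify against its type reference before relying on the `web-origins` scope alone. The enclosing class and the `$swh_realm_name`, `$swh_realm_display_name` and `$swh_web_client_id` variables are defined outside the hunk.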