Depends on D4994
Details
Diff Detail
- Repository
- rSPSITE puppet-swh-site
- Branch
- keycloak-hedgedoc-full
- Lint: No Linters Available
- Unit: No Unit Test Coverage
- Build Status: Buildable 18955 Build 29372: arc lint + arc unit
Event Timeline
I think you should be able to add the id scope by overriding the default_client_scopes in client settings.
The protocol mapper could also be created the following way.
```yaml
keycloak::resources::protocol_mappers::id:
  resource_name: id
  type: oidc-usermodel-property-mapper
  claim_name: id
  user_attribute: id

hedgedoc:
  settings:
    public_client: false
    default_client_scopes:
      - profile
      - email
      - roles
      - web-origins
      - id
    redirect_uris:
      # Should match letsencrypt::certificates.hedgedoc.domains
      - https://hedgedoc.softwareheritage.org/*
    secret: some-secret
    protocol_mappers:
      - "%{alias('keycloak::resources::protocol_mappers::id')}"
```
I need to update my pupperware environment, so I cannot confirm it is working at the moment.
So after (painfully) managing to get my pupperware environment functional again, I could configure the hedgedoc client properly using the following diff:
diff --git a/data/common/common.yaml b/data/common/common.yaml index ff78d092..0db1c3cd 100644 --- a/data/common/common.yaml +++ b/data/common/common.yaml @@ -3070,6 +3070,12 @@ keycloak::resources::protocol_mappers::groups: claim_name: groups full_path: true +keycloak::resources::protocol_mappers::id: + resource_name: id + type: oidc-usermodel-property-mapper + claim_name: id + user_attribute: id + keycloak::resources::flows::direct_grant_no_otp: name: direct_grant_no_otp description: Direct grant flow without conditional OTP @@ -3091,6 +3097,8 @@ keycloak::resources::realms: verify_email: true flows: - "%{alias('keycloak::resources::flows::direct_grant_no_otp')}" + client_scopes: + id: {} clients: swh-web: settings: @@ -3104,6 +3112,21 @@ keycloak::resources::realms: protocol_mappers: - "%{alias('keycloak::resources::protocol_mappers::audience')}" - "%{alias('keycloak::resources::protocol_mappers::groups')}" + hedgedoc: + settings: + public_client: false + default_client_scopes: + - profile + - email + - roles + - web-origins + - id + redirect_uris: + # Should match letsencrypt::certificates.hedgedoc.domains + - https://hedgedoc.softwareheritage.org/* + secret: some-secret + protocol_mappers: + - "%{alias('keycloak::resources::protocol_mappers::id')}" SoftwareHeritageStaging: settings: display_name: Software Heritage (Staging) diff --git a/site-modules/profile/manifests/keycloak/resources.pp b/site-modules/profile/manifests/keycloak/resources.pp index 84caa91e..6f1ab624 100644 --- a/site-modules/profile/manifests/keycloak/resources.pp +++ b/site-modules/profile/manifests/keycloak/resources.pp 
@@ -66,6 +66,19 @@ class profile::keycloak::resources { } } + $client_scopes = pick($realm_data['client_scopes'], {}) + + $client_scopes.each |$client_scope_name, $client_scope_settings| { + + $client_scope_id = fqdn_uuid("${realm_name}.${client_scope_name}") + + keycloak_client_scope {"${client_scope_name} on ${realm_name}": + ensure => present, + id => $client_scope_id, + * => $client_scope_settings, + } + } + $clients = pick($realm_data['clients'], {}) $realm_client_common_settings = deep_merge($client_common_settings, pick($realm_data['client_settings'], {}))
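Review bot: the hedgedoc client hunk in data/common/common.yaml commits `secret: some-secret` as a literal, and since the client is confidential (`public_client: false`) that literal is exactly what the catalog pushes to Keycloak (the octocatalog-diff output below shows `"secret": "some-secret"`). The real value belongs in the private hiera data (the data/private repository that octocatalog-diff clones), referenced from here the same way the protocol mapper is pulled in via `%{alias(...)}`, rather than as a placeholder in common data that would be deployed verbatim.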
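Review bot: in the `$client_scopes.each` block of resources.pp, `keycloak_client_scope` receives only `ensure`, `id` and the splatted `$client_scope_settings`; the realm is not passed and is left to be parsed out of the title `"${client_scope_name} on ${realm_name}"`. The compiled catalog confirms this works (`"realm": "SoftwareHeritage"` on `Keycloak_client_scope[id on SoftwareHeritage]`), but an explicit `realm => $realm_name` next to `id => $client_scope_id` would make that dependency visible and survive a title change; the blank lines inside the `each` body are also out of step with the surrounding `$clients` block.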
Below is the relevant octocatalog-diff output:
```
14:21 $ bin/octocatalog-diff --octocatalog-diff-args --no-truncate-details -t staging kelvingrove.internal.softwareheritage.org
Found host kelvingrove.internal.softwareheritage.org
Cloning into '/tmp/swh-ocd.ZVkv3jvy/environments/production/data/private'...
done.
Cloning into '/tmp/swh-ocd.ZVkv3jvy/environments/staging/data/private'...
done.
*** Running octocatalog-diff on host kelvingrove.internal.softwareheritage.org
I, [2021-02-03T14:21:53.420292 #744366]  INFO -- : Catalogs compiled for kelvingrove.internal.softwareheritage.org
I, [2021-02-03T14:21:53.636103 #744366]  INFO -- : Diffs computed for kelvingrove.internal.softwareheritage.org
diff origin/production/kelvingrove.internal.softwareheritage.org current/kelvingrove.internal.softwareheritage.org
*******************************************
+ Keycloak_client[hedgedoc on SoftwareHeritage] =>
   parameters =>
     "client_id": "hedgedoc"
     "default_client_scopes": ["profile", "email", "roles", "web-origins", "id"]
     "ensure": "present"
     "id": "8000e76f-b23a-5736-aceb-5116ec28debe"
     "login_theme": "swh"
     "optional_client_scopes": ["microprofile-jwt", "offline_access"]
     "public_client": false
     "realm": "SoftwareHeritage"
     "redirect_uris": ["https://hedgedoc.softwareheritage.org/*"]
     "secret": "some-secret"
*******************************************
+ Keycloak_client_protocol_mapper[id for 8000e76f-b23a-5736-aceb-5116ec28debe on SoftwareHeritage] =>
   parameters =>
     "claim_name": "id"
     "client": "8000e76f-b23a-5736-aceb-5116ec28debe"
     "ensure": "present"
     "id": "bf7afedc-b33c-58df-a672-36c59b72cd2e"
     "realm": "SoftwareHeritage"
     "resource_name": "id"
     "type": "oidc-usermodel-property-mapper"
     "user_attribute": "id"
*******************************************
+ Keycloak_client_scope[id on SoftwareHeritage] =>
   parameters =>
     "ensure": "present"
     "id": "75f94bdc-5223-5490-a9a8-c8ef902c8351"
     "realm": "SoftwareHeritage"
     "resource_name": "id"
*******************************************
```
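The hiera data in the diff above wires three things together: a `client_scopes` entry on the realm, a client listing that scope in `default_client_scopes`, and a protocol mapper pulled in through `%{alias(...)}`. As an added example (not part of puppet-swh-site), the script below mirrors those keys as a constructed dict, resolves the aliases the way hiera does, and checks that every default scope is declared, every alias target exists, and no confidential client carries a placeholder secret in common data; the `BUILTIN_SCOPES` and `PLACEHOLDER_SECRETS` sets are assumptions.

```python
import re

# Added example, not puppet-swh-site code: consistency check over the hiera keys
# from this diff. PyYAML is avoided by embedding the data as a constructed dict.
ALIAS_RE = re.compile(r"^%\{alias\('([^']+)'\)\}$")
BUILTIN_SCOPES = {"profile", "email", "roles", "web-origins"}  # assumed Keycloak defaults
PLACEHOLDER_SECRETS = {"some-secret", "changeme", ""}            # assumed placeholder values

# Constructed mirror of the data/common/common.yaml keys shown in the diff.
HIERA = {
    "keycloak::resources::protocol_mappers::id": {
        "resource_name": "id", "type": "oidc-usermodel-property-mapper",
        "claim_name": "id", "user_attribute": "id"},
    "keycloak::resources::realms": {"SoftwareHeritage": {
        "client_scopes": {"id": {}},
        "clients": {"hedgedoc": {"settings": {
            "public_client": False,
            "default_client_scopes": ["profile", "email", "roles", "web-origins", "id"],
            "redirect_uris": ["https://hedgedoc.softwareheritage.org/*"],
            "secret": "some-secret",
            "protocol_mappers": ["%{alias('keycloak::resources::protocol_mappers::id')}"],
        }}}}}}

def resolve(value, hiera):
    """Replace every %{alias('key')} string with the referenced hiera value."""
    if isinstance(value, str) and (m := ALIAS_RE.match(value)):
        if m.group(1) not in hiera:
            raise KeyError(f"unresolved alias {m.group(1)}")
        return resolve(hiera[m.group(1)], hiera)
    if isinstance(value, list):
        return [resolve(v, hiera) for v in value]
    if isinstance(value, dict):
        return {k: resolve(v, hiera) for k, v in value.items()}
    return value

def check_realms(hiera):
    """Return finding strings; an empty list means the realm data is consistent."""
    findings = []
    for realm, rdata in resolve(hiera["keycloak::resources::realms"], hiera).items():
        known = BUILTIN_SCOPES | set(rdata.get("client_scopes", {}))
        for client, cdata in rdata.get("clients", {}).items():
            s = cdata.get("settings", {})
            for scope in s.get("default_client_scopes", []):
                if scope not in known:
                    findings.append(f"{realm}/{client}: scope '{scope}' not declared in realm")
            # A confidential client with a literal placeholder secret would be deployed as-is.
            if not s.get("public_client", True) and s.get("secret") in PLACEHOLDER_SECRETS:
                findings.append(f"{realm}/{client}: placeholder secret in common data")
    return findings
```

Run against the data in this diff it reports only the placeholder secret, which is the one thing the octocatalog-diff output above cannot flag on its own.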