Enable keycloak authentication on hedgedoc
- Harden hedgedoc config mode
- Enable keycloak authentication on HedgeDoc (and disable user registration)
- Disambiguate variable names in the hedgedoc manifest
- Set session secret for hedgedoc
Related to T2951
Test Plan
diff origin/production/bardo.internal.admin.swh.network current/bardo.internal.admin.swh.network
*******************************************
File[/opt/hedgedoc/config.json] =>
parameters =>
content =>
@@ -1,5 +1,5 @@
{
"production": {
- "sessionSecret": "change-this-secret",
+ "sessionSecret": "hedgedoc::session_secret",
"allowAnonymous": true,
"allowAnonymousEdit": true,
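Review bot: The new `sessionSecret` value on the `+` line is the literal string `"hedgedoc::session_secret"`, which reads like a hiera key path rather than a generated secret; the same pattern appears for `clientSecret` in the second hunk. If octocatalog-diff was run against a placeholder-secrets hiera this is expected, but it is worth confirming that the catalog compiled on the real node renders a long random value for both keys, since a predictable session secret lets anyone forge HedgeDoc session cookies and a guessable client secret undermines the Keycloak client. A quick check is to inspect the deployed `/opt/hedgedoc/config.json` (now mode 0600) and verify neither field still contains a `::` key-path string. Note also that the context lines keep `"allowAnonymous": true` and `"allowAnonymousEdit": true`, so disabling email registration does not stop unauthenticated users from creating or editing notes; if the intent of the hardening is to require a Keycloak login, those two flags need to be revisited as well.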
@@ -10,5 +10,16 @@
"allowOrigin": [ "localhost", "hedgedoc.softwareheritage.org"],
"email": true,
- "allowEmailRegister": true,
+ "allowEmailRegister": false,
+ "oauth2": {
+ "baseURL": "https://auth.softwareheritage.org/",
+ "userProfileURL": "https://auth.softwareheritage.org/auth/realms/SoftwareHeritage/protocol/openid-connect/userinfo",
+ "userProfileUsernameAttr": "preferred_username",
+ "userProfileDisplayNameAttr": "name",
+ "userProfileEmailAttr": "email",
+ "tokenURL": "https://auth.softwareheritage.org/auth/realms/SoftwareHeritage/protocol/openid-connect/token",
+ "authorizationURL": "https://auth.softwareheritage.org/auth/realms/SoftwareHeritage/protocol/openid-connect/auth",
+ "clientID": "hedgedoc",
+ "clientSecret": "hedgedoc::keycloak::client::secret"
+ },
"hsts": {
"enable": true,
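Review bot: The added `oauth2` block relies on the userinfo endpoint returning `preferred_username`, `name` and `email`, but does not set `"scope"`, so whether those claims are present depends on the default client scopes attached to the `hedgedoc` client in Keycloak rather than on this configuration; pinning `"scope": "openid profile email"` makes the dependency explicit and survives changes to the Keycloak client defaults. As written, any account in the SoftwareHeritage realm can authenticate to HedgeDoc; if access should be limited to a subset of users, that has to be enforced either on the Keycloak side (client-level access restriction) or, on HedgeDoc versions that support it, via the `rolesClaim`/`accessRole` oauth2 options — confirm which is intended. The `"hsts"` object continues outside the hunk.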
mode =>
- 0644
+ 0600
*******************************************
*** End octocatalog-diff on bardo.internal.admin.swh.network
Checked that the new config.json file works on the prod instance 0:-)
Migrated from D4994 (view on Phabricator)