Programmatically set up keycloak client for hedgedoc

Open Nicolas Dandrimont requested to merge generated-differential-D4995-source into production

Depends on !304 (closed)

Test Plan

incomplete/untested so far


Migrated from D4995 (view on Phabricator)

  • I think you should be able to add the id scope by overriding the default_client_scopes in client settings. The protocol mapper could also be created the following way.

    keycloak::resources::protocol_mappers::id:
      resource_name: id
      type: oidc-usermodel-property-mapper
      claim_name: id
      user_attribute: id
    
    hedgedoc:
      settings:
        public_client: false
        default_client_scopes:
          - profile
          - email
          - roles
          - web-origins
          - id
        redirect_uris:
          # Should match letsencrypt::certificates.hedgedoc.domains
          - https://hedgedoc.softwareheritage.org/*
        secret: some-secret
      protocol_mappers:
        - "%{alias('keycloak::resources::protocol_mappers::id')}"

    I need to update my pupperware environment, so I cannot confirm it is working at the moment.

  • So after (painfully) managing to get my pupperware environment functional again, I could configure the hedgedoc client properly using the following diff:

    diff --git a/data/common/common.yaml b/data/common/common.yaml
    index ff78d092..0db1c3cd 100644
    --- a/data/common/common.yaml
    +++ b/data/common/common.yaml
    @@ -3070,6 +3070,12 @@ keycloak::resources::protocol_mappers::groups:
         claim_name: groups
         full_path: true
     
    +keycloak::resources::protocol_mappers::id:
    +  resource_name: id
    +  type: oidc-usermodel-property-mapper
    +  claim_name: id
    +  user_attribute: id
    +
     keycloak::resources::flows::direct_grant_no_otp:
       name: direct_grant_no_otp
       description: Direct grant flow without conditional OTP
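
    Review bot: the new keycloak::resources::protocol_mappers::id entry maps the user property `id` (the user's internal Keycloak identifier) into an `id` claim, but nothing in the hunk records which client needs that claim or why; a one-line comment above `resource_name: id` naming hedgedoc as the consumer would make this shared definition self-explaining, since the neighbouring `groups` mapper is the only context a reader gets.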
    @@ -3091,6 +3097,8 @@ keycloak::resources::realms:
           verify_email: true
         flows:
           - "%{alias('keycloak::resources::flows::direct_grant_no_otp')}"
    +    client_scopes:
    +      id: {}
         clients:
           swh-web:
             settings:
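
    Review bot: `client_scopes:` / `id: {}` declares the `id` client scope with no settings and no protocol mapper attached, so listing it in a client's default_client_scopes adds nothing to the token on its own; the claim actually comes from the client-level `protocol_mappers` entry on hedgedoc further down. Either attach the id mapper to the scope here, so any client that requests the scope gets the claim, or add a comment stating that the scope is only a marker and the mapper lives on the client.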
    @@ -3104,6 +3112,21 @@ keycloak::resources::realms:
             protocol_mappers:
               - "%{alias('keycloak::resources::protocol_mappers::audience')}"
               - "%{alias('keycloak::resources::protocol_mappers::groups')}"
    +      hedgedoc:
    +        settings:
    +          public_client: false
    +          default_client_scopes:
    +            - profile
    +            - email
    +            - roles
    +            - web-origins
    +            - id
    +          redirect_uris:
    +            # Should match letsencrypt::certificates.hedgedoc.domains
    +            - https://hedgedoc.softwareheritage.org/*
    +          secret: some-secret
    +        protocol_mappers:
    +          - "%{alias('keycloak::resources::protocol_mappers::id')}"
       SoftwareHeritageStaging:
         settings:
           display_name: Software Heritage (Staging)
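
    Review bot: `secret: some-secret` commits a literal secret for a confidential client (`public_client: false`) into data/common/common.yaml; the value belongs in the private hiera data (the `data/private` repository that the octocatalog-diff run below clones), so that no placeholder can be applied as-is to the production realm. The `# Should match letsencrypt::certificates.hedgedoc.domains` comment also describes an invariant nobody checks; deriving redirect_uris from that key, or at least noting where the two are compared, would keep them from drifting apart.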
    diff --git a/site-modules/profile/manifests/keycloak/resources.pp b/site-modules/profile/manifests/keycloak/resources.pp
    index 84caa91e..6f1ab624 100644
    --- a/site-modules/profile/manifests/keycloak/resources.pp
    +++ b/site-modules/profile/manifests/keycloak/resources.pp
    @@ -66,6 +66,19 @@ class profile::keycloak::resources {
           }
         }
     
    +    $client_scopes = pick($realm_data['client_scopes'], {})
    +
    +    $client_scopes.each |$client_scope_name, $client_scope_settings| {
    +
    +      $client_scope_id = fqdn_uuid("${realm_name}.${client_scope_name}")
    +
    +      keycloak_client_scope {"${client_scope_name} on ${realm_name}":
    +        ensure => present,
    +        id => $client_scope_id,
    +        *  => $client_scope_settings,
    +      }
    +    }
    +
         $clients = pick($realm_data['clients'], {})
         $realm_client_common_settings = deep_merge($client_common_settings,
                                                    pick($realm_data['client_settings'], {}))
    
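
    Review bot: style in the new `keycloak_client_scope` block: the `=>` arrows (`ensure =>`, `id =>`, `*  =>`) are not aligned as elsewhere in the file, and the two blank lines inside the `each` body are unnecessary. The loop is correctly placed before the `$clients` loop so scopes exist when `default_client_scopes` references them; that ordering dependency deserves a short comment above `$client_scopes = pick(...)`.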

    Below is the relevant octocatalog-diff output

    14:21 $ bin/octocatalog-diff --octocatalog-diff-args --no-truncate-details -t staging kelvingrove.internal.softwareheritage.org
    Found host kelvingrove.internal.softwareheritage.org
    Cloning into '/tmp/swh-ocd.ZVkv3jvy/environments/production/data/private'...
    done.
    Cloning into '/tmp/swh-ocd.ZVkv3jvy/environments/staging/data/private'...
    done.
    *** Running octocatalog-diff on host kelvingrove.internal.softwareheritage.org
    I, [2021-02-03T14:21:53.420292 #744366]  INFO -- : Catalogs compiled for kelvingrove.internal.softwareheritage.org
    I, [2021-02-03T14:21:53.636103 #744366]  INFO -- : Diffs computed for kelvingrove.internal.softwareheritage.org
    diff origin/production/kelvingrove.internal.softwareheritage.org current/kelvingrove.internal.softwareheritage.org
    *******************************************
    + Keycloak_client[hedgedoc on SoftwareHeritage] =>
       parameters =>
          "client_id": "hedgedoc"
          "default_client_scopes": ["profile", "email", "roles", "web-origins", "id"]
          "ensure": "present"
          "id": "8000e76f-b23a-5736-aceb-5116ec28debe"
          "login_theme": "swh"
          "optional_client_scopes": ["microprofile-jwt", "offline_access"]
          "public_client": false
          "realm": "SoftwareHeritage"
          "redirect_uris": ["https://hedgedoc.softwareheritage.org/*"]
          "secret": "some-secret"
    *******************************************
    + Keycloak_client_protocol_mapper[id for 8000e76f-b23a-5736-aceb-5116ec28debe on SoftwareHeritage] =>
       parameters =>
          "claim_name": "id"
          "client": "8000e76f-b23a-5736-aceb-5116ec28debe"
          "ensure": "present"
          "id": "bf7afedc-b33c-58df-a672-36c59b72cd2e"
          "realm": "SoftwareHeritage"
          "resource_name": "id"
          "type": "oidc-usermodel-property-mapper"
          "user_attribute": "id"
    *******************************************
    + Keycloak_client_scope[id on SoftwareHeritage] =>
       parameters =>
          "ensure": "present"
          "id": "75f94bdc-5223-5490-a9a8-c8ef902c8351"
          "realm": "SoftwareHeritage"
          "resource_name": "id"
    *******************************************
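As an added check, not part of the merge request or of the swh puppet code, the following Python lint walks the same hiera structure: it resolves `%{alias('...')}` references, confirms every default client scope is declared in the realm or built into Keycloak, flags a confidential client carrying a placeholder secret, and requires redirect URIs to be https on a host covered by an issued certificate. The sample data is constructed from the hedgedoc fragment above; BUILTIN_SCOPES, PLACEHOLDER_SECRETS and CERT_DOMAINS are assumptions.

```python
import re
from urllib.parse import urlsplit

ALIAS_RE = re.compile(r"^%\{alias\('([^']+)'\)\}$")
# Assumed: Keycloak's built-in scopes seen in the octocatalog-diff output, and
# secret values treated as placeholders (the MR's "some-secret" is one of them).
BUILTIN_SCOPES = {"profile", "email", "roles", "web-origins", "microprofile-jwt", "offline_access"}
PLACEHOLDER_SECRETS = {"some-secret", "changeme", ""}

def resolve(value, hiera):
    """Resolve a hiera %{alias('key')} string to the referenced top-level key."""
    m = ALIAS_RE.match(value) if isinstance(value, str) else None
    return hiera.get(m.group(1), value) if m else value

def lint_realm(realm, hiera, cert_domains):
    """Return findings for the clients of one realm dictionary (empty list = clean)."""
    findings = []
    declared = BUILTIN_SCOPES | set(realm.get("client_scopes", {}))
    for name, client in realm.get("clients", {}).items():
        s = client.get("settings", {})
        # Clients are confidential unless public_client is set; they need a real secret.
        if not s.get("public_client", False) and s.get("secret", "") in PLACEHOLDER_SECRETS:
            findings.append(f"{name}: placeholder secret for confidential client")
        for scope in s.get("default_client_scopes", []):
            if scope not in declared:
                findings.append(f"{name}: undeclared client scope {scope!r}")
        for uri in s.get("redirect_uris", []):
            u = urlsplit(uri)  # https only, no wildcard host, host covered by a certificate
            if u.scheme != "https" or "*" in u.netloc or u.hostname not in cert_domains:
                findings.append(f"{name}: redirect_uri {uri} not https on a certificate domain")
        for mapper in client.get("protocol_mappers", []):
            mp = resolve(mapper, hiera)
            if not isinstance(mp, dict) or "claim_name" not in mp:
                findings.append(f"{name}: protocol mapper {mapper!r} does not resolve")
    return findings

# Constructed sample mirroring the hedgedoc client fragment from this merge request.
HIERA = {"keycloak::resources::protocol_mappers::id": {
    "resource_name": "id", "type": "oidc-usermodel-property-mapper",
    "claim_name": "id", "user_attribute": "id"}}
REALM = {"client_scopes": {"id": {}}, "clients": {"hedgedoc": {
    "settings": {"public_client": False, "secret": "some-secret",
                 "default_client_scopes": ["profile", "email", "roles", "web-origins", "id"],
                 "redirect_uris": ["https://hedgedoc.softwareheritage.org/*"]},
    "protocol_mappers": ["%{alias('keycloak::resources::protocol_mappers::id')}"]}}}
CERT_DOMAINS = {"hedgedoc.softwareheritage.org"}  # letsencrypt::certificates.hedgedoc.domains

if __name__ == "__main__":
    print("\n".join(lint_realm(REALM, HIERA, CERT_DOMAINS)) or "no findings")
```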