mirror of
https://github.com/kevinveenbirkenbach/computer-playbook.git
synced 2025-10-31 02:10:05 +00:00
Updated keycloak variables
This commit is contained in:
@@ -3,13 +3,13 @@
|
||||
|
||||
# ── REQUIRED VARS (must be provided by caller) ───────────────────────────────
|
||||
# - WEB_PROTOCOL e.g. "https"
|
||||
# - keycloak_realm target realm name
|
||||
# - keycloak_server_host_url e.g. "http://127.0.0.1:8080"
|
||||
# - keycloak_server_internal_url e.g. "http://127.0.0.1:8080"
|
||||
# - keycloak_kcadm_path e.g. "docker exec -i keycloak /opt/keycloak/bin/kcadm.sh"
|
||||
# - keycloak_master_api_user_name
|
||||
# - keycloak_master_api_user_password
|
||||
# - keycloak_client_id clientId to update (e.g. same as realm or an app client)
|
||||
# - KEYCLOAK_REALM target realm name
|
||||
# - KEYCLOAK_SERVER_HOST_URL e.g. "http://127.0.0.1:8080"
|
||||
# - KEYCLOAK_SERVER_INTERNAL_URL e.g. "http://127.0.0.1:8080"
|
||||
# - KEYCLOAK_KCADM_PATH e.g. "docker exec -i keycloak /opt/keycloak/bin/kcadm.sh"
|
||||
# - KEYCLOAK_MASTER_API_USER_NAME
|
||||
# - KEYCLOAK_MASTER_API_USER_PASSWORD
|
||||
# - KEYCLOAK_CLIENT_ID clientId to update (e.g. same as realm or an app client)
|
||||
# - domains your domain map
|
||||
# - applications your applications map
|
||||
|
||||
@@ -17,14 +17,14 @@
|
||||
assert:
|
||||
that:
|
||||
- WEB_PROTOCOL is defined
|
||||
- keycloak_realm is defined
|
||||
- keycloak_server_host_url is defined
|
||||
- keycloak_server_internal_url is defined
|
||||
- keycloak_kcadm_path is defined
|
||||
- keycloak_master_api_user_name is defined
|
||||
- keycloak_master_api_user_password is defined
|
||||
- keycloak_client_id is defined
|
||||
- keycloak_redirect_features is defined
|
||||
- KEYCLOAK_REALM is defined
|
||||
- KEYCLOAK_SERVER_HOST_URL is defined
|
||||
- KEYCLOAK_SERVER_INTERNAL_URL is defined
|
||||
- KEYCLOAK_KCADM_PATH is defined
|
||||
- KEYCLOAK_MASTER_API_USER_NAME is defined
|
||||
- KEYCLOAK_MASTER_API_USER_PASSWORD is defined
|
||||
- KEYCLOAK_CLIENT_ID is defined
|
||||
- KEYCLOAK_REDIRECT_FEATURES is defined
|
||||
- domains is defined
|
||||
- applications is defined
|
||||
fail_msg: "Missing required variable(s). Provide all vars listed at the top of 02_update_client_redirects.yml."
|
||||
@@ -32,18 +32,18 @@
|
||||
- name: "kcadm login"
|
||||
no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
|
||||
shell: >
|
||||
{{ keycloak_kcadm_path }} config credentials
|
||||
--server {{ keycloak_server_internal_url }}
|
||||
{{ KEYCLOAK_KCADM_PATH }} config credentials
|
||||
--server {{ KEYCLOAK_SERVER_INTERNAL_URL }}
|
||||
--realm master
|
||||
--user {{ keycloak_master_api_user_name }}
|
||||
--password {{ keycloak_master_api_user_password }}
|
||||
--user {{ KEYCLOAK_MASTER_API_USER_NAME }}
|
||||
--password {{ KEYCLOAK_MASTER_API_USER_PASSWORD }}
|
||||
changed_when: false
|
||||
|
||||
# 1) Build desired sets (NO defaults)
|
||||
- name: "Build desired redirect URIs from config via filter"
|
||||
set_fact:
|
||||
kc_redirect_uris: >-
|
||||
{{ domains | redirect_uris(applications, WEB_PROTOCOL, '/*', keycloak_redirect_features, True) }}
|
||||
{{ domains | redirect_uris(applications, WEB_PROTOCOL, '/*', KEYCLOAK_REDIRECT_FEATURES, True) }}
|
||||
|
||||
- name: Build desired web origins (scheme://host[:port])
|
||||
set_fact:
|
||||
@@ -55,11 +55,11 @@
|
||||
| list | unique }}
|
||||
|
||||
# 2) Resolve client id (strictly by provided clientId, no fallback)
|
||||
- name: "Resolve client internal id for {{ keycloak_client_id }}"
|
||||
- name: "Resolve client internal id for {{ KEYCLOAK_CLIENT_ID }}"
|
||||
shell: >
|
||||
{{ keycloak_kcadm_path }} get clients
|
||||
-r {{ keycloak_realm }}
|
||||
--query 'clientId={{ keycloak_client_id }}'
|
||||
{{ KEYCLOAK_KCADM_PATH }} get clients
|
||||
-r {{ KEYCLOAK_REALM }}
|
||||
--query 'clientId={{ KEYCLOAK_CLIENT_ID }}'
|
||||
--fields id --format json | jq -r '.[0].id'
|
||||
register: kc_client
|
||||
changed_when: false
|
||||
@@ -67,13 +67,13 @@
|
||||
- name: "Fail if client not found"
|
||||
assert:
|
||||
that: kc_client.stdout is match('^[0-9a-f-]+$')
|
||||
fail_msg: "Client '{{ keycloak_client_id }}' not found in realm '{{ keycloak_realm }}'."
|
||||
fail_msg: "Client '{{ KEYCLOAK_CLIENT_ID }}' not found in realm '{{ KEYCLOAK_REALM }}'."
|
||||
|
||||
# 3) Read current config (assume keys exist; we don't use defaults)
|
||||
- name: "Read current client configuration"
|
||||
shell: >
|
||||
{{ keycloak_kcadm_path }} get clients/{{ kc_client.stdout }}
|
||||
-r {{ keycloak_realm }} --format json
|
||||
{{ KEYCLOAK_KCADM_PATH }} get clients/{{ kc_client.stdout }}
|
||||
-r {{ KEYCLOAK_REALM }} --format json
|
||||
register: kc_client_obj
|
||||
changed_when: false
|
||||
|
||||
@@ -114,13 +114,13 @@
|
||||
# 4) Update only when changed
|
||||
- name: "Update client with redirectUris, webOrigins, frontchannelLogout"
|
||||
shell: >
|
||||
{{ keycloak_kcadm_path }} update clients/{{ kc_client.stdout }}
|
||||
-r {{ keycloak_realm }}
|
||||
{{ KEYCLOAK_KCADM_PATH }} update clients/{{ kc_client.stdout }}
|
||||
-r {{ KEYCLOAK_REALM }}
|
||||
-s 'redirectUris={{ kc_redirect_uris | to_json }}'
|
||||
-s 'webOrigins={{ kc_web_origins | to_json }}'
|
||||
-s 'frontchannelLogout=true'
|
||||
-s 'attributes."frontchannel.logout.url"={{ kc_desired_frontchannel_logout_url | to_json }}'
|
||||
-s 'attributes."frontchannel.logout.url"={{ KEYCLOAK_FRONTCHANNEL_LOGOUT_URL | to_json }}'
|
||||
when: kc_current_redirect_uris != kc_desired_redirect_uris
|
||||
or kc_current_web_origins != kc_desired_web_origins
|
||||
or kc_current_frontchannel_logout_url != kc_desired_frontchannel_logout_url
|
||||
or kc_current_frontchannel_logout_url != KEYCLOAK_FRONTCHANNEL_LOGOUT_URL
|
||||
|
||||
|
||||
@@ -12,12 +12,12 @@
|
||||
- name: "Assert required vars exist (strict: use ldap.* only, no defaults)"
|
||||
assert:
|
||||
that:
|
||||
- keycloak_realm is defined
|
||||
- keycloak_container is defined
|
||||
- keycloak_server_internal_url is defined
|
||||
- keycloak_master_api_user_name is defined
|
||||
- keycloak_master_api_user_password is defined
|
||||
- keycloak_ldap_component_name is defined
|
||||
- KEYCLOAK_REALM is defined
|
||||
- KEYCLOAK_CONTAINER is defined
|
||||
- KEYCLOAK_SERVER_INTERNAL_URL is defined
|
||||
- KEYCLOAK_MASTER_API_USER_NAME is defined
|
||||
- KEYCLOAK_MASTER_API_USER_PASSWORD is defined
|
||||
- KEYCLOAK_LDAP_CMP_NAME is defined
|
||||
- ldap is defined
|
||||
- ldap.dn.administrator is defined
|
||||
- ldap.dn.administrator.data is defined
|
||||
@@ -35,7 +35,7 @@
|
||||
- docker
|
||||
- exec
|
||||
- -i
|
||||
- "{{ keycloak_container }}"
|
||||
- "{{ KEYCLOAK_CONTAINER }}"
|
||||
- /opt/keycloak/bin/kcadm.sh
|
||||
|
||||
- name: "kcadm login (master)"
|
||||
@@ -43,19 +43,19 @@
|
||||
command:
|
||||
argv: "{{ kcadm_argv_base
|
||||
+ ['config', 'credentials',
|
||||
'--server', keycloak_server_internal_url,
|
||||
'--server', KEYCLOAK_SERVER_INTERNAL_URL,
|
||||
'--realm', 'master',
|
||||
'--user', keycloak_master_api_user_name,
|
||||
'--password', keycloak_master_api_user_password] }}"
|
||||
'--user', KEYCLOAK_MASTER_API_USER_NAME,
|
||||
'--password', KEYCLOAK_MASTER_API_USER_PASSWORD] }}"
|
||||
changed_when: false
|
||||
|
||||
# Resolve the LDAP component *by name* to avoid picking the wrong one.
|
||||
- name: "Resolve LDAP component id by name '{{ keycloak_ldap_component_name }}'"
|
||||
- name: "Resolve LDAP component id by name '{{ KEYCLOAK_LDAP_CMP_NAME }}'"
|
||||
command:
|
||||
argv: "{{ kcadm_argv_base
|
||||
+ ['get', 'components',
|
||||
'-r', keycloak_realm,
|
||||
'--query', 'name=' ~ keycloak_ldap_component_name,
|
||||
'-r', KEYCLOAK_REALM,
|
||||
'--query', 'name=' ~ KEYCLOAK_LDAP_CMP_NAME,
|
||||
'--fields', 'id,name,providerId,config',
|
||||
'--format', 'json'] }}"
|
||||
register: kc_ldap_list
|
||||
@@ -68,7 +68,7 @@
|
||||
that:
|
||||
- (parsed | length) == 1
|
||||
fail_msg: >-
|
||||
Expected exactly one LDAP component named '{{ keycloak_ldap_component_name }}',
|
||||
Expected exactly one LDAP component named '{{ KEYCLOAK_LDAP_CMP_NAME }}',
|
||||
found {{ (kc_ldap_list.stdout | from_json) | length }}.
|
||||
|
||||
- name: "Extract current LDAP component values"
|
||||
@@ -102,7 +102,7 @@
|
||||
command:
|
||||
argv: "{{ kcadm_argv_base
|
||||
+ ['update', 'components/' ~ kc_ldap_component_id,
|
||||
'-r', keycloak_realm,
|
||||
'-r', KEYCLOAK_REALM,
|
||||
'-s', 'config.bindDn=' ~ ([kc_desired_bind_dn] | to_json),
|
||||
'-s', 'config.bindCredential=' ~ ([kc_desired_bind_pw] | to_json),
|
||||
'-s', 'config.connectionUrl=' ~ ([kc_desired_connection_url] | to_json)
|
||||
@@ -112,7 +112,7 @@
|
||||
|
||||
- name: "LDAP provider updated"
|
||||
debug:
|
||||
msg: "LDAP bindDn/bindCredential/connectionUrl updated on component {{ keycloak_ldap_component_name }}."
|
||||
msg: "LDAP bindDn/bindCredential/connectionUrl updated on component {{ KEYCLOAK_LDAP_CMP_NAME }}."
|
||||
when:
|
||||
- kc_bind_update is defined
|
||||
- kc_bind_update.rc == 0
|
||||
|
||||
@@ -1,17 +1,17 @@
|
||||
# Configure Credentials
|
||||
- name: Ensure Keycloak CLI credentials are configured
|
||||
shell: |
|
||||
{{ keycloak_kcadm_path }} config credentials \
|
||||
--server {{ keycloak_server_internal_url }} \
|
||||
{{ KEYCLOAK_KCADM_PATH }} config credentials \
|
||||
--server {{ KEYCLOAK_SERVER_INTERNAL_URL }} \
|
||||
--realm master \
|
||||
--user {{ keycloak_master_api_user_name }} \
|
||||
--password {{ keycloak_master_api_user_password }}
|
||||
--user {{ KEYCLOAK_MASTER_API_USER_NAME }} \
|
||||
--password {{ KEYCLOAK_MASTER_API_USER_PASSWORD }}
|
||||
|
||||
# LDAP Source
|
||||
- name: Get ID of LDAP storage provider
|
||||
shell: |
|
||||
{{ keycloak_kcadm_path }} get components \
|
||||
-r {{ keycloak_realm }} \
|
||||
{{ KEYCLOAK_KCADM_PATH }} get components \
|
||||
-r {{ KEYCLOAK_REALM }} \
|
||||
--query 'providerId=ldap' \
|
||||
--fields id,name \
|
||||
--format json
|
||||
@@ -24,7 +24,7 @@
|
||||
- name: Ensure {{ ldap.user.attributes.ssh_public_key }} LDAP Mapper exists
|
||||
shell: |
|
||||
docker exec -i keycloak_application bash -c '
|
||||
/opt/keycloak/bin/kcadm.sh get components -r {{ keycloak_realm }} \
|
||||
/opt/keycloak/bin/kcadm.sh get components -r {{ KEYCLOAK_REALM }} \
|
||||
| grep -q "\"name\" : \"{{ ldap.user.attributes.ssh_public_key }}\"" \
|
||||
|| printf "%s\n" "{
|
||||
\"name\": \"{{ ldap.user.attributes.ssh_public_key }}\",
|
||||
@@ -39,7 +39,7 @@
|
||||
\"always.read.value.from.ldap\": [\"false\"],
|
||||
\"multivalued\": [\"true\"]
|
||||
}
|
||||
}" | /opt/keycloak/bin/kcadm.sh create components -r {{ keycloak_realm }} -f -'
|
||||
}" | /opt/keycloak/bin/kcadm.sh create components -r {{ KEYCLOAK_REALM }} -f -'
|
||||
register: mapper_create
|
||||
changed_when: mapper_create.rc == 0 and mapper_create.stdout != ""
|
||||
|
||||
@@ -47,16 +47,16 @@
|
||||
|
||||
- name: Enable user profile in realm
|
||||
shell: >
|
||||
{{ keycloak_kcadm_path }} update realms/{{ keycloak_realm }}
|
||||
{{ KEYCLOAK_KCADM_PATH }} update realms/{{ KEYCLOAK_REALM }}
|
||||
-s 'attributes.userProfileEnabled=true'
|
||||
|
||||
- name: Re-authenticate to Keycloak after enabling user profile
|
||||
shell: |
|
||||
{{ keycloak_kcadm_path }} config credentials \
|
||||
--server {{ keycloak_server_internal_url }} \
|
||||
{{ KEYCLOAK_KCADM_PATH }} config credentials \
|
||||
--server {{ KEYCLOAK_SERVER_INTERNAL_URL }} \
|
||||
--realm master \
|
||||
--user {{ keycloak_master_api_user_name }} \
|
||||
--password {{ keycloak_master_api_user_password }}
|
||||
--user {{ KEYCLOAK_MASTER_API_USER_NAME }} \
|
||||
--password {{ KEYCLOAK_MASTER_API_USER_PASSWORD }}
|
||||
|
||||
- name: Render user-profile JSON for SSH key
|
||||
template:
|
||||
@@ -67,5 +67,5 @@
|
||||
|
||||
- name: Apply SSH Public Key to user-profile via kcadm
|
||||
shell: |
|
||||
docker exec -i {{ keycloak_container }} \
|
||||
/opt/keycloak/bin/kcadm.sh update realms/{{ keycloak_realm }} -f {{ keycloak_docker_import_directory }}user-profile.json
|
||||
docker exec -i {{ KEYCLOAK_CONTAINER }} \
|
||||
/opt/keycloak/bin/kcadm.sh update realms/{{ KEYCLOAK_REALM }} -f {{ KEYCLOAK_DOCKER_IMPORT_DIR }}user-profile.json
|
||||
|
||||
@@ -10,10 +10,12 @@
|
||||
- name: "load docker, db and proxy for {{ application_id }}"
|
||||
include_role:
|
||||
name: cmp-db-docker-proxy
|
||||
vars:
|
||||
docker_compose_flush_handlers: true
|
||||
|
||||
- name: "Wait until Keycloak is reachable at {{ keycloak_server_host_url }}"
|
||||
- name: "Wait until Keycloak is reachable at {{ KEYCLOAK_SERVER_HOST_URL }}"
|
||||
uri:
|
||||
url: "{{ keycloak_server_host_url }}/realms/master"
|
||||
url: "{{ KEYCLOAK_SERVER_HOST_URL }}/realms/master"
|
||||
method: GET
|
||||
status_code: 200
|
||||
validate_certs: false
|
||||
@@ -26,7 +28,7 @@
|
||||
include_tasks: 02_update_client_redirects.yml
|
||||
|
||||
- name: "Update LDAP bind credentials from ldap.*"
|
||||
when: keycloak_update_ldap_bind | bool
|
||||
when: KEYCLOAK_UPDATE_LDAP_BIND | bool
|
||||
include_tasks: 03_update-ldap-bind.yml
|
||||
|
||||
# Deactivated temporary. Import now via realm.yml
|
||||
|
||||
@@ -1,14 +1,14 @@
|
||||
{% include 'roles/docker-compose/templates/base.yml.j2' %}
|
||||
|
||||
application:
|
||||
image: "{{ keycloak_image }}:{{ keycloak_version }}"
|
||||
container_name: {{ keycloak_container }}
|
||||
command: start{% if keycloak_import_realm %} --import-realm{% endif %}{% if keycloak_debug_enabled %} --verbose{% endif %}
|
||||
image: "{{ KEYCLOAK_IMAGE }}:{{ KEYCLOAK_VERSION }}"
|
||||
container_name: {{ KEYCLOAK_CONTAINER }}
|
||||
command: start{% if KEYCLOAK_IMPORT_REALM_ENABLED %} --import-realm{% endif %}{% if KEYCLOAK_DEBUG_ENABLED %} --verbose{% endif %}
|
||||
{% include 'roles/docker-container/templates/base.yml.j2' %}
|
||||
ports:
|
||||
- "{{ keycloak_server_host }}:8080"
|
||||
- "{{ KEYCLOAK_SERVER_HOST }}:8080"
|
||||
volumes:
|
||||
- "{{ keycloak_host_import_directory }}:{{keycloak_docker_import_directory}}"
|
||||
- "{{ keycloak_host_import_directory }}:{{KEYCLOAK_DOCKER_IMPORT_DIR}}"
|
||||
{% include 'roles/docker-container/templates/depends_on/dmbs_excl.yml.j2' %}
|
||||
{% include 'roles/docker-container/templates/networks.yml.j2' %}
|
||||
{% set container_port = 9000 %}
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"id": "3b03105b-5fe6-4b53-ba24-c8796525be0e",
|
||||
"realm": "{{ keycloak_realm }}",
|
||||
"realm": "{{ KEYCLOAK_REALM }}",
|
||||
"displayName": "",
|
||||
"displayNameHtml": "",
|
||||
"notBefore": 0,
|
||||
@@ -60,7 +60,7 @@
|
||||
},
|
||||
{
|
||||
"id": "01d9dd2a-75b2-47a2-af36-b14251f1b956",
|
||||
"name": "default-roles-{{ keycloak_realm }}",
|
||||
"name": "default-roles-{{ KEYCLOAK_REALM }}",
|
||||
"description": "${role_default-roles}",
|
||||
"composite": true,
|
||||
"composites": {
|
||||
@@ -302,7 +302,7 @@
|
||||
"attributes": {}
|
||||
}
|
||||
],
|
||||
"{{ keycloak_realm }}": [],
|
||||
"{{ KEYCLOAK_REALM }}": [],
|
||||
"security-admin-console": [],
|
||||
"admin-cli": [],
|
||||
"account-console": [],
|
||||
@@ -410,7 +410,7 @@
|
||||
"groups": [],
|
||||
"defaultRole": {
|
||||
"id": "01d9dd2a-75b2-47a2-af36-b14251f1b956",
|
||||
"name": "default-roles-{{ keycloak_realm }}",
|
||||
"name": "default-roles-{{ KEYCLOAK_REALM }}",
|
||||
"description": "${role_default-roles}",
|
||||
"composite": true,
|
||||
"clientRole": false,
|
||||
@@ -464,18 +464,18 @@
|
||||
"users": [
|
||||
{
|
||||
"id": "19ecedfd-acf2-49e8-9f66-91ab71d54fc3",
|
||||
"username": "service-account-{{ keycloak_realm }}",
|
||||
"username": "service-account-{{ KEYCLOAK_REALM }}",
|
||||
"emailVerified": false,
|
||||
"createdTimestamp": 1737925519602,
|
||||
"enabled": true,
|
||||
"totp": false,
|
||||
"serviceAccountClientId": "{{ keycloak_realm }}",
|
||||
"serviceAccountClientId": "{{ KEYCLOAK_REALM }}",
|
||||
"disableableCredentialTypes": [],
|
||||
"requiredActions": [
|
||||
"CONFIGURE_TOTP"
|
||||
],
|
||||
"realmRoles": [
|
||||
"default-roles-{{ keycloak_realm }}"
|
||||
"default-roles-{{ KEYCLOAK_REALM }}"
|
||||
],
|
||||
"notBefore": 0,
|
||||
"groups": []
|
||||
@@ -508,13 +508,13 @@
|
||||
"description": "",
|
||||
"rootUrl": "${authBaseUrl}",
|
||||
"adminUrl": "",
|
||||
"baseUrl": "/realms/{{ keycloak_realm }}/account/",
|
||||
"baseUrl": "/realms/{{ KEYCLOAK_REALM }}/account/",
|
||||
"surrogateAuthRequired": false,
|
||||
"enabled": true,
|
||||
"alwaysDisplayInConsole": false,
|
||||
"clientAuthenticatorType": "desktop-secret",
|
||||
"redirectUris": [
|
||||
"/realms/{{ keycloak_realm }}/account/*"
|
||||
"/realms/{{ KEYCLOAK_REALM }}/account/*"
|
||||
],
|
||||
"webOrigins": [
|
||||
"{{ domains | get_url('web-app-keycloak', WEB_PROTOCOL) }}"
|
||||
@@ -530,7 +530,7 @@
|
||||
"frontchannelLogout": true,
|
||||
"protocol": "openid-connect",
|
||||
"attributes": {
|
||||
"frontchannel.logout.url": "{{ kc_desired_frontchannel_logout_url }}",
|
||||
"frontchannel.logout.url": "{{ KEYCLOAK_FRONTCHANNEL_LOGOUT_URL }}",
|
||||
"realm_client": "false",
|
||||
"oidc.ciba.grant.enabled": "false",
|
||||
"backchannel.logout.session.required": "true",
|
||||
@@ -565,13 +565,13 @@
|
||||
"description": "",
|
||||
"rootUrl": "${authBaseUrl}",
|
||||
"adminUrl": "",
|
||||
"baseUrl": "/realms/{{ keycloak_realm }}/account/",
|
||||
"baseUrl": "/realms/{{ KEYCLOAK_REALM }}/account/",
|
||||
"surrogateAuthRequired": false,
|
||||
"enabled": true,
|
||||
"alwaysDisplayInConsole": false,
|
||||
"clientAuthenticatorType": "desktop-secret",
|
||||
"redirectUris": [
|
||||
"/realms/{{ keycloak_realm }}/account/*"
|
||||
"/realms/{{ KEYCLOAK_REALM }}/account/*"
|
||||
],
|
||||
"webOrigins": [
|
||||
"*"
|
||||
@@ -757,13 +757,13 @@
|
||||
"clientId": "security-admin-console",
|
||||
"name": "${client_security-admin-console}",
|
||||
"rootUrl": "${authAdminUrl}",
|
||||
"baseUrl": "/admin/{{ keycloak_realm }}/console/",
|
||||
"baseUrl": "/admin/{{ KEYCLOAK_REALM }}/console/",
|
||||
"surrogateAuthRequired": false,
|
||||
"enabled": true,
|
||||
"alwaysDisplayInConsole": false,
|
||||
"clientAuthenticatorType": "desktop-secret",
|
||||
"redirectUris": [
|
||||
"/admin/{{ keycloak_realm }}/console/*"
|
||||
"/admin/{{ KEYCLOAK_REALM }}/console/*"
|
||||
],
|
||||
"webOrigins": [
|
||||
"+"
|
||||
@@ -823,12 +823,12 @@
|
||||
},
|
||||
{
|
||||
"id": "7b5f97e3-7fa8-4d86-b1e9-80aac996da26",
|
||||
"clientId": "{{ keycloak_realm }}",
|
||||
"clientId": "{{ KEYCLOAK_REALM }}",
|
||||
"name": "",
|
||||
"description": "",
|
||||
"rootUrl": "{{ WEB_PROTOCOL }}://{{ keycloak_realm }}/",
|
||||
"adminUrl": "{{ WEB_PROTOCOL }}://{{ keycloak_realm }}/",
|
||||
"baseUrl": "{{ WEB_PROTOCOL }}://{{ keycloak_realm }}/",
|
||||
"rootUrl": "{{ WEB_PROTOCOL }}://{{ KEYCLOAK_REALM }}/",
|
||||
"adminUrl": "{{ WEB_PROTOCOL }}://{{ KEYCLOAK_REALM }}/",
|
||||
"baseUrl": "{{ WEB_PROTOCOL }}://{{ KEYCLOAK_REALM }}/",
|
||||
"surrogateAuthRequired": false,
|
||||
"enabled": true,
|
||||
"alwaysDisplayInConsole": false,
|
||||
@@ -1823,7 +1823,7 @@
|
||||
"org.keycloak.storage.UserStorageProvider": [
|
||||
{
|
||||
"id": "bBD2l6kVRMaSABbfOJVRaw",
|
||||
"name": "{{ keycloak_ldap_component_name }}",
|
||||
"name": "{{ KEYCLOAK_LDAP_CMP_NAME }}",
|
||||
"providerId": "ldap",
|
||||
"subComponents": {
|
||||
"org.keycloak.storage.ldap.mappers.LDAPStorageMapper": [
|
||||
|
||||
@@ -3,25 +3,22 @@ application_id: "web-app-keycloak"
|
||||
database_type: "postgres" # Database which will be used
|
||||
|
||||
# Keycloak
|
||||
keycloak_container: "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.name') }}" # Name of the keycloak docker container
|
||||
keycloak_docker_import_directory: "/opt/keycloak/data/import/" # Directory in which keycloak import files are placed in the running docker container
|
||||
keycloak_realm: "{{ OIDC.CLIENT.REALM }}" # This is the name of the default realm which is used by the applications
|
||||
keycloak_master_api_user: "{{ applications | get_app_conf(application_id, 'users.administrator') }}" # Master Administrator
|
||||
keycloak_master_api_user_name: "{{ keycloak_master_api_user.username }}" # Master Administrator Username
|
||||
keycloak_master_api_user_password: "{{ keycloak_master_api_user.password }}" # Master Administrator Password
|
||||
keycloak_kcadm_path: "docker exec -i {{ keycloak_container }} /opt/keycloak/bin/kcadm.sh" # Init script for keycloak
|
||||
keycloak_server_internal_url: "http://127.0.0.1:8080"
|
||||
keycloak_server_host: "127.0.0.1:{{ ports.localhost.http[application_id] }}"
|
||||
keycloak_server_host_url: "http://{{ keycloak_server_host }}"
|
||||
keycloak_image: "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.image') }}" # Keycloak docker image
|
||||
keycloak_version: "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.version') }}" # Keycloak docker version
|
||||
keycloak_debug_enabled: "{{ MODE_DEBUG }}"
|
||||
keycloak_redirect_features: ["features.oauth2","features.oidc"]
|
||||
keycloak_client_id: "{{ OIDC.CLIENT.ID }}"
|
||||
keycloak_ldap_component_name: "{{ ldap.server.domain }}" # Name of the LDAP User Federation component in Keycloak (as shown in UI)
|
||||
keycloak_import_realm: "{{ applications | get_app_conf(application_id, 'actions.import_realm') }}" # Activate realm import
|
||||
keycloak_update_ldap_bind: "{{ applications | get_app_conf(application_id, 'actions.update_ldap_bind') }}" # Toggle the LDAP bind update step
|
||||
kc_desired_frontchannel_logout_url: "{{ domains | get_url('web-svc-logout', WEB_PROTOCOL) }}/"
|
||||
|
||||
# Docker
|
||||
docker_compose_flush_handlers: true # Remember to copy realm import before flush when set to true
|
||||
KEYCLOAK_CONTAINER: "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.name') }}" # Name of the keycloak docker container
|
||||
KEYCLOAK_DOCKER_IMPORT_DIR: "/opt/keycloak/data/import/" # Directory in which keycloak import files are placed in the running docker container
|
||||
KEYCLOAK_REALM: "{{ OIDC.CLIENT.REALM }}" # This is the name of the default realm which is used by the applications
|
||||
KEYCLOAK_MASTER_API_USER: "{{ applications | get_app_conf(application_id, 'users.administrator') }}" # Master Administrator
|
||||
KEYCLOAK_MASTER_API_USER_NAME: "{{ KEYCLOAK_MASTER_API_USER.username }}" # Master Administrator Username
|
||||
KEYCLOAK_MASTER_API_USER_PASSWORD: "{{ KEYCLOAK_MASTER_API_USER.password }}" # Master Administrator Password
|
||||
KEYCLOAK_KCADM_PATH: "docker exec -i {{ KEYCLOAK_CONTAINER }} /opt/keycloak/bin/kcadm.sh" # Init script for keycloak
|
||||
KEYCLOAK_SERVER_INTERNAL_URL: "http://127.0.0.1:8080"
|
||||
KEYCLOAK_SERVER_HOST: "127.0.0.1:{{ ports.localhost.http[application_id] }}"
|
||||
KEYCLOAK_SERVER_HOST_URL: "http://{{ KEYCLOAK_SERVER_HOST }}"
|
||||
KEYCLOAK_IMAGE: "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.image') }}" # Keycloak docker image
|
||||
KEYCLOAK_VERSION: "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.version') }}" # Keycloak docker version
|
||||
KEYCLOAK_DEBUG_ENABLED: "{{ MODE_DEBUG }}"
|
||||
KEYCLOAK_REDIRECT_FEATURES: ["features.oauth2","features.oidc"]
|
||||
KEYCLOAK_CLIENT_ID: "{{ OIDC.CLIENT.ID }}"
|
||||
KEYCLOAK_LDAP_CMP_NAME: "{{ ldap.server.domain }}" # Name of the LDAP User Federation component in Keycloak (as shown in UI)
|
||||
KEYCLOAK_IMPORT_REALM_ENABLED: "{{ applications | get_app_conf(application_id, 'actions.import_realm') }}" # Activate realm import
|
||||
KEYCLOAK_UPDATE_LDAP_BIND: "{{ applications | get_app_conf(application_id, 'actions.update_ldap_bind') }}" # Toggle the LDAP bind update step
|
||||
KEYCLOAK_FRONTCHANNEL_LOGOUT_URL: "{{ domains | get_url('web-svc-logout', WEB_PROTOCOL) }}/"
|
||||
|
||||
Reference in New Issue
Block a user