Fix OIDC issuer URL concatenation for Mastodon bug

- Removed trailing slash in '_oidc_client_issuer_url' to avoid issuer mismatch - Use '.rstrip('/')' to normalize '_oidc_url' - Switched to '~' concatenation instead of inline slashes for all OIDC endpoints - Ensures that Mastodon and other OIDC clients match the issuer from Keycloak discovery Change motivated by Mastodon issuer mismatch bug (OpenIDConnect::Discovery::DiscoveryFailed). See related discussion: https://chatgpt.com/share/68a17d3c-c980-800f-934c-d56955b45f81
2025-08-18 09:45:03 +02:00 · 2025-08-17 09:02:03 +02:00 · 2025-08-17 09:02:03 +02:00 · 14e868a644
commit 14e868a644
parent 2a1a956739
1 changed files with 17 additions and 17 deletions
--- a/group_vars/all/12_oidc.yml
+++ b/group_vars/all/12_oidc.yml
@ -10,30 +10,30 @@
 ## Helper Variables:
 _oidc_client_realm:         "{{ OIDC.CLIENT.REALM if OIDC.CLIENT is defined and OIDC.CLIENT.REALM is defined else SOFTWARE_NAME | lower }}"
 _oidc_url:                  "{{ 
-                                (OIDC.URL 
-                                  if (oidc is defined and OIDC.URL is defined) 
+                                ( OIDC.URL
+                                  if (OIDC is defined and OIDC.URL is defined) 
                                  else WEB_PROTOCOL ~ '://' ~ (domains | get_domain('web-app-keycloak'))
-                                ) 
+                                ).rstrip('/') 
                            }}"
-_oidc_client_issuer_url:    "{{ _oidc_url }}/realms/{{_oidc_client_realm}}/"
+_oidc_client_issuer_url:    "{{ _oidc_url ~ '/realms/' ~ _oidc_client_realm }}"
 _oidc_client_id:            "{{ OIDC.CLIENT.ID if OIDC.CLIENT is defined and OIDC.CLIENT.ID is defined else SOFTWARE_NAME | lower }}"

 defaults_oidc:
  URL:                    "{{ _oidc_url }}"
  CLIENT:
-    ID:                   "{{ _oidc_client_id }}"                                           # Client identifier, typically matching your primary domain
-#   secret:                                                                                 # Client secret for authenticating with the OIDC provider (set in the inventory file). Recommend greater then 32 characters
-    REALM:                "{{_oidc_client_realm}}"                                          # The realm to which the client belongs in the OIDC provider
-    ISSUER_URL:           "{{_oidc_client_issuer_url}}"                                     # Base URL of the OIDC provider (issuer)
-    DISCOVERY_DOCUMENT:   "{{_oidc_client_issuer_url}}/.well-known/openid-configuration"    # URL for fetching the provider's configuration details
-    AUTHORIZE_URL:        "{{_oidc_client_issuer_url}}/protocol/openid-connect/auth"        # Endpoint to start the authorization process
-    TOKEN_URL:            "{{_oidc_client_issuer_url}}/protocol/openid-connect/token"       # Endpoint to exchange authorization codes for tokens (note: 'token_url' may be a typo for 'token_url')
-    USER_INFO_URL:        "{{_oidc_client_issuer_url}}/protocol/openid-connect/userinfo"    # Endpoint to retrieve user information
-    LOGOUT_URL:           "{{_oidc_client_issuer_url}}/protocol/openid-connect/logout"      # Endpoint to log out the user
-    CHANGE_CREDENTIALS:   "{{_oidc_client_issuer_url}}account/account-security/signing-in"  # URL for managing or changing user credentials
-    CERTS:                "{{_oidc_client_issuer_url}}/protocol/openid-connect/certs"       # JSON Web Key Set (JWKS)
-    RESET_CREDENTIALS:    "{{_oidc_client_issuer_url}}/login-actions/reset-credentials?client_id={{ _oidc_client_id }}" # Password reset url
-  BUTTON_TEXT:            "SSO Login ({{ PRIMARY_DOMAIN | upper }})"                           # Default button text
+    ID:                   "{{ _oidc_client_id }}"                                                  # Client identifier, typically matching your primary domain
+#   secret:                                                                                        # Client secret for authenticating with the OIDC provider (set in the inventory file). Recommend greater then 32 characters
+    REALM:                "{{ _oidc_client_realm }}"                                               # The realm to which the client belongs in the OIDC provider
+    ISSUER_URL:           "{{ _oidc_client_issuer_url }}"                                          # Base URL of the OIDC provider (issuer)
+    DISCOVERY_DOCUMENT:   "{{ _oidc_client_issuer_url ~ '/.well-known/openid-configuration' }}"    # URL for fetching the provider's configuration details
+    AUTHORIZE_URL:        "{{ _oidc_client_issuer_url ~ '/protocol/openid-connect/auth' }}"        # Endpoint to start the authorization process
+    TOKEN_URL:            "{{ _oidc_client_issuer_url ~ '/protocol/openid-connect/token' }}"       # Endpoint to exchange authorization codes for tokens (note: 'token_url' may be a typo for 'token_url')
+    USER_INFO_URL:        "{{ _oidc_client_issuer_url ~ '/protocol/openid-connect/userinfo' }}"    # Endpoint to retrieve user information
+    LOGOUT_URL:           "{{ _oidc_client_issuer_url ~ '/protocol/openid-connect/logout' }}"      # Endpoint to log out the user
+    CHANGE_CREDENTIALS:   "{{ _oidc_client_issuer_url ~ '/account/account-security/signing-in' }}" # URL for managing or changing user credentials
+    CERTS:                "{{ _oidc_client_issuer_url ~ '/protocol/openid-connect/certs' }}"       # JSON Web Key Set (JWKS)
+    RESET_CREDENTIALS:    "{{ _oidc_client_issuer_url ~ '/login-actions/reset-credentials?client_id=' ~ _oidc_client_id }}" # Password reset url
+  BUTTON_TEXT:            "SSO Login ({{ PRIMARY_DOMAIN | upper }})"                               # Default button text
  ATTRIBUTES:
    # Attribut to identify the user
    USERNAME:             "preferred_username"