kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-08-30 15:28:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

Finished implementation of oauth2 import

Browse Source
This commit is contained in:
Kevin Veen-Birkenbach
2025-08-17 21:00:45 +02:00
parent 7d0502ebc5
commit 5f0762e4f6
20 changed files with 620 additions and 190 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
roles/web-app-keycloak/templates/docker-compose.yml.j2
View File

@@ -3,12 +3,12 @@
application:
image: "{{ KEYCLOAK_IMAGE }}:{{ KEYCLOAK_VERSION }}"
container_name: {{ KEYCLOAK_CONTAINER }}
command: start{% if KEYCLOAK_IMPORT_REALM_ENABLED %} --import-realm{% endif %}{% if KEYCLOAK_DEBUG_ENABLED %} --verbose{% endif %}
command: start{% if KEYCLOAK_REALM_IMPORT_ENABLED %} --import-realm{% endif %}{% if KEYCLOAK_DEBUG_ENABLED %} --verbose{% endif %}
{% include 'roles/docker-container/templates/base.yml.j2' %}
ports:
- "{{ KEYCLOAK_SERVER_HOST }}:8080"
volumes:
- "{{ KEYCLOAK_HOST_IMPORT_DIR }}:{{KEYCLOAK_DOCKER_IMPORT_DIR}}"
- "{{ KEYCLOAK_REALM_IMPORT_DIR_HOST }}:{{ KEYCLOAK_REALM_IMPORT_DIR_DOCKER }}"
{% include 'roles/docker-container/templates/depends_on/dmbs_excl.yml.j2' %}
{% include 'roles/docker-container/templates/networks.yml.j2' %}
{% set container_port = 9000 %}

2
roles/web-app-keycloak/templates/env.j2
View File

@@ -7,7 +7,7 @@ KC_HTTP_ENABLED= true
# Health Checks
# @see https://quarkus.io/guides/smallrye-health
KC_HEALTH_ENABLED= true
KC_HEALTH_ENABLED= {{ KEYCLOAK_HEALTH_ENABLED | lower }}
KC_METRICS_ENABLED= true
# Administrator

3
roles/web-app-keycloak/templates/import/client.json.j2 → roles/web-app-keycloak/templates/import/clients/default.json.j2
View File

@@ -28,6 +28,7 @@
"oidc.ciba.grant.enabled": "false",
"client.secret.creation.time": "0",
"backchannel.logout.session.required": "true",
"standard.token.exchange.enabled": "false",
"post.logout.redirect.uris": {{ KEYCLOAK_POST_LOGOUT_URIS | to_json }},
"frontchannel.logout.session.required": "true",
"oauth2.device.authorization.grant.enabled": "false",
@@ -53,7 +54,7 @@
"organization",
"offline_access",
"microprofile-jwt",
"{{ applications | get_app_conf(application_id, 'scopes.rbac_roles', True) }}",
"{{ KEYCLOAK_OIDC_RBAC_SCOPE_NAME }}",
"{{ applications | get_app_conf(application_id, 'scopes.nextcloud', True) }}"
]
}

54
roles/web-app-keycloak/templates/import/ldap.json.j2 → roles/web-app-keycloak/templates/import/components/org.keycloak.storage.UserStorageProvider.json.j2
View File

@@ -1,9 +1,10 @@
{
"org.keycloak.storage.UserStorageProvider": [
{
"name": "{{ KEYCLOAK_LDAP_CMP_NAME }}",
"providerId": "ldap",
"subComponents": {
"org.keycloak.storage.ldap.mappers.LDAPStorageMapper": [
{# ---------------------- First Name ---------------------- #}
{
"name": "first name",
@@ -149,13 +150,7 @@
"groups.dn": [ "{{ ldap.dn.ou.roles }}" ],
"mode": [ "LDAP_ONLY" ],
"user.roles.retrieve.strategy": [ "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE" ],
"groups.ldap.filter": [
"{% set flavors = ldap.rbac.flavors | default([]) %}\
{% if 'groupOfNames' in flavors and 'organizationalUnit' in flavors %}(|(objectClass=groupOfNames)(objectClass=organizationalUnit))\
{% elif 'groupOfNames' in flavors %}(objectClass=groupOfNames)\
{% elif 'organizationalUnit' in flavors %}(objectClass=organizationalUnit)\
{% else %}(objectClass=groupOfNames){% endif %}"
],
"groups.ldap.filter": ["{{ ldap.rbac.flavors | ldap_groups_filter }}"],
"membership.ldap.attribute": [ "member" ],
"ignore.missing.groups": [ "true" ],
"group.object.classes": [ "groupOfNames" ],
@@ -163,7 +158,44 @@
"drop.non.existing.groups.during.sync": [ "false" ],
"groups.path": [ "{{ applications | get_app_conf(application_id, 'rbac_groups', True) }}" ]
}
}{% if keycloak_map_ldap_realm_roles | default(false) %},
},
{
"name": "phone number",
"providerId": "user-attribute-ldap-mapper",
"subComponents": {},
"config": {
"ldap.attribute": [ "telephoneNumber" ],
"is.mandatory.in.ldap": [ "false" ],
"always.read.value.from.ldap": [ "true" ],
"read.only": [ "false" ],
"user.model.attribute": [ "phoneNumber" ]
}
},
{
"name": "locale",
"providerId": "user-attribute-ldap-mapper",
"subComponents": {},
"config": {
"ldap.attribute": [ "preferredLanguage" ],
"is.mandatory.in.ldap": [ "false" ],
"always.read.value.from.ldap": [ "true" ],
"read.only": [ "false" ],
"user.model.attribute": [ "locale" ]
}
},
{
"name": "uidNumber",
"providerId": "user-attribute-ldap-mapper",
"subComponents": {},
"config": {
"ldap.attribute": [ "uidNumber" ],
"is.mandatory.in.ldap": [ "false" ],
"always.read.value.from.ldap": [ "true" ],
"read.only": [ "false" ],
"user.model.attribute": [ "uidNumber" ]
}
}
{% if keycloak_map_ldap_realm_roles | default(false) %},
{# ---------------------- LDAP -> Realm Roles (optional) -- #}
{
"name": "ldap-realm-roles",
@@ -182,7 +214,6 @@
"role.object.classes": [ "groupOfNames" ]
}
}{% endif %}
]
},
"config": {
@@ -225,3 +256,4 @@
"removeInvalidUsersEnabled": [ "true" ]
}
}
]

61
roles/web-app-keycloak/templates/import/components/org.keycloak.userprofile.UserProfileProvider.json.j2 Normal file
View File

@@ -0,0 +1,61 @@
{% set user_profile = {
"attributes": [
{
"name": "username",
"displayName": "${username}",
"validations": {"length": {"min": 3, "max": 255}, "pattern": {"pattern": "^[a-z0-9]+$", "error-message": ""}},
"annotations": {},
"permissions": {"view": ["admin","user"], "edit": ["admin","user"]},
"multivalued": false
},
{
"name": "email",
"displayName": "${email}",
"validations": {"email": {}, "length": {"max": 255}},
"required": {"roles": ["user"]},
"permissions": {"view": ["admin","user"], "edit": ["admin","user"]},
"multivalued": false
},
{
"name": "firstName",
"displayName": "${firstName}",
"validations": {"length": {"max": 255}, "person-name-prohibited-characters": {}},
"required": {"roles": ["user"]},
"permissions": {"view": ["admin","user"], "edit": ["admin","user"]},
"multivalued": false
},
{
"name": "lastName",
"displayName": "${lastName}",
"validations": {"length": {"max": 255}, "person-name-prohibited-characters": {}},
"required": {"roles": ["user"]},
"permissions": {"view": ["admin","user"], "edit": ["admin","user"]},
"multivalued": false
},
{
"name": ldap.user.attributes.ssh_public_key,
"displayName": "SSH Public Key",
"validations": {},
"annotations": {},
"permissions": {"view": ["admin","user"], "edit": ["admin","user"]},
"group": "user-metadata",
"multivalued": true
}
],
"groups": [
{
"name": "user-metadata",
"displayHeader": "User metadata",
"displayDescription": "Attributes, which refer to user metadata"
}
]
} %}
"org.keycloak.userprofile.UserProfileProvider": [
{
"providerId": "declarative-user-profile",
"subComponents": {},
"config": {
"kc.user.profile.config": [{{ (user_profile | tojson) | tojson }}]
}
}
]

116
roles/web-app-keycloak/templates/import/realm.json.j2
View File

@@ -507,7 +507,7 @@
"fullScopeAllowed": false,
"nodeReRegistrationTimeout": 0,
"defaultClientScopes": [
"web-app-origins",
"web-origins",
"acr",
"roles",
"profile",
@@ -572,7 +572,7 @@
}
],
"defaultClientScopes": [
"web-app-origins",
"web-origins",
"acr",
"roles",
"profile",
@@ -614,7 +614,7 @@
"fullScopeAllowed": true,
"nodeReRegistrationTimeout": 0,
"defaultClientScopes": [
"web-app-origins",
"web-origins",
"acr",
"roles",
"profile",
@@ -655,7 +655,7 @@
"fullScopeAllowed": false,
"nodeReRegistrationTimeout": 0,
"defaultClientScopes": [
"web-app-origins",
"web-origins",
"acr",
"roles",
"profile",
@@ -696,7 +696,7 @@
"fullScopeAllowed": false,
"nodeReRegistrationTimeout": 0,
"defaultClientScopes": [
"web-app-origins",
"web-origins",
"acr",
"roles",
"profile",
@@ -763,7 +763,7 @@
}
],
"defaultClientScopes": [
"web-app-origins",
"web-origins",
"acr",
"roles",
"profile",
@@ -778,7 +778,7 @@
"microprofile-jwt"
]
},
{% include "client.json.j2" %}
{% include "clients/default.json.j2" %}
],
"clientScopes": [
{
@@ -1057,86 +1057,10 @@
}
]
},
{% include "scopes/rbac.json.j2" %},
{% include "scopes/nextcloud.json.j2" %},
{
"name": "{{ applications | get_app_conf(application_id, 'scopes.nextcloud', True) }}",
"description": "Optimized mappers for nextcloud oidc_login with ldap.",
"protocol": "openid-connect",
"attributes": {
"include.in.token.scope": "false",
"display.on.consent.screen": "true",
"gui.order": "",
"consent.screen.text": ""
},
"protocolMappers": [
{
"name": "{{ ldap.user.attributes.nextcloud_quota }}",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-attribute-mapper",
"consentRequired": false,
"config": {
"aggregate.attrs": "false",
"introspection.token.claim": "true",
"multivalued": "false",
"userinfo.token.claim": "true",
"user.attribute": "{{ ldap.user.attributes.nextcloud_quota }}",
"id.token.claim": "true",
"lightweight.claim": "false",
"access.token.claim": "true",
"claim.name": "{{ ldap.user.attributes.nextcloud_quota }}",
"jsonType.label": "int"
}
},
{
"name": "UID Mapper",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-attribute-mapper",
"consentRequired": false,
"config": {
"aggregate.attrs": "false",
"introspection.token.claim": "true",
"multivalued": "false",
"userinfo.token.claim": "true",
"user.attribute": "username",
"id.token.claim": "true",
"lightweight.claim": "false",
"access.token.claim": "true",
"claim.name": "{{ldap.user.attributes.id}}",
"jsonType.label": "String"
}
}
]
},
{
"name": "{{ applications | get_app_conf(application_id, 'scopes.rbac_roles', True) }}",
"description": "RBAC Groups",
"protocol": "openid-connect",
"attributes": {
"include.in.token.scope": "false",
"display.on.consent.screen": "true",
"gui.order": "",
"consent.screen.text": ""
},
"protocolMappers": [
{
"name": "groups",
"protocol": "openid-connect",
"protocolMapper": "oidc-group-membership-mapper",
"consentRequired": false,
"config": {
"full.path": "true",
"introspection.token.claim": "true",
"userinfo.token.claim": "true",
"multivalued": "true",
"id.token.claim": "true",
"lightweight.claim": "false",
"access.token.claim": "true",
"claim.name": "{{ OIDC.CLAIMS.GROUPS }}"
}
}
]
},
{
"name": "web-app-origins",
"name": "web-origins",
"description": "OpenID Connect scope for add allowed web origins to the access token",
"protocol": "openid-connect",
"attributes": {
@@ -1496,7 +1420,7 @@
"profile",
"email",
"roles",
"web-app-origins",
"web-origins",
"acr",
"basic"
],
@@ -1506,7 +1430,7 @@
"phone",
"microprofile-jwt",
"organization",
"{{ applications | get_app_conf(application_id, 'scopes.rbac_roles', True) }}",
"{{ KEYCLOAK_OIDC_RBAC_SCOPE_NAME }}",
"{{ applications | get_app_conf(application_id, 'scopes.nextcloud', True) }}"
],
"browserSecurityHeaders": {
@@ -1642,20 +1566,8 @@
"config": {}
}
],
"org.keycloak.userprofile.UserProfileProvider": [
{
"providerId": "declarative-user-profile",
"subComponents": {},
"config": {
"kc.user.profile.config": [
"{\"attributes\":[{\"name\":\"username\",\"displayName\":\"${username}\",\"validations\":{\"length\":{\"min\":3,\"max\":255},\"pattern\":{\"pattern\":\"^[a-z0-9]+$\",\"error-message\":\"\"}},\"annotations\":{},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"email\",\"displayName\":\"${email}\",\"validations\":{\"email\":{},\"length\":{\"max\":255}},\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"firstName\",\"displayName\":\"${firstName}\",\"validations\":{\"length\":{\"max\":255},\"person-name-prohibited-characters\":{}},\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"lastName\",\"displayName\":\"${lastName}\",\"validations\":{\"length\":{\"max\":255},\"person-name-prohibited-characters\":{}},\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"{{ ldap.user.attributes.ssh_public_key }}\",\"displayName\":\"SSH Public Key\",\"validations\":{},\"annotations\":{},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"group\":\"user-metadata\",\"multivalued\":true}],\"groups\":[{\"name\":\"user-metadata\",\"displayHeader\":\"User metadata\",\"displayDescription\":\"Attributes, which refer to user metadata\"}]}"
]
}
}
],
"org.keycloak.storage.UserStorageProvider": [
{% include "ldap.json.j2" %}
],
{%- include "components/org.keycloak.userprofile.UserProfileProvider.json.j2" -%},
{%- include "components/org.keycloak.storage.UserStorageProvider.json.j2" -%},
"org.keycloak.keys.KeyProvider": [
{
"name": "rsa-enc-generated",

49
roles/web-app-keycloak/templates/import/scopes/nextcloud.json.j2 Normal file
View File

@@ -0,0 +1,49 @@
{
"name": "{{ applications | get_app_conf(application_id, 'scopes.nextcloud') }}",
"description": "Optimized mappers for nextcloud oidc_login with ldap.",
"protocol": "openid-connect",
"attributes": {
"include.in.token.scope": "false",
"display.on.consent.screen": "true",
"gui.order": "",
"consent.screen.text": ""
},
"protocolMappers": [
{
"name": "{{ ldap.user.attributes.nextcloud_quota }}",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-attribute-mapper",
"consentRequired": false,
"config": {
"aggregate.attrs": "false",
"introspection.token.claim": "true",
"multivalued": "false",
"userinfo.token.claim": "true",
"user.attribute": "{{ ldap.user.attributes.nextcloud_quota }}",
"id.token.claim": "true",
"lightweight.claim": "false",
"access.token.claim": "true",
"claim.name": "{{ ldap.user.attributes.nextcloud_quota }}",
"jsonType.label": "int"
}
},
{
"name": "UID Mapper",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-attribute-mapper",
"consentRequired": false,
"config": {
"aggregate.attrs": "false",
"introspection.token.claim": "true",
"multivalued": "false",
"userinfo.token.claim": "true",
"user.attribute": "username",
"id.token.claim": "true",
"lightweight.claim": "false",
"access.token.claim": "true",
"claim.name": "{{ldap.user.attributes.id}}",
"jsonType.label": "String"
}
}
]
}

29
roles/web-app-keycloak/templates/import/scopes/rbac.json.j2 Normal file
View File

@@ -0,0 +1,29 @@
{
"name": "{{ KEYCLOAK_OIDC_RBAC_SCOPE_NAME }}",
"description": "RBAC Groups",
"protocol": "openid-connect",
"attributes": {
"include.in.token.scope": "false",
"display.on.consent.screen": "true",
"gui.order": "",
"consent.screen.text": ""
},
"protocolMappers": [
{
"name": "groups",
"protocol": "openid-connect",
"protocolMapper": "oidc-group-membership-mapper",
"consentRequired": false,
"config": {
"full.path": "true",
"introspection.token.claim": "true",
"userinfo.token.claim": "true",
"multivalued": "true",
"id.token.claim": "true",
"lightweight.claim": "false",
"access.token.claim": "true",
"claim.name": "{{ OIDC.CLAIMS.GROUPS }}"
}
}
]
}