Added auto oidc parameters to discourse

2025-02-22 20:39:40 +01:00 · 2025-01-27 11:51:14 +01:00 · 2025-01-27 11:51:14 +01:00 · 69a98c4c24
commit 69a98c4c24
parent c896057400
4 changed files with 30 additions and 17 deletions
--- a/group_vars/all
+++ b/group_vars/all
@ -244,7 +244,14 @@ joomla_version:                   "latest"
 #### Keycloak
 keycloak_version:                 "latest"
 keycloak_administrator_username:  "{{administrator_username}}"  # Administrator Username for Keycloak
-keycloak_oidc_active:             true                          # Implement OpenID Connect https://en.wikipedia.org/wiki/OpenID_Connect
+
+##### Keycloak Client Configuration
+oidc_client_active:               true  # Implement OpenID Connect https://en.wikipedia.org/wiki/OpenID_Connect
+oidc_client_id:                   "{{primary_domain}}"
+oidc_client_realm:                "{{primary_domain}}"   
+oidc_client_issuer_url:           "https://{{domain_keycloak}}/realms/{{oidc_client_realm}}"
+oidc_client_discovery_document:   "{{oidc_client_issuer_url}}/.well-known/openid-configuration"
+# oidc_client_secret:             "{{oidc_client_secret}}"  # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible

 #### LDAP
 ldap_lam_version:                     "latest"
@ -304,10 +311,7 @@ oauth2_proxy_redirect_url:                    "https://{{domain_keycloak}}/auth/
 # oauth2_proxy_port:                          >= 4180                                   # This ports should be defined in the roles. They are for the local mapping on the host and need to be defined in the playbook for transparancy.
 oauth2_proxy_upstream_application_and_port:   "application:80"                          # The name of the application which the server redirects to. Needs to be defined in role vars.
 oauth2_proxy_allowed_roles:                   admin                                     # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups  
-oauth2_proxy_client_id:                       "{{primary_domain}}"                      # The id of the client application
-oauth2_proxy_client_secret:                   "{{primary_oauth2_proxy_client_secret}}"  # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible
-oauth2_proxy_cookie_secret:                   "{{primary_oauth2_proxy_cookie_secret}}"  # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible openssl rand -hex 16
-oauth2_proxy_oidc_issuer_url:                 "https://{{domain_keycloak}}/realms/{{primary_domain}}"
+#oauth2_proxy_cookie_secret:                  "{{oauth2_proxy_cookie_secret}}"          # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible openssl rand -hex 16

 #### Peertube
 peertube_version:           "bookworm"
--- a/roles/docker-bigbluebutton/templates/env.j2
+++ b/roles/docker-bigbluebutton/templates/env.j2
@ -281,12 +281,12 @@ HELP_URL=https://docs.bigbluebutton.org/greenlight/gl-overview.html
 #   approval - For approve/decline registration
 DEFAULT_REGISTRATION=invite

-{% if keycloak_oidc_active | bool %}
+{% if oidc_client_active | bool %}
 ### EXTERNAL AUTHENTICATION METHODS
 # @See https://docs.bigbluebutton.org/greenlight/v3/external-authentication/
 #
-OPENID_CONNECT_CLIENT_ID={{oauth2_proxy_client_id}}
-OPENID_CONNECT_CLIENT_SECRET={{oauth2_proxy_client_secret}}
-OPENID_CONNECT_ISSUER={{oauth2_proxy_oidc_issuer_url}}
+OPENID_CONNECT_CLIENT_ID={{oidc_client_id}}
+OPENID_CONNECT_CLIENT_SECRET={{oidc_client_secret}}
+OPENID_CONNECT_ISSUER={{oidc_client_issuer_url}}
 OPENID_CONNECT_REDIRECT=https://{{domain}}
 {% endif %}
--- a/roles/docker-discourse/templates/discourse_application.yml.j2
+++ b/roles/docker-discourse/templates/discourse_application.yml.j2
@ -112,6 +112,15 @@ run:
  ## If you want to set the 'From' email address for your first registration, uncomment and change:
  ## After getting the first signup email, re-comment the line. It only needs to run once.
  #- exec: rails r "SiteSetting.notification_email='info@unconfigured.discourse.org'"
+{% if oidc_client_active | bool %}
+  - exec: rails r "SiteSetting.openid_connect_enabled = true"
+  - exec: rails r "SiteSetting.openid_connect_discovery_document = '{{oidc_client_discovery_document}}'"
+  - exec: rails r "SiteSetting.openid_connect_client_id = '{{oidc_client_id}}'"         
+  - exec: rails r "SiteSetting.openid_connect_client_secret = '{{oidc_client_secret}}'"     
+  - exec: rails r "SiteSetting.openid_connect_rp_initiated_logout_redirect = ''"
+  - exec: rails r "SiteSetting.openid_connect_allow_association_change = false"
+  - exec: rails r "SiteSetting.openid_connect_rp_initiated_logout = true"
+{% endif %}
  - exec: echo "End of custom commands"

 docker_args:
--- a/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
+++ b/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
@ -7,10 +7,10 @@ cookie_domains          =   ["{{domain}}", "{{domain_keycloak}}"]
 whitelist_domains       =   [".{{primary_domain}}"]                                 # Required to allow redirection back to original requested target.

 # keycloak provider
-client_secret           =   "{{oauth2_proxy_client_secret}}"
-client_id               =   "{{oauth2_proxy_client_id}}"
+client_secret           =   "{{oidc_client_secret}}"
+client_id               =   "{{oidc_client_id}}"
 redirect_url            =   "https://{{domain}}/oauth2/callback"
-oidc_issuer_url         =   "{{oauth2_proxy_oidc_issuer_url}}"
+oidc_issuer_url         =   "{{oidc_client_issuer_url}}"
 provider                =   "oidc"
 provider_display_name   =   "Keycloak"