From 8b1ada745016682b2f253f2c95d72ba39df744c9 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Tue, 18 Feb 2025 21:54:40 +0100
Subject: [PATCH] Optimized iam and realm
---
 group_vars/all/11_iam.yml | 22 +++++++++----------
 .../templates/import/realm.json.j2 | 2 +-
 2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/group_vars/all/11_iam.yml b/group_vars/all/11_iam.yml
index 60dc953b..9ae2caed 100644
--- a/group_vars/all/11_iam.yml
+++ b/group_vars/all/11_iam.yml
@@ -12,18 +12,18 @@ _oidc_client_realm: "{{ oidc.client.realm if oidc.client is defined and oi
 _oidc_client_issuer_url: "https://{{domains.keycloak}}/realms/{{_oidc_client_realm}}"
 defaults_oidc:
- enabled: true
+ enabled: true # Enable OIDC functionality for all apps
 client:
- id: "{{primary_domain}}"
-# secret: # Define in inventory file
- realm: "{{_oidc_client_realm}}"
- issuer_url: "{{_oidc_client_issuer_url}}"
- discovery_document: "{{_oidc_client_issuer_url}}/.well-known/openid-configuration"
- authorize_url: "{{_oidc_client_issuer_url}}/protocol/openid-connect/auth"
- toke_url: "{{_oidc_client_issuer_url}}/protocol/openid-connect/token"
- user_info_url: "{{_oidc_client_issuer_url}}/protocol/openid-connect/userinfo"
- logout_url: "{{_oidc_client_issuer_url}}/protocol/openid-connect/logout"
- change_credentials: "{{_oidc_client_issuer_url}}account/account-security/signing-in"
+ id: "{{primary_domain}}" # Client identifier, typically matching your primary domain
+# secret: # Client secret for authenticating with the OIDC provider (set in the inventory file). Recommend greater then 32 characters
+ realm: "{{_oidc_client_realm}}" # The realm to which the client belongs in the OIDC provider
+ issuer_url: "{{_oidc_client_issuer_url}}" # Base URL of the OIDC provider (issuer)
+ discovery_document: "{{_oidc_client_issuer_url}}/.well-known/openid-configuration" # URL for fetching the provider's configuration details
+ authorize_url: "{{_oidc_client_issuer_url}}/protocol/openid-connect/auth" # Endpoint to start the authorization process
+ toke_url: "{{_oidc_client_issuer_url}}/protocol/openid-connect/token" # Endpoint to exchange authorization codes for tokens (note: 'toke_url' may be a typo for 'token_url')
+ user_info_url: "{{_oidc_client_issuer_url}}/protocol/openid-connect/userinfo" # Endpoint to retrieve user information
+ logout_url: "{{_oidc_client_issuer_url}}/protocol/openid-connect/logout" # Endpoint to log out the user
+ change_credentials: "{{_oidc_client_issuer_url}}account/account-security/signing-in" # URL for managing or changing user credentials
 #############################################
 ### OAuth2-Proxy ###
diff --git a/roles/docker-keycloak/templates/import/realm.json.j2 b/roles/docker-keycloak/templates/import/realm.json.j2
index 4b235f40..4409d84b 100644
--- a/roles/docker-keycloak/templates/import/realm.json.j2
+++ b/roles/docker-keycloak/templates/import/realm.json.j2
@@ -865,7 +865,7 @@
 "attributes": {
 "realm_client": "false",
 "oidc.ciba.grant.enabled": "false",
- "client.secret.creation.time": "1737924347",
+ "client.secret.creation.time": "{{ ansible_date_time.epoch | int }}",
 "backchannel.logout.session.required": "true",
 "post.logout.redirect.uris": "https://{{primary_domain}}/*##+",
 "frontchannel.logout.session.required": "true",
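Review bot: The new `change_credentials` line still joins `{{_oidc_client_issuer_url}}` and `account/...` with no separator; since `_oidc_client_issuer_url` ends in `/realms/{{_oidc_client_realm}}` (first context line of the hunk), the rendered value is `.../realms/<realm>account/account-security/signing-in`, so the commit documents a broken URL rather than fixing it — it should be `change_credentials: "{{_oidc_client_issuer_url}}/account/account-security/signing-in"`. Likewise the `toke_url` comment records that the key "may be a typo" instead of settling it; either rename it to `token_url` after checking the templates that read `defaults_oidc.client.toke_url`, or drop the hedge and state plainly that it is the token endpoint. In the `secret` comment, `greater then` should be `greater than`, and it is worth saying how the secret is to be produced, e.g. `# Client secret (set in the inventory file); generate at least 32 characters from a CSPRNG such as openssl rand`. The inline comments use a single space before `#`; yamllint's default wants two.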
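Review bot: `client.secret.creation.time` is now the epoch at template-render time, so every run that re-imports the realm rewrites it even when the secret itself has not changed, and the attribute no longer records when the secret was actually created; if Keycloak's client-secret rotation or expiry policy is relied on, each run appears to push the expiry forward. It also makes the rendered realm.json differ on every run, so any changed-detection on this template is always true. Prefer recording the time once where the secret is set, e.g. `"client.secret.creation.time": "{{ oidc.client.secret_created_at | default(omit) }}"` fed from the same inventory entry that holds `oidc.client.secret`, or omit the attribute and let Keycloak stamp it when the secret is created. `ansible_date_time` additionally presumes fact gathering is enabled for the Keycloak host. The enclosing client object begins and ends outside this hunk.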